2nd Annual NIST Security Automation Workshop
By gbrunett on Sep 22, 2006
This week, I had the pleasure of speaking at the 2nd Annual NIST Security Automation Workshop held at the NIST campus in Gaithersburg, MD. Overall, the conference was wonderful, with both great sessions and, of course, a lot of great discussions in the halls. Day one of the conference was primarily about vision, strategy and direction, with great talks from speakers such as:
- Tony Sager, Chief, Vulnerability Analysis and Operations, NSA
- Ron Ross, FISMA Implementation Project Lead, NIST
- Richard Hale, Chief Information Assurance Officer, DISA
- Dennis Heretick, Chief Information Security Officer, DOJ
- Eustace King, Deputy Director, OSD/NII-IAD
- Annabelle Lee, Director, NCSD/DHS
Day two was focused more on technical matters, especially those related to the following efforts:
- Common Configuration Enumeration (CCE)
- Common Vulnerabilities and Exposures (CVE)
- Open Vulnerability and Assessment Language (OVAL)
- eXtensible Configuration Checklist Description Format (XCCDF)
as well as their interaction and alignment toward the goal of automating security configuration application and assessment. There were also some very interesting vendor presentations from companies who were developing security assessment and configuration tools that leverage these formats. Really cool stuff. I am personally very interested in hearing from Sun customers who are tracking these projects and are interested in seeing security guidance, alerts, etc. published in the XCCDF and OVAL formats.
All (or at least most) of the presentations can be found here, and I also have a copy of my presentation here. My talk was primarily a look at Solaris (and Trusted Solaris) security... where we have been, what we are doing today, and where we are going. Along the way, I also discussed some of the ways in which we have collaborated with academia, industry and government to better understand our customers' security requirements, improve the security capabilities of our products, and help make cyberspace a little safer for everyone. Much of that collaboration and teamwork still continues to this day as we work with organizations like CIS, NSA, DISA, NIST, and Mitre (for example) to continue to improve the security capabilities of our products and services, and I, for one, can't wait to see what's next!