Skip to content

Latest commit

 

History

History
168 lines (126 loc) · 6.5 KB

test-matrix-2024-03.md

File metadata and controls

168 lines (126 loc) · 6.5 KB
Raw

April 2024 CASP Plugfest Test Matrix

The CASP Charter includes:

the intent of CASP is to be vendor and application agnostic, enabling interoperability across a range of cyber security tools and applications. The use of standardized interfaces and protocols enables interoperability of different tools, regardless of the vendor that developed them, the language they are written in or the function they are designed to fulfill.

Because each plugfest event tests interoperability using standardized interfaces and protocols, this test matrix lists the organizations interested in promoting cross-vendor interoperability, organized by data or protocol standard to facilitate test planning.

Data Interoperability Tests

Each object defined by a data standard may be Produced or Consumed by an application. The test matrix includes a Role column to indicate which data role(s) the participant intends to test.

CACAO

Participant Role Notes

CSAF

Participant Role Notes
sFractal P CASR/Vex available on web and via OpenC2

CycloneDX

Participant Role Notes
sFractal P CDX SBOM available on web and via OpenC2

Indicators of Behavior - IOB

Participant Role Notes

OCSF

Participant Role Notes

OpenC2 Content

Actions supporting automated:

  • Protection: Configuration Management, Anti-virus, SBOM, Security Assessment and Approval
  • Sensing: SIEM, Threat Hunting
  • Defense: SOAR, XDR
Participant Role Notes
sFractal C put link to longer explanation

Open Security Controls Assessment Language - OSCAL

Participant Role Notes

Open XDR Architecture - OXA

Participant Role Notes

PACE

Participant Role Notes
sFractal P,C add link

SPDX

Participant Role Notes
sFractal P CDX SBOM available on web and via OpenC2

STIX

Participant Role Notes

Threat Actor Context - TAC

Participant Role Notes

VEX

Participant Role Notes
sFractal P CASR/Vex available on web and via OpenC2

Protocol/Interface Tests

Each protocol may support Initiator (Client/Producer), Responder (Server/Consumer) or Symmetric interaction roles. The test matrix includes a Role column to indicate which interaction role(s) the participant intends to test.

TAXII

Participant Role Notes

OpenC2 Message

Participant Role Notes
sFractal I,R Blinky - HTTP, MQTT
sFractal I,R Twinkly - HTTP, MQTT
sFractal I,R SBOM - MQTT
HII R OIF-Device: OC2 Language, Hunting AP - MQTT v3, v5 & HTTP

OpenC2 has published specifications for message transfer over MQTT v5.0 and HTTPS. MQTT is preferred to avoid the need to open inbound paths to a local enclave if testing across the Internet. The HTTPS Transfer Specification supports a Testing mode that drops the requirement for TLS authentication and its associated certificate management challenges.

For assistance applying these OpenC2 specifications use the CASP mail list or open an issue in the associated GitHub repository (MQTT / HTTPS).

Protocol Support

The following message brokers are being used for testing OpenC2-based interoperability:

  • Mosquitto - Eclipse foundation public test server at mqtt://test.mosquitto.org:xxxx - see documentation for port options
  • HiveMQ - MQTT v3.1 and v5 at mqtt+ssl://3271a3ddd2eb43caa7c4b195c7d6cabd.s2.eu.hivemq.cloud:8883

The HiveMQ broker uses TLS session encryption and requires basic (username/password) authentication. Participants should request authentication info (see contributing and provide device IDs (any name you wish) to be included in the topic lists to allow other participants to communicate with you.