Balisage Paper: SCAP Composer
A DITA Open Toolkit Plug-in for Packaging Security Content
July 30 - August 2, 2019
The materials listed below were provided by the speaker as supplements to a presentation at Balisage. These materials may include the slides or visuals used in the presentation; supplementary material, such as code samples or a demonstration application; and/or the paper accompanying the presentation (if it has not been provided in XML). These materials have been zipped for easy download and are identified by a brief description of the contents. The materials themselves are untouched, that is, they have not been tested or edited by Balisage: The Markup Conference or by Mulberry Technologies, Inc. As such, they are included on this website AS IS, i.e., as provided by the speaker, with no warranties, express or otherwise, made by Balisage or Mulberry.
Slides and Materials
- SCAP_Composer_Balisage2019.zip: Presentation slides in Adobe PDF