My hope is that the REST API accesses the native database, and not a COPY of the database. Folks around the world are making “copies”, now, and the REST API is really meant to solve THAT particular problem (as well as many others).
That being said, I really don’t know what is “behind” the web site I am clicking on, now, to show me the CWE information. So, someone inside MITRE might have a better answer.

From: Kurt Seifried <[email protected]>
Sent: Friday, March 4, 2022 2:55 PM
To: Alec J Summers <[email protected]>
Cc: Adam Cron <[email protected]>; CWE CAPEC Board <[email protected]>; Hayashi, Kathy <[email protected]>; Sherman, Brent <[email protected]>; Oberg, Jason <[email protected]>
Subject: Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Maybe this question was already answered but I can't find it: what's the backend data source? E.g. will the REST API simply provide an interface to the XML download, and then that XML gets updated as MITRE releases new versions? I assume the "source of truth" is still on an internal MITRE system, if so how does that data get to the rest API (do we need an API for that ;).

On Fri, Mar 4, 2022 at 12:31 PM Alec J Summers <[email protected]> wrote:

Good afternoon, all!

I wanted to clarify one point with respect to the API WG. The group is open to all community members with interest in participating, and the deliberations, work, decisions, etc. will be public.

While elements of the CWE/CAPEC sites’ backend infrastructure are not currently open-source, the REST API itself will be, as well as any reference implementations that the WG chooses to develop. Most of the REST API development will take place outside of the MITRE team and so the code will be open source and integrated with the closed source CWE/CAPEC backend infrastructure. It is conceivable that all CWE/CAPEC code could one day be open-source, but that is not the case right now.

Cheers,
Alec

--
Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
––––––––––––––––––––––––––––––––––––
MITRE - Solving Problems for a Safer World

From: Alec J Summers <[email protected]>
Date: Tuesday, March 1, 2022 at 6:15 PM
To: Seifried, Kurt <[email protected]>, Adam Cron <[email protected]>
Cc: CWE CAPEC Board <[email protected]>, Hayashi, Kathy <[email protected]>, Sherman, Brent <[email protected]>, Oberg, Jason <[email protected]>
Subject: Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Clarification: “working on read access to start.” Apologies for the miscommunication.

Cheers,
Alec

From: Alec J Summers <[email protected]>
Date: Tuesday, March 1, 2022 at 5:41 PM
To: Seifried, Kurt <[email protected]>, Adam Cron <[email protected]>
Cc: CWE CAPEC Board <[email protected]>, Hayashi, Kathy <[email protected]>, Sherman, Brent <[email protected]>, Oberg, Jason <[email protected]>
Subject: Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Kurt,

Thanks for your note. This was a question that Adam et al answered in the document I shared on 2/24. In short, the working group would start working towards a REST API to start.

Best,
Alec

From: Kurt Seifried <[email protected]>
Date: Tuesday, March 1, 2022 at 5:33 PM
To: Adam Cron <[email protected]>
Cc: Alec J Summers <[email protected]>, CWE CAPEC Board <[email protected]>, Hayashi, Kathy <[email protected]>, Sherman, Brent <[email protected]>, Oberg, Jason <[email protected]>
Subject: Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Is this REST API read only, or also write to update CWEs, or?

On Tue, Mar 1, 2022 at 9:23 AM Adam Cron <[email protected]> wrote:

I have no objections. Enclosed is a strawman invitation. Please edit or comment as you see fit. Please don’t forward it out, yet.

Best regards,
Adam

From: Alec J Summers <[email protected]>
Sent: Tuesday, March 1, 2022 9:45 AM
To: CWE CAPEC Board <[email protected]>
Cc: Adam Cron <[email protected]>; Hayashi, Kathy <[email protected]>; Sherman, Brent <[email protected]>; Oberg, Jason <[email protected]>
Subject: Re: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Good morning, all.

I wanted to follow up on this thread and see if there were any other questions or thoughts for the REST API Working Group proposal. If not, I wanted to ask if there were any objections to officially authorize this group to begin discussions and determine the path forward.

Cheers,
Alec

From: Jason Oberg <[email protected]>
Date: Friday, February 25, 2022 at 10:02 AM
To: Sherman, Brent <[email protected]>
Cc: Alec J Summers <[email protected]>, CWE CAPEC Board <[email protected]>, Adam Cron <[email protected]>, Hayashi, Kathy <[email protected]>
Subject: [EXT] Re: CWE/CAPEC Rest API Working Group Documentation

Hi Brent,

Understood. I think it's reasonable that one goal of the working group should be to flesh these details out. I just worry this piece of it might be the long pole so it likely needs serious consideration early on so there is a foreseeable path forward.

Regards,
Jason

On Thu, Feb 24, 2022 at 2:28 PM Sherman, Brent M <[email protected]> wrote:

hi jason,

thank you for your support, greatly appreciated! I agree there needs to be a path towards implementation however I think this is something the wg needs to answer (adam, kathy – please correct me if I’m wrong). I think we (ipsa wg) know the answers to your questions however, maybe there is something we are not aware of which is why we want to form the wg. hopefully that makes sense.

thanks
brent

From: Jason Oberg <[email protected]>
Sent: Thursday, February 24, 2022 2:11 PM
To: Alec J Summers <[email protected]>
Cc: CWE CAPEC Board <[email protected]>; Adam Cron <[email protected]>; Sherman, Brent M <[email protected]>; Hayashi, Kathy <[email protected]>
Subject: Re: CWE/CAPEC Rest API Working Group Documentation

Adam, Kathy, Brent,

Thank you for taking on this important initiative. I'm fully supportive and it is very much needed.

While defining the API is the first step, I'm wondering what the path is to actually implement it. Specifically:

* Can the existing CWE data model support APIs that are RESTful?
* Who will execute on the API endpoint development work? Will MITRE or another party?

These may be questions for MITRE, but I think it's important to have a path towards implementation while the APIs are defined. We surely all agree that defining an API that never gets built is not good for anyone.

Regards,
Jason

On Thu, Feb 24, 2022 at 1:31 PM Alec J Summers <[email protected]> wrote:

Dear Board members,

Good afternoon! During our last meeting, we spoke about the request from community stakeholders to establish a working group to build a REST API for the CWE/CAPEC program. The Board had several questions regarding the intention, technical specifications, target audience, and milestones associated with the request. Recall that the Board charter differentiates a working group from a special interest group in that it is not intended to operate on an open-ended timeline and is meant to achieve a particular outcome.

I have attached a document of answers to Board’s questions from the Accellera Systems Initiative IPSA working group members – the group responsible for the initial request for a CWE REST API working group. I have also cced the proposed chair of the working group, Adam Cron (Synopsys), as well as two other members Brent Sherman (Intel) and Kathy Hayashi (Qualcomm) so they may provide clarifications or reply to any additional questions directly in this thread.

Cheers,
Alec

--
Dr. Jason Oberg | Co-Founder and CTO | +1 (808) 635-7604
Tortuga Logic<https://urldefense.com/v3/__http:/www.tortugalogic.com/__;!!A4F2R9G_pg!KhP1Tp0dIAuQOQwjf78PecF8WBfuwNa4sP9WLK03IjU7Hr9AnrUoeHynYR0srqW5IQ$> | 75 E Santa Clara Street, San Jose, CA 95113
NOTICE TO RECIPIENT | This email and any attachments may contain private, confidential and privileged material for the sole use of the intended recipient. If you are not the intended recipient, please immediately notify the sender of the error by return email and delete this email and any attachments.

--
Kurt Seifried (He/Him)
[email protected]
