-
Notifications
You must be signed in to change notification settings - Fork 39
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
167f871
commit 3b2bd9b
Showing
1 changed file
with
115 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,115 @@ | ||
|  | ||
|
|
||
| # Common Security Advisory Framework (CSAF) Technical Committee Working Meeting | ||
|
|
||
| - Meeting Date: June 28, 2023 | ||
| - Time: 1:00 pm US EDT | ||
|
|
||
| ## Call to Order and Welcome | ||
|
|
||
| Meeting called to order @ 1:02 PM US EDT | ||
|
|
||
| ## Roll call | ||
|
|
||
| All participants recorded their attendance on the OASIS meeting calendar. | ||
| All participants were kindly encouraged to register themselves to optimize the use of the shared time during the meeting in one of two ways: | ||
| - Clicking the link with the text "Register my attendance" on the top of the event page. | ||
| - Or directly visiting the per event direct "record my attendance link." | ||
|
|
||
| Quorum was NOT reached. | ||
|
|
||
|
|
||
| ## Participants | ||
|
|
||
| | Name | Company | Role | | ||
| |--------------------|--------------------------------------------------|--------------| | ||
| | Jane Ginn | Cyber Threat Intelligence Network, Inc. (C... | Member | | ||
| | Rhonda Levy | Cisco Systems | Voting Member| | ||
| | Justin Murphy | DHS Cybersecurity and Infrastructure Security...| Voting Member| | ||
| | Denny Page | TIBCO Software Inc. | Voting Member| | ||
| | Martin Prpic | Red Hat | Voting Member| | ||
| | Michael Reeder | Dell | Voting Member| | ||
| | Omar Santos | Cisco Systems | Chair | | ||
| | Thomas Schaffer | Cisco Systems | Member | | ||
| | Thomas Schmidt | Federal Office for Information Security (B... | Voting Member| | ||
| | Dina Truxius | Federal Office for Information Security (B... | Member | | ||
| | Sonny van Lingen | Huawei Technologies Co., Ltd. | Member | | ||
|
|
||
|
|
||
| ### Observers present | ||
|
|
||
| None | ||
|
|
||
| Note: Observers of this committee that are ready to become Members should follow the specific instructions displayed the OASIS Open Notices tab. | ||
|
|
||
| ## Agenda | ||
| - Roll Call via self-registration. | ||
| - Approve May Meeting Minutes: https://github.com/oasis-tcs/csaf/blob/master/meeting_minutes/2023-05-31.md | ||
| - Quorum not reached so no approval of minutes. | ||
| - CISA’s SBOM Meeting Recap: https://www.cisa.gov/sbom | ||
| - VEX Summit (July 27): https://vexsummit.org | ||
| - Discuss next steps. | ||
| - Adjourn | ||
|
|
||
|
|
||
| ## Meeting Notes | ||
|
|
||
|
|
||
| Sure, here's the provided text transformed into Markdown format: | ||
|
|
||
| - Justin’s recap of the hybrid Cisa SBOM meeting on June 14th. | ||
| - 75-80 people attended in person and 900+ virtually - nearly 1000 people. | ||
| - Worked in groups of 5; met once since then and did a hotwash with mostly positive feedback. | ||
| - Had many discussions and generated a large range of new ideas. | ||
| - Co-chairs who lead them were from different sectors, such as health care and automotive speakers. | ||
| - Had SBOM success stories, and targeted discussions to engage more with the US government. | ||
| - Had some international folks there too from the UK and Japan. | ||
| - It was recorded and working on video - short videos to match with topics – 5, 10 and 25-minutes. | ||
| - Slides will be available too. Cisa.sbom. | ||
| - Feedback is to do more - 4 times a year - 2 hybrid and 2 virtual: in the fall virtual and in early spring hybrid in the DC area. | ||
|
|
||
| - From CSAF standard perspective, talking to a few staff members from OASIS, as the journey to ISO is still in progress. | ||
| - Nothing they need from TC right now. | ||
| - It’s in legal and the board pushing to ISO. | ||
| - No updates on their sites either. | ||
| - Will email if anything comes in or information needed from the TC. | ||
| - Transition accepted as is. | ||
|
|
||
| - Thomas Schmidt looking into how to publish training material. | ||
| - Second workshop in October in Germany. | ||
|
|
||
| - **Roundtable items:** | ||
| - Thomas Schmidt – At AP Threat event– status met some people there. | ||
| - They will be participating in the summit and are an open-source tool AP Threat supporting VEX customer demand. | ||
| - From a VEX standpoint and CSAF – security advisories – VEX in content of SBOM, they will share information at the summit. | ||
| - API is a topic that we should use for 2.1 and should start a discussion early on. | ||
| - It’s a different concept and we need to make sure we have Use cases and an understanding. | ||
| - Have a write up with a starting point to make a little better for APIs and will send an email to everyone. | ||
| - Takes CSAF files from memories. General API thing that we should look at, storage and other questions. | ||
| - Omar to take the action and put in GitHub issues. | ||
| - We starting publishing VEX on June 11, at Cisco, and AP Threat is doing something similar. | ||
| - Use VEX for everything vulnerabilities; 3rd party and VEX documents. | ||
| - Will track and put item in for discussion in Vex summit. | ||
| - Different AP models for everything: VEX software materials and attestations. | ||
|
|
||
|
|
||
| ### VEX Summit | ||
| https://vexsummit.org/ | ||
|
|
||
| "VEX Summit" update shared with the TC. The event will take place in Raleigh, NC (and virtual) on July 27, 2023. | ||
| The event would include both physical and virtual participation. The purpose of the summit would be to do some benchmarking around different VEX and CSAF implementations, as well as discuss lessons learned and best practices. | ||
| The group expressed interest in the idea and agreed to further discuss logistics. | ||
| - Omar: “Bake Off” phrase will not be used for the Vulnerability Exploitability eXchange (VEX) Summit, as discussed at the last meeting, because there is an assumption that there’s a winner. | ||
| - Vendors presenting VEX documents and that creates competition. | ||
| - 228 people registered thus far. | ||
|
|
||
| ## Next Steps | ||
| - Participate in the VEX Summit | ||
| - However, we will meet next month before the VEX Summit. | ||
|
|
||
|
|
||
| ## Adjourn | ||
| The meeting adjourned at 1:39PM US EDT. | ||
|
|
||
| Note: All monthly meetings take place on the last Wednesday of each month at 1:00 PM US EDT. | ||
| The next meeting will be held on July 26, 2023. |