Skip to content
This repository has been archived by the owner on Sep 21, 2023. It is now read-only.

OSCAL Obfuscator mini-application #51

Open
wendellpiez opened this issue Apr 8, 2022 · 2 comments
Open

OSCAL Obfuscator mini-application #51

wendellpiez opened this issue Apr 8, 2022 · 2 comments

Comments

@wendellpiez
Copy link
Contributor

wendellpiez commented Apr 8, 2022

As an OSCAL user, I might find it difficult to make bug reports on OSCAL data because I can't share the data. How can I show the bug?

A little OSCAL data-obfuscator demo that rewrote OSCAL fragments (even invalid) into a 'blind' variant, with local save, could be helpful in this regard.

This could potentially be done in XSLT 1.0, assuming the right specs (around complications such as UUIDs etc).

@wendellpiez
Copy link
Contributor Author

Actually, challenge here would be to make it sufficiently lossy (not reversible) while still meeting the need. Interesting problem.

@aj-stein-nist
Copy link
Contributor

As an OSCAL user, I might find it difficult to make bug reports on OSCAL data because I can't share the data. How can I show the bug?

A little OSCAL data-obfuscator demo that rewrote OSCAL fragments (even invalid) into a 'blind' variant, with local save, could be helpful in this regard.

This could potentially be done in XSLT 1.0, assuming the right specs (around complications such as UUIDs etc).

I personally love this idea! This is actually the impetus behind doing the leg work in usnistgov/OSCAL#1119 to pave the way for such a tool: to facilitate the sharing of debugging data and general information sharing in the long-term! The requirements work around this, after threat modeling, is to know which fields should be "redacted" and which others should not, and in combination with one another as "sensitive information" (Controlled Unclassified Information or a more objective interpretation of sensitive) to build criteria for such tools.

I love this idea, and I will send you an email with internal memos from other information security colleagues about the context around this, and why such a tool would be wonderfully important.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants