I've been working on the A6 API for the past week and I'm certain Mrs IronFog is wondering when I might be done (she's graciously been giving up about two hours of quality time each night - something I am immensely appreciative of).
A6 stands for The Audit, Assertion, Assessment, and Assurance API (a term coined by @CSOAndy via Chris Hoff's Rationale Survivability), so I figured I would know if I was done when I could put a check mark next to each aspect of the 6 A's (this feels like the start of a buffer overflow joke).
So here we go:
- Audit - Check - we have /ssapi/compliance/
- Assertion - Check - we have /ssapi/ISO27002/ and /ssapi/environment/
- Assessment - Check - we have /ssapi/element/xccdf/
- And - Check (for the sake of completeness)
- Assurance - sort-of, it's somewhat of an emergent or external property - I'll explain below
- API - Check - we have /ssapi/
Ok, so 5.0 out of 6 is pretty good, but here's why I think we're complete enough to consider this a first draft. The terms Assertion ad Assurance are financial audit terms:
- Assertion is a self-issued statement made by one party (the provider) to others (end users) about their state - such as "I have a billion dollars in cash" or "we are secure" - they're not validated by anyone else.
- Assurance is a validated statement, specifically validated by a trusted third party (like an audit firm) reviews the supporting facts behind an assertion and confirms they are true, have integrity and have the correct scope (or completeness)
Assertions are easy, anyone can make a statement about anything - that's what our stack does - however, we just have to trust that the statements are true and good.
For assurance, we have three options:
- Have some trusted mechanism (black box software in a tamperproof appliance) validate the information from the stack and issue a signed XML blob;
- Get a third party auditor to validate the assertions issued by the stack and provide a formal sign-off; and
- Review the information ourselves and see if we can spot inconsistencies (and then call "liar-liar-combusting-pants")
Barring perfectly trustable computing, we cannot provide true Assurance functions through technology alone - we can just make it easier to share what we know in an easily interpretable fashion.
So basically, the stack as it stands, is structurally complete enough for a first draft release (which I'll start packaging up shortly). Ofcourse, there's still specifications, nuances, details and documentation to get done; I know other things will emerge as I review and cleanup what I've done, but that will be iterative, not net new.