Boston, MA, USA; 14 July 2020 – OASIS, the international standards and open source consortium, today announced that three new members were elected to its Board of Directors: Jeremy Allison of Google, Rich Bowen of Red Hat, and Wende Peters of Bank of America. Their depth of experience in the open source and open standards communities bolsters the Board’s reach and establishes OASIS as the home for worldwide standards in cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, urban mobility, emergency management, and other content technologies.

These three new members join the continuing members of the Board: Martin Chapman of Oracle; Bruce Rich of Cryptsoft; Jason Keirstead of IBM; Beth Pumo of Kaiser Permanente; and Daniel Reidel of New Context. Reelected Board members Frederick Hirsch, Individual member; Gershon Janssen, Individual member; and Richard Struse of Mitre will each serve a two-year term starting in July 2020.

“At OASIS, we are dedicated to the mission of building an inclusive open development ecosystem where open standards and open source complement each other,” said Guy Martin, OASIS Executive Director. “I’m excited to welcome Jeremy, Rich and Wende to our Board, and am confident that their combined experience will help us continue to fulfill that mission.”

Jeremy Allison works for Google’s Open Source Programs Office, where he is co-creator and one of the lead developers of the Samba Team, producing an Open Source Windows compatible file and print server product for UNIX systems. He has broad experience in government and nonprofits to complement his extensive technical background. In addition to his new duties on the OASIS Board, he also serves on the Board of Directors for the Software Freedom Conservancy and is a member of the Advisory Board of the Document Foundation.

“Open Standards in collaboration with Open Source implementations are an incredibly important part of our industry, and Google is proud to play a role in helping shape them,” said Jeremy Allison. “I’m looking forward to this opportunity to serve OASIS in my capacity as a Board member.”

Rich Bowen is the Community Manager, CentOS Project with Red Hat, where he works in the Open Source Program Office. He began his work with the open source community in the 1990s, before the term “open source” gained traction. In addition to community project work with Perl, Rich has focused primarily with the Apache Web Server Project. He has served 6 terms on the Board of Directors of the Apache Server Foundation since joining in 2002, with an emphasis on overseeing successful events such as ApacheCon.

Rich Bowen said, “It is a great honor, and a serious responsibility, to be elected to the board. I hope that with my experience at Apache, and my role in the Open Source Program Office at Red Hat, I’ll be able to contribute an important perspective about the role of Open Source in truly Open Standards.”

Wende Peters is the Senior Vice President, Global Information Security for Bank of America, where she oversees the Application Management and Continuous Development (AMCD) organization, focusing on transformation, automation, and reimagining security and governance. Wende has over 30 years of experience in a wide range of industry sectors including cybersecurity, network management, and defense systems. She was instrumental in the Security Orchestration and Automated Response (SOAR) as well as Integrated Adaptive Cyber Defense (IACD) and is a longtime collaborator with OASIS in the financial sector.

“The work that OASIS facilitates is critical to encouraging innovation in technology. Open standards help to level the playing field and ensure that emerging solutions can compete. It’s an honor to be selected to help advance this organization and its mission,” said Wende Peters.

OASIS expressed deep appreciation to outgoing Board Members Bret Jordan of Broadcom, Margaret LaBrecque of Intel, and Paul Lipton, each of whom contributed significantly to help grow and improve the consortium.

Additional Information:
OASIS Board of Directors — https://www.oasis-open.org/board

About OASIS:
One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

PALO ALTO, Calif., June 30, 2020 — The Open Source Initiative® (OSI), the internationally recognized steward of the Open Source Definition and open source licenses, is excited to announce the Affiliate Membership of OASIS Open, a global nonprofit consortium managing a broad technical agenda encompassing cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, urban mobility, emergency management, and other content technologies.

“OASIS Open and OSI have been informal collaborators on licensing and other topics from the early days of the OpenDocument Format to our recent Open Projects Program,” noted Guy Martin, Executive Director of OASIS Open. “We are delighted to formalize our relationship as a sign of our mutual commitment to expanding the role of open source in the standards definition process and look forward to an exciting future for this combined open ecosystem.”

Founded in 1993, the OASIS Open community is committed to advancing work that lowers cost, improves efficiency, stimulates innovation, grows global markets, and promotes interoperability. Each project operates independently under OASIS’s industry-leading process and clear Intellectual Property Rights.

Begun in 2019, the OASIS Open Projects program provides open source communities with foundation-level support—for governance, intellectual property (IP) management, collaboration tools, outreach and events—with an optional path to standardization and de jure approval for reference in international policy and procurement. Open Projects lets communities choose from seven currently-supported, OSI-approved licenses.

OASIS Open and OSI have been consultative partners helping shape open source and open standards work in many technology domains, including ensuring that OASIS Open programs satisfy the criteria defined by OSI’s Open Standards Requirements (OSR), which mandates standards must not prohibit conforming implementations in open source software. OASIS Open also enjoys productive liaison and peer relationships with several of OSI’s other Affiliate Members.

“OASIS Open has been the most important pioneer of approaches to bridging the gap between open standards and open source, and we are excited to have a new basis on which to collaborate going forward,” said Pam Chestek, OSI Board Director and Chair, OSI Standards Committee.

The OSI Affiliate Member Program allows non-profit organizations—unequivocally independent groups with a commitment to open source—to join the OSI in support of our work to promote and protect open source software. As the steward of the Open Source Definition certifying Open Source Software Licenses, by establishing such certification as the standard for open source software development and distribution, and with the support of our Affiliate Membership, the OSI has become a cornerstone of software freedom.

About OASIS Open

One of the most respected, member-driven standards bodies in the world, OASIS Open offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. Their members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented. Please see https://oasis-open-projects.org for more information.

About The Open Source Initiative

Founded in 1998, the Open Source Initiative (OSI) protects and promotes open source software, development and communities, championing software freedom in society through education, collaboration, and infrastructure, stewarding the Open Source Definition, and preventing abuse of the ideals and ethos inherent to the open source movement. The OSI is a public charity with global vision based in California. For more information about the OSI, please see https://opensource.org.

18 June 2020 – The OASIS open standards consortium announced that its members have approved Open Data Protocol (OData) Version 4.01 as an OASIS Standard, a status that signifies the highest level of ratification. OData helps create a more open, programmable Web, and simplifies the querying and sharing of data across applications for re-use in the enterprise, cloud, and mobile devices.

OData enables the creation and consumption of REST-based data services which allow resources, identified using Uniform Resource Locators (URLs) and defined in a data model, to be published and edited by Web clients using simple HTTP messages.

OData Version 4.01 adopts patterns to feel more like custom REST APIs, and defines new patterns in a number of areas. These enhancements can be categorized into:

● Simplified syntax and payloads

● Extended query patterns

● Enhanced update capabilities

● New JSON Metadata and Batch Formats

Also approved were three new versions of supporting specifications: OData JSON Format, OData Common Schema Definition Language (CSDL) JSON Representation, and OData Common Schema Definition Language (CSDL) XML Representation.

“OData 4.01 incorporates developer feedback to introduce cleaner patterns, while at the same time addressing a number of common feature requests,” said OASIS OData co-chair Michael Pizzo of Microsoft. “Looking forward, we are using the patterns introduced in OData 4.01 to define a lightweight profile for implementing RESTful APIs.”

As part of this effort, the OData Technical Committee is creating an OASIS Open Repository to support the community development and adoption of lightweight REST-based APIs based on this profile. The open repository will be available and open to contributions in early July.

OData co-chair Ralf Handl of SAP added, “OData 4.01 is a fully compatible increment, reflecting seven years of experience with using OData in enterprise software. OData is an extremely powerful REST protocol that has resulted in richer experiences and more interoperable solutions.”

Support for OData Version 4.01

Microsoft
“Microsoft Graph uses OData to provide our customers a single unified API across Microsoft 365, which includes services such as Teams, Outlook, Azure Active Directory, Intune, Windows 10 and more. We appreciate the hard work of the OASIS OData Technical Committee and the developer community who helped shape OData 4.01. Our developers appreciate the simplified API patterns introduced in OData 4.01, and we are already building upon some of the new features like the JSON batch format and bulk operations.”
— Alex Simons, Corporate Vice President Program Management, Microsoft

SAP
“OData provides an important technology foundation that powers SAP’s User Experience. The rich metadata in OData combines with the SAP Fiori design system to create consistent interaction patterns that let our customers run across a wide range of business systems and technology platforms, providing end users a web or native mobile experience.”
— Alexander Lingg, Head of SAP User Experience

Additional Information
OASIS OData Technical Committee: https://www.oasis-open.org/committees/odata

About OASIS

One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

4 June 2020 – The OASIS open standards consortium today announced that its members have approved the Static Analysis Results Interchange Format (SARIF) version 2.1.0 as an OASIS Standard, a status that signifies the highest level of ratification. SARIF defines a common output format for static analysis tools that detect software defects and vulnerabilities, making it feasible for developers and teams to aggregate results produced by multiple tools.

Software developers assess the quality of their programs using a variety of tools that report on validity, security, performance, and compliance with legal requirements. To form an overall picture of program quality, developers often need to aggregate the results produced by all of these tools, a task made difficult when each tool produces output in a different format. SARIF addresses this challenge by defining a standard format that enables developers to:

• Comprehensively capture the range of data produced by commonly used static analysis tools.
• Reduce the cost and complexity of aggregating the results of various analysis tools into common workflows.
• Represent analysis results for all kinds of programming artifacts, including source code and object code.

“Each static analysis tool contributes a different perspective on the code being analyzed,” said OASIS SARIF Technical Committee co-chair, David Keaton. “Combining the results of multiple tools in a common format provides a more complete understanding of the issues in the code that need to be addressed. It’s especially valuable with regard to safety and security.”

“With SARIF,” Keaton continued, “organizations can improve the quality and security of their systems while using standardized and interoperable static analysis solutions. SARIF gives them the ability to easily compare results and supports the development of products whose code spans languages and operating systems.”

The OASIS SARIF Technical Committee brings together major software companies, cybersecurity providers, government, security orchestration specialists, programmers, and consultants. Participation in the SARIF Technical Committee is open to all companies, nonprofit groups, governments, academic institutions, and individuals through membership in OASIS. As with all OASIS projects, archives of the Committee’s work are accessible to both members and non-members alike. OASIS also hosts an open mailing list for public comment.

Support for SARIF 2.1.0

GrammaTech
“The benefits of CodeSonar embracing SARIF have really resonated with customers. In today’s ecosystem driven world where lots of different products are being used within a CI/CD pipeline, SARIF enables interoperability which is extremely important at increasing the effectiveness of static analysis tools, and consequently the quality of software in many safety and security-critical domains.”

— Paul Anderson, VP of Engineering, GrammaTech

Micro Focus
“Software developers and security practitioners use a variety of solutions to form an overall picture of security and quality of their code, but the task is hindered by the need to process results in different formats. A standard output format allows organizations to more efficiently view, understand, manage, and ultimately address software flaws. As an industry leader, Micro Focus Fortify is proud to be a part of this effort.”

— Yekaterina Tsipenyuk O’Neil, Distinguished Technologist and Principal Security Researcher, Micro Focus

Microsoft
“Microsoft has found the SARIF standard invaluable to lower costs when creating cross-tool code authoring, build and work item filing experiences. The detailed, uniform cross-tool data produced by our SARIF-based engineering system is unlocking insights that weren’t previously available.”

— Michael C. Fanning, Principal Software Engineering Manager, Microsoft

Additional Information
OASIS SARIF Technical Committee: https://www.oasis-open.org/committees/sarif

About OASIS
One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Media inquiries:
communications@oasis-open.org
+1.941.284.0403

Boston, MA, USA; 21 April 2020 — The global nonprofit consortium, OASIS, has hired open source leader, Guy Martin, as its Executive Director. Bringing 25 years of software experience to his new role, Martin will help drive a broad technical agenda that encompasses cybersecurity, privacy, blockchain, cryptography, cloud computing, IoT, emergency management, mobility data, and more. He will advance the OASIS standards portfolio and extend Open Projects, a first-of-a-kind program that combines foundation-level support for open source communities with a path to recognition in international policy and procurement.

“OASIS is at the forefront of an evolution in the open source and standards worlds,” said Gershon Janssen, chair of the OASIS Board of Directors. “Guy Martin has the vision and experience to lead our organization into new opportunities, enhancing our core services while remaining true to our culture of respect and our philosophy of openness and transparency.”

In addition to his extensive work in helping build open source programs for companies like Red Hat, Samsung, and Autodesk, Martin was instrumental in starting the Academy Software Foundation (ASWF) and the Open Connectivity Foundation (OCF). At OCF, he worked to successfully integrate FRAND standards with open source reference implementations. He is also a passionate advocate for diversity and inclusion in technology.

“It’s an incredibly exciting time to become part of the OASIS community,” said Martin. “Governments and enterprises are looking for more assurances from the open source process while developers want the freedom to produce code alongside specifications. I look forward to the opportunity to re-examine the way we approach everything–from governance to process, from lP to community outreach.”

Martin observed the potential for some of the newest OASIS projects, including the Open Cybersecurity Alliance and the Ethereum OASIS Baseline Protocol, to follow the success of foundational OASIS standards ratified by ISO, IEC, and ITU, such as OpenDocument and SAML.

As OASIS Executive Director, Martin heads up an internationally diverse staff supporting members in more than 100 countries on virtually every continent.

About OASIS
One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS members include major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Media inquiries: communications@oasis-open.org; +1.941.284.0403

• OpenDXL Ontology enables automatic integration and communication between disparate security technologies via open source standard and code
• Leaders from AT&T, IBM, McAfee, Packet Clearinghouse, Tripwire join OCA’s Technical Steering Committee

February 24, 2020, San Francisco, CA – The Open Cybersecurity Alliance (OCA) today announced the availability of OpenDXL Ontology, the first open source language for connecting cybersecurity tools through a common messaging framework. With open source code freely available to the security community, OpenDXL Ontology enables any tool to automatically gain the ability to communicate and interoperate with all other technologies using this language. By eliminating the need for custom integrations between individual products, this release marks a major milestone in the OCA’s mission to drive greater interoperability across the security industry. The newly formed Open Cybersecurity Alliance was launched in October 2019 to connect the fragmented cybersecurity landscape with common, open source code and practices that allow companies to “integrate once, reuse everywhere.” Governed under the auspices of OASIS, the OCA now includes more than 25 member organizations and has brought two major interoperability projects into the open-source realm, with OpenDXL Ontology (contributed by McAfee) and STIX Shifter (contributed by IBM Security) now available for cross-industry collaboration and development on GitHub. In addition to the availability of OpenDXL Ontology, the OCA is also announcing the formation of its Technical Steering Committee, including leaders from AT&T, IBM Security, McAfee, Packet Clearinghouse, and Tripwire, who will drive the technical direction and development of the organization. “With the adoption of public cloud and explosion of connected devices, the ability for enterprises to quickly respond to threats across ever-changing technologies, and even beyond perimeters, is critical,” says Brian Rexroad, Vice President of Security Platforms at AT&T. “OCA is driving an industrial shift in interoperability with the OpenDXL Ontology to support security at scale.” Open Source Language Schema to Connect Security Tools The Open Data Exchange Layer (OpenDXL) is an open messaging framework that over 4,100 vendors and enterprises already utilize to develop and share integrations with other tools. The release of the OpenDXL Ontology now offers a single, common language for these notifications, information and actions across security products that any vendor can adopt in order to communicate in a standard way with all other tools under this umbrella. This provides companies with a set of tooling that can be applied once and automatically reused everywhere across all product categories, while also eliminating the need to update integrations as product versions and functionalities change. For example, if a certain tool detects a compromised device, it could automatically notify all other tools and even quarantine that device using a standard message format readable by all. While previously this was only possible with custom integrations between individual products, it will now be automatically enabled between all tools that adopt OpenDXL Ontology. Through continued development by the community, this common language will facilitate a wide variety of interoperability use cases, from sharing threat intelligence to triggering remediation between tools, such as isolating a device or updating a policy. The adoption of OpenDXL Ontology will help create a stronger, united front to defend and protect across all types of security tools, while reducing the burden of point integrations between individual products. OCA Momentum: 25+ Organizations Join Forces for Open Security Since launching five months ago, the OCA has expanded to include more than 25 partner organizations, with the following new members joining: Armis, Center for Internet Security, CyberNB, Cydarm, Gigamon, Raytheon, Recorded Future, sFractal Consulting, and Tripwire. The full list of members can be found here. The OCA community is currently collaborating on GitHub and Slack to further new open-source code and use-cases for cybersecurity industry interoperability. In addition to the development of OpenDXL Ontology for a common, open-source language between tools, the OCA is also continuing to build out capabilities for STIX-Shifter, a universal, out-of-the box search capability for security products of all types. Since bringing STIX Shifter to the open-source community, hundreds of visitors have accessed this technology on GitHub, with dozens of users initiating new project forks for development on top of the primary STIX Shifter code. The OCA will continue development for both STIX Shifter and OpenDXL Ontology, and is actively seeking additional contributors from across the security industry to help guide and drive innovative new use cases for these open source projects. Visit https://opencybersecurityalliance.org to learn more about the Open Security Alliance and get involved in the projects that are currently underway. About the Open Cybersecurity Alliance The Open Cybersecurity Alliance (OCA) brings together vendors and end users to create an open cybersecurity ecosystem where products can freely exchange information, insights, analytics, and orchestrated response. OCA supports commonly developed code and tooling and the use of mutually agreed upon technologies, data standards, and procedures. The OCA is governed under the auspices of OASIS, which offers projects a path to standardization and de jure approval for reference in international policy and procurement. Media Contact: Cathy Morley Foster Public Relations, Open Cybersecurity Alliance cathy.morleyfoster@gmail.com (925) 708-7893 Carol Geyer Chief Development Officer Open Source and Standards Communities OASIS carol.geyer@oasis-open.org (941) 284-0403

24 Feb 2020 — Members of the OASIS international consortium are collaborating to provide live multi-vendor interoperability demonstrations featuring one of the industry’s most widely-adopted security standards, the Key Management Interoperability Protocol (KMIP).

“The OASIS KMIP Technical Committee is continuing to develop and release well tested versions of the standard to cater for new and changing requirements and this year’s demonstration event again showcases that effort,” said Tony Cox of Cryptsoft, co-chair of the OASIS KMIP Technical Committee and Lead for the KMIP Interop event.

“2019 saw the publication of KMIP v2.0, which provided a major update to KMIP capabilities, and the definition and the development of KMIP 2.1. Tested as part of this KMIP interop event, KMIP 2.1 brings a suite of new security object management features including many focused on enhancing administration of cloud and IoT security deployments,” said Judy Furlong of Dell, co-chair of the OASIS KMIP Technical Committee.

This year, five members of the OASIS KMIP TC are providing demonstrations of KMIP v2.0 and KMIP v2.1 during the RSA Conference 2020 Expo. This demonstration allows RSA visitors to the OASIS booth to interact with multiple vendors demonstrating interchange of security objects as well as provision of encryption keys and cryptographic services across a common interface. OASIS KMIP Technical Committee members, Cryptsoft, Fortanix, PrimeKey, QuintessenceLabs and Utimaco are demonstrating the full key management lifecycle including creating, registering, locating, retrieving, deleting, and transferring symmetric and asymmetric keys and certificates among vendor systems.

Support for KMIP

Cryptsoft CTO, Tim Hudson, said, “This year’s KMIP Interoperability Event has enabled demonstration of the latest capabilities added to the latest version of the standard. As a major OEM technology supplier, supplying standards-based solutions ensures interoperability is a reality for our customers and this event is the proof each year. KMIP 2.0 and KMIP 2.1 allow solutions for unified key management and hardware security modules that meet the demands of enterprise, financials, cloud and IoT deployments.”

IBM Product Management, Encryption and Key Management, Rick Robinson, said, “The development and adoption of standards, especially KMIP, are critical to customer success in pursuit of their data protection and security strategy. On behalf of our customers, IBM continues to bring our leadership in data protection and cryptography to the development of this important, global standard.”

Fortanix CTO, Anand Kashyap, said, “Digital business transformation is built on a foundation of digital trust. Cryptography and key management are critical to securing sensitive data in a world where data moves between cloud environments. Fortanix believes that open interoperability standards and REST APIs are critical to make data security pervasive. KMIP is a foundational standard that is essential to expanding the use of encryption and key management. Fortanix is proud to support and integrate with the OASIS KMIP standard.”

QuintessenceLabs CTO, John Leiseboer, said, “Interoperability greatly benefits our customers and empowers them in controlling their organization’s security. QuintessenceLabs has been involved with OASIS and the KMIP Technical Committee since the start, and we are proud to ensure that each of our products is fully compliant via rigorous testing.”

More information
https://www.oasis-open.org/committees/kmip

About OASIS

One of the most respected, member-driven standards bodies in the world, OASIS offers projects a path to standardization and de jure approval for reference in international policy and procurement. OASIS has a broad technical agenda encompassing cryptography, cybersecurity, privacy, cloud computing, IoT, blockchain, and other areas. OASIS members can be found in 100+ countries on virtually every continent. Major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Media inquiries: communications@oasis-open.org; +1.941.284.0403

18 February 2020 — Whether it’s hailing a ride, booking a vacation house, buying new or used goods, contracting services, or downloading music, the sharing economy is redefining traditional business models. To support data exchange and trustworthiness in this expanding market, ISO–the International Organization for Standardization–has formed Technical Committee 324. This new group is defining a broad set of global standards for the sharing economy. The American National Standards Institute (ANSI) and the OASIS standards consortium have brought together leaders from the largest online platforms, innovative startups, technology companies, financial services providers, and nonprofits to represent American interests in this work as members of the U.S. Technical Advisory Group (TAG) to ISO/TC 324, Sharing Economy.

“We’re seeing a growing shift towards policy setting in the sharing economy. The ISO standards we’re defining now will play a key role in shaping those policies,” said Tim Hirsch of CaaStle, chair of the U.S. TAG. “Our work is going to have a profound impact across the market—on platform operators, service providers, and users.”

Focusing on five key market segments—transportation, staffing, lodging, retail, and media—ISO/TC 324 will address areas as varied as risk mitigation, asset protection, management, and resourcing. The initial phase of the work will focus on terminology and principles, and operationalizing sharing economy methodologies.

Microsoft‘s Stephanie Beers, vice chair of the U.S. TAG, observed, “The TAG has already effectively advocated for several issues important to our members. For example, we succeeded in changing ISO’s definition of the sharing economy to cover not only business-to-consumer but also business-to-business. We recognize the importance of not excluding groups that want guidance from these standards.”

“The majority of sharing economy pioneers are based in the U.S. We’re proud to have so many of these industry giants collaborating side-by-side with visionary technology and financial companies and providers of the latest platforms,” said Carol Geyer, chief development officer of OASIS. “All the U.S. TAG members should be applauded for their commitment to international collaboration, data safety, and the future of peer-to-peer computing.”

The next ISO/TC 324 plenary will be held in Saint-Denis, France, 22-24 June 2020.

Support from U.S. TAG members

“eBay, in working with the U.S. TAG, is setting consistent practices and standards for sharing at a global ecommerce level which will result in even greater connected business opportunities and unprecedented benefits for consumers.” Sanjeev Katariya, Vice President and Chief Architect, eBay AI & Platforms

“The sharing economy will change every aspect of our lives from how we do business to how we interact with each other and our environment. The FinTech4Good team is looking forward to working with other TAG members to achieve Agenda 2030 through the sharing economy.” Xiaochen Zhang, President, FinTech4Good

“Indiegogo is excited to partner with other industry leaders on this important initiative. Having international standards is key to collaborating globally, and we are excited to help progress a mutual understanding throughout the ecosystem.” Andy Yang, CEO, Indiegogo

“As the sharing economy is embraced by every demographic in the world, it is incumbent upon the sharing economy ecosystem to professionalize itself with standards that seek normalization, protections for workers and consumers, and encourage growth.” Jeremy Gottschalk, Founder and CEO, Marketplace Risk

“Trust is the bedrock of any successful partnership. Bringing together both public and private organizational experience in Sharing Economy/Collaborative eCommerce, spear-headed by ANSI and OASIS is a step in the right direction to ensure TRUST is the foundation. To ensure the future of work and the marketplace driven economy is not hijacked by business or political interests, defining these ethical and technological standards now, will help guide all participants in this burgeoning business model.” Adam Broadway, CEO, Near Me

“While sharing economy, blockchain and fintech may be new terms, they are quickly becoming the foundation for how organizations and individuals will work in the future. These are the technologies and functions we use in our Media Exchange to leverage unused cloud time, equipment and manpower for distributed productions that lower costs and improve quality.”” Joseph Maar, CEO, NECF Corporation

“Setting fair sharing economy standards will have a huge impact moving forward. Mass inequity in society has led to the proliferation of sharing economy businesses, but we as a committee need to be the voice for all stakeholders — from businesses, providers and consumers of these platforms.” Anitha Beberg, CEO, Seva Exchange

“The formation of this committee is tremendous recognition of the long-term viability of the global sharing economy. This international collaboration will be vital to the continued expansion of major sharing economy segments in emerging markets where on-demand entrepreneurs and the companies they represent require stronger protection to ensure growth, profitability, and customer satisfaction.” Tim Attia, CEO, Slice Labs

“The Gig Economy Group is pleased to participate in the working group to explore the important impact of the sharing economy on how we create a framework of engagement that works for the different stakeholders in the market with the rapid growth of the sharing economy.” Dave Toole, CEO and Chairman, The Gig Economy

Visit ISO’s website for information on U.S. TAG to ISO/TC 324.

About ANSI
The American National Standards Institute (ANSI) is a private non-profit organization whose mission is to enhance U.S. global competitiveness and the American quality of life by promoting, facilitating, and safeguarding the integrity of the voluntary standardization and conformity assessment system. Its membership is comprised of businesses, professional societies and trade associations, standards developers, government agencies, and consumer and labor organizations. The Institute represents and serves the diverse interests of more than 270,000 companies and organizations and 30 million professionals worldwide. ANSI is the official U.S. representative to the International Organization for Standardization (ISO) and, via the U.S. National Committee, the International Electrotechnical Commission (IEC). For more information, visit www.ansi.org.

About OASIS OASIS is one of the most respected, member-driven standards bodies in the world. It offers standards and open source projects a path to recognition in international policy and procurement. OASIS has a broad technical agenda encompassing the sharing economy, cybersecurity, privacy, cryptography, cloud computing, IoT, legal, emergency management, augmented reality, and more. OASIS members can be found in 100+ countries on virtually every continent. Major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented.

Borderless Cyber, WASHINGTON, D.C., October 8, 2019 – Today, the OASIS international consortium announced an industry initiative to bring interoperability and data sharing across cybersecurity products. With initial open source content and code contributed by IBM Security and McAfee, and formed under the auspices of OASIS, the Open Cybersecurity Alliance (OCA) brings together organizations and individuals from around the world to develop open source security technologies which can freely exchange information, insights, analytics, and orchestrated responses.

According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data. (Cybersecurity Landscape: The Evolution of Enterprise-class Vendors).

Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats.To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors. The aim is to simplify the integration of security technologies across the threat lifecycle – from threat hunting and detection, to analytics, operations and response — so that products can work together out of the box.

The purpose of the OCA is to develop and promote sets of open source common content, code, tooling, patterns, and practices for interoperability and sharing data among cybersecurity tools. For enterprise users, this means:

• Improving security visibility and ability to discover new insights and findings that might otherwise have been missed;
• Extracting more value from existing products and reducing vendor lock-in;
• Connecting data and sharing insights across products.

Founders of the Alliance, IBM Security and McAfee, are joined in the initiative by Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin. The OCA welcomes participation from additional organizations and individual contributors.

“Today, organizations struggle without a standard language when sharing data between products and tools,” said Carol Geyer, chief development officer of OASIS. “We have seen efforts emerge to foster data exchange, but what has been missing is the ability for each tool to transmit and receive these messages in a standardized format, resulting in more expensive and time-consuming integration costs. The aim of the OCA is to accelerate the open sharing concept making it easier for enterprises to manage and operate.”

“When security teams are constantly spending their time manually integrating tools and maintaining those integrations, it’s not helping anyone other than the attackers,” said Jason Keirstead, chief architect, IBM Security Threat Management. “The mission of the OCA is to create a unified security ecosystem, where businesses no longer have to build one-off manual integrations between every product, but instead can build one integration to work across all, based on a commonly accepted set of standards and code.”

“Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too,” said D.J. Long, vice president business development, McAfee. “The OCA creed is ‘Integrate once, reuse everywhere’ which builds upon McAfee’s open philosophy that led to the OpenDXL project in 2016. Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence.”

Initial technology contributions to the open project are as follows, with additions expected as part of ongoing work:

STIX-Shifter (from IBM Security): This project aims to create a universal, out-of-the box search capability for security products of all types, by providing a way to connect security products to other security, cloud, and software data repositories via a standardized cybersecurity data model (STIX 2). STIX-Shifter is an open source library which can identify information about potential threats within a wide variety of data repositories and translate it into a format that can be digested and analyzed by any security tool that has this standard enabled.

OpenDXL Standard Ontology (from McAfee) focused on the development of an open and interoperable cybersecurity messaging format for use with the OpenDXL messaging bus. The OpenDXL Standard Ontology will be offered under the Apache 2.0 license.

Open Cybersecurity Alliance Sponsors

“Every digital device is a potential vulnerability point. Advanced Cyber Security Corp. is proud to be an initial sponsor of the OCA and is committed to this collaborative effort to promote the use of common code, tooling, and standards for endpoint security and to help industry professionals and government agencies advance in cyber security awareness and preparedness.”
C.J. Brunet, president and COO – Advanced Cyber Security Corp.

“Cybersecurity systems will be strongest and most able to effectively adapt and respond to changing threats when communication and connectivity within the ecosystem is open. Corsa Security is part of OCA to create such an open environment and build towards highly effective cyber systems.”
Carolyn Raab, chief product officer – Corsa Security

“At CrowdStrike, the power of crowdsourced data critically informs our customers with actionable insights to help defeat sophisticated adversaries, ensuring organizations stay ahead of future threats. Our participation in the OCA will facilitate strategic information sharing for more visibility into cybercriminal patterns, motivations, and behaviors. Aligning with our partners like IBM to foster better integration and alert exchange will help stop breaches before they occur.”
Matthew Polly, vice president of worldwide alliances, channels and business development – CrowdStrike

“CyberArk strongly believes in the power of vendor collaboration to strengthen the enterprise security fabric. We continue to support open source initiatives that elevate that level of collaboration, and being part of the vendor community actively engaged in the Open Cybersecurity Alliance (OCA) is another important step forward. By creating a framework to share data that improves communication and effectiveness among an ecosystem of software solutions, OCA is helping to enrich and improve the effectiveness of security solutions, while enabling organizations to increase adoption to better defend against cyberattacks.”
Adam Bosnian, executive vice president, global business development – CyberArk

“Focus on tools detracts from the task at hand: doing security. It’s our job to make our tools and the seams among them more and more transparent. Going deeper than check box integration and finding ways to move up the stack is the goal of the OCA. We have to develop a new generation of protocols and interoperability that put the end user and the process of security front and center. If we do that, we’ll not only remove waste but can provide every advantage to defender in cyber conflict.”
Sam Curry, chief security officer – Cybereason

“As an automation and orchestration vendor, DFLabs is keenly aware of the importance of open standards in efficiently and effectively sharing information and working collaboratively with different technologies throughout the security stack. DFLabs is proud to be a part of shaping the standards which will move the security industry towards enhanced information sharing and interoperability through the OCA.”
Michele Zambelli, CTO – DFLabs

“Fortinet is focused on integrating and collaborating with industry’s top technology vendors to provide end-to-end security through our Fabric-Ready Partner Program. We’re pleased to advance this commitment by joining the OCA’s industry-wide initiative focused on data sharing and interoperability across cybersecurity products. Alongside our Fabric-Ready Partners IBM Security and McAfee, as well as other vendors, we look forward to developing open code, standards and tooling that can help solve some of the industry’s biggest challenges.”
John Maddison, executive vice president of products and CMO – Fortinet

“With IT (information technology) and OT (operational technology) systems converging, sharing security information is essential for detecting and remediating threats. As a global leader in Industrial Cybersecurity and a member of the OCA, we are all working together to ensure customers can seamlessly integrate intelligence from OT and IT to protect their industrial operations. We’re proud to extend full visibility, security and control of OT environments to this important partnership.”
Mille Gandelsman, CTO and co-founder – Indegy

“New Context is proud to be a founding member of the Open Cybersecurity Alliance. We look forward to working with our fellow OCA members to develop and promote open source resources and best practices to support the cybersecurity community.”
Patrick Duggan, chief of staff – New Context

“At ReversingLabs, we are committed to providing complete visibility and insight into every destructive object—unwanted, vulnerable and malware-infected destructive files, emails, attachments, binaries, and third-party and open source code—by integrating and optimizing existing enterprise security investments. With the establishment of the Open Cybersecurity Alliance (OCA) we can now more easily extend those integrations through open source content and code to amplify line of sight into hidden objects and deliver the breadth and depth of visibility enterprise organizations need to seek out and remediate the most dangerous and complex threats.”
Mario Vuksan, CEO and co-founder – ReversingLabs

“SafeBreach, a leader in breach and attack simulation, was built on the mission to extend cybersecurity awareness and measure cybersecurity controls throughout every organization. To join this consortium of like-minded vendors is a testament to the commitment and innovation that we all see necessary to drive cybersecurity excellence in the community through information sharing and intelligence.”
Itzik Kotler, CTO and co-founder – SafeBreach

“At ThreatQuotient we are interested in fostering an open cybersecurity ecosystem where products can freely exchange information to help defenders protect their environments. We are also proud to support protocols and standards to simplify the exchange of information from several different vendors and technologies. With this in mind, we are happy to be a part of the OCA to support the initiative and work with other stakeholders.”
Haig Colter, director, Alliances – ThreatQuotient

“Fostering an open exchange of information among vendors, end users, thought leaders, and individuals is more crucial than ever in today’s cybersecurity ecosystem. We are excited to be part of the important work that the OCA is doing to bring our community together to help drive mutually agreed upon technologies, procedures, and security standards.”
Pamela Cyr, senior vice president business development – Tufin Technologies

To learn more visit www.opencybersecurityalliance.org.

About OASIS

One of the most respected, member-driven standards bodies in the world, OASIS offers projects – including open source projects – a path to standardization and de jure approval for reference in international policy and procurement. OASIS has a broad technical agenda encompassing cybersecurity, privacy, cryptography, cloud computing and IoT – any initiative for developing code, APIs, specifications or reference implementations can find a home at OASIS. # # #

24 September 2019 – Members of the OASIS nonprofit consortium are working together to create an international standard that implements the course-of-action playbook model for cybersecurity operations. The work of the new OASIS Collaborative Automated Course of Action Operations (CACAO) for Cybersecurity Technical Committee will describe and document the steps needed to prevent, mitigate, and monitor responses to attacks.

“The best way organizations can defend against threats is to document their prevention, mitigation, and remediation steps into course-of-action playbooks,” said Allan Thomson of LookingGlass Cyber Solutions, co-chair of the OASIS CACAO Technical Committee. “Unfortunately, most playbooks are one-off’s at this point. CACAO represents a significant opportunity to define a standard mechanism for playbooks, so they can be executed and shared across organizational boundaries and technology solutions.”

Bret Jordan of Symantec, co-chair of the OASIS CACAO Technical Committee, added, “The need for automated and shareable cyber security playbooks is critical to improving operational cyber security. CACAO will not only define how playbooks are created, the standard will also describe how playbooks are distributed across networks, business units, organizations, and systems.”

Each CACAO playbook will consist of a sequence of cyber defense actions that can be executed by various technological solutions. CACAO playbooks will be referenceable by other cyber threat intelligence that provides support for related data such as threat actors, campaigns, intrusion sets, malware, attack patterns, and other adversarial techniques, tactics, and procedures.

Participation in the CACAO Technical Committee is open to all through membership in OASIS. Security Vendors, Incident Responders, Security Operation Centers (SOCs), Security Orchestration, Automation and Response (SOAR) solution, CSIRTS, Cyber Defense Centers, Threat Intelligence Analysts, Large Enterprises, Governments, MSSPs, and others are invited to join the group.

Support for CACAO

Accenture Managing Director, Anup Ghosh, said, “The lack of standardized playbooks for interoperability between vendor products has advantaged cybercriminals. The efforts of the CACAO Technical Committee to standardize and share their operations playbooks can now tilt the balance in favor of defenders. We are excited to contribute to the CACAO technical committee to address this issue and to enable the development of standardized playbooks for security operation centers.”

Cisco Systems Senior Technical Leader, Security Business Group, Jyoti Verma, said, “The deliverables of the new OASIS CACAO TC are of paramount importance in the fight against advanced threat actors; by defining cyber defense actions that can be executed in the form of machine-readable playbooks. These playbooks could be used to capture security processes around detection, investigation and response of cyber security threats. Having a standard way to represent these playbooks would enable organizations to share and leverage known techniques for SOC operational efficiency.”

Cyware Labs VP of Research and Innovation, Avkash Kathiriya, said, “We are proud to join forces with the CACAO initiative as they mature the threat intelligence domain. By empowering security teams to go beyond the simple sharing of information, this initiative will ensure organizations can take action and yield results that will improve their ability to proactively block threats. The initiative will also work towards the standardization of COA Playbooks so customers can speak the common language of preventing, defending and remediating threats.”

EclecticIQ Director, Intelligence Collaboration, Chris O’Brien, said, “It is critical to continuously improve the ways that we collaborate on threat intelligence within the cyber security community. The work that OASIS has put into these efforts cannot be valued highly enough. With the launch of the CACAO TC, we take the next important step to develop a protocol that will further streamline collaboration on remediation in the form of standardized playbook languages for courses of action.”

FireEye Chief Engineering Architect & Distinguished Engineer, Paul Patrick, said, “The ability for an organization to create a playbook that can be shared and utilized by other organizations creates a true force multiplier across the security industry. Threat actors are constantly changing their tactics and implementing new targeting techniques. By creating a standardized response framework that works across technologies already in place, security teams will be able to thwart and respond to future attempts without prior knowledge of the attack.”

Fornetix CTO, Charles White, said, “In regards to Collaborative Automated Course of Action Operations, the Fornetix Team is proud to support this new technical committee. Orchestration for Courses of Action is critical for building Cyber Resiliency in the enterprise. We look forward to contributing to the CACAO specification.”

IBM Security Chief Architect of Threat Management, Jason Keirstead, said, “The ability to efficiently collaborate across vendors on incident response actions and playbooks, will fill a critical gap in the cybersecurity operations ecosystem, and enable better outcomes for our clients. IBM Security is proud to support the formation of this TC.”

New Context CEO and Founder, Daniel Riedel, said, “Rapid response time is vital for protecting society from cyberattacks. Today, the Internet is integrated into every aspect of our world. It is imperative that the knowledge on how to react to those threats is an open standard that can be shared between public and private sectors. CACAO will enable common threat remediations to be shared between organizations regardless of their technology footprint. In the end, CACAO will advance innovation and improve technologies that will enhance our ability to respond to cyber threats rapidly and keep the connected world safe. Which is why New Context is honored to be part of the Committee.”

Syncurity Founder & CSO, JP Bourget, said, “Syncurity is excited to join the CACAO Technical Committee for Cyber Security. Agile playbooks will enable Blue Teams to share TTPs [Tactics, Techniques & Procedures] and produce a unified response across the organization. A standardized framework will vastly improve content-sharing beyond the enterprise and will rapidly improve our collective defenses. Syncurity is committed to the development of open, interoperable standards that will defend enterprises against attackers.”

ThreatQuotient CTO and Co-Founder, Ryan Trost, said, “The opportunity for industry peers to collaborate in a meaningful way, as led by the CACAO Technical Committee, will play an important role in standardizing the documentation and sharing of security operations playbooks. With a shared mission of providing organizations with more clarity and efficiency in their cybersecurity operations, ThreatQuotient supports the efforts of CACAO to further the capabilities of today’s defenders.”

More information
https://www.oasis-open.org/committees/cacao

About OASIS
One of the most respected, member-driven standards bodies in the world, OASIS offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement. OASIS has a broad technical agenda encompassing cybersecurity, privacy, cryptography, cloud computing, IoT, augmented reality, and other areas. Each project operates independently under industry-approved process and IPR policies. OASIS members can be found in 100+ countries on virtually every continent. Major multinational companies, SMEs, government agencies, universities, research institutions, consulting groups, and individuals are represented. http://www.oasis-open.org Media inquiries: communications@oasis-open.org; +1.941.284.0403