params.json
{"name":"xAPISec","tagline":"xAPI Security Policy","body":"<div id=\"table-of-contents\">\r\n<h2>Table of Contents</h2>\r\n<div id=\"text-table-of-contents\">\r\n<ul>\r\n<li><a href=\"#orgheadline1\">1. xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard</a></li>\r\n<li><a href=\"#orgheadline2\">2. Rationale and Objective</a></li>\r\n<li><a href=\"#orgheadline3\">3. Initial suggestions</a></li>\r\n<li><a href=\"#orgheadline4\">4. Second Tier: What to Consider</a></li>\r\n<li><a href=\"#orgheadline5\">5. Third Tier: What to Consider</a></li>\r\n<li><a href=\"#orgheadline6\">6. The xAPIsec Effort</a></li>\r\n</ul>\r\n</div>\r\n</div>\r\n\r\n\r\n# xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard<a id=\"orgheadline1\"></a>\r\n\r\n# Rationale and Objective<a id=\"orgheadline2\"></a>\r\n\r\nIn accordance with [OMB Memorandum M-15-13](https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf), which mandates the exclusive use of\r\nHTTPS with HSTS across all Federal government web services, it stands to reason\r\nthat as a DoD initiative, [xAPI](http://www.adlnet.gov/capabilities/tla/experience-api.html) should hold itself, at a minimum, to that standard.\r\n\r\nThis document intends to establish a set of best practices for secure xAPI usage,\r\nhopefully leading to a standard extending xAPI, provisionally termed xAPIsec.\r\n\r\n# Initial suggestions<a id=\"orgheadline3\"></a>\r\n\r\nThe following have been identified as items that should be established as best\r\npractices for secure xAPI usage with regard to transport-level security, i.e.\r\nthe security of the external interface of an LRS:\r\n\r\n- Certificates signed with a strong signature algorithm (SHA-256 or stronger; no SHA-1 signatures)\r\n- Strong, forward-secret key exchange: ephemeral Elliptic-Curve Diffie-Hellman (ECDHE), so that a later compromise of the server key does not expose recorded sessions\r\n- HSTS with a long max-age (the hstspreload.org submission requirements call for at least one year), the includeSubDomains directive, and the preload directive\r\n\r\nThese mitigate or prevent:\r\n\r\n- message interception\r\n- man-in-the-middle (MITM) attacks\r\n- message/statement alteration between the Activity Provider (AP) and the LRS\r\n\r\nThese controls protect statements only while in transit. HSTS is enforced by browsers; a server-side AP must itself be configured to connect to the LRS only over HTTPS and to validate the certificate. Authentication of the AP and protection of stored statements fall under the later tiers.\r\n\r\n# Second Tier: What to Consider<a id=\"orgheadline4\"></a>\r\n\r\n- Infosec standards for Activity Providers considered in isolation from the LRS\r\n- Internals\r\n- Information architecture\r\n- Secure network hierarchy for SaaS\r\n- Data persistence mechanism reliability\r\n\r\n# Third Tier: What to Consider<a id=\"orgheadline5\"></a>\r\n\r\n- Full-stack\r\n- Best practices for intrusion detection systems\r\n- Alarm response times\r\n- Auditing\r\n- Response to zero-day vulnerabilities\r\n- CVE response time standards\r\n\r\n# The xAPIsec Effort<a id=\"orgheadline6\"></a>\r\n\r\nIt is our desire to establish an industry-driven protocol and standard for\r\nxAPI information security.\r\n\r\nWe would like input from the broad xAPI community and would ask ADL to\r\nassist in pushing out the call for feedback. We will be discussing this\r\nat the xAPI Bootcamp in July as the effort came out of the work we’ve done\r\nin building and testing scalability and security matters throughout the\r\nbuild of our learning record store and visualization layer.\r\n\r\nThis document should be considered a general draft outline.","google":"UA-70801960-1","note":"Don't delete this file! It's used internally to help with page regeneration."}
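The transport-level requirements in the "Initial suggestions" section above, as an added example that is not part of the xAPIsec proposal or of any LRS or Activity Provider code: a Python check of a Strict-Transport-Security header against the long max-age, includeSubDomains and preload requirements (parsing follows RFC 6797 section 6.1, and the one-year minimum is the hstspreload.org submission requirement), plus the TLS client context a server-side Activity Provider could use when posting statements to an LRS so that only ECDHE key exchange and AEAD ciphers are offered and SHA-1 certificate signatures are refused. The function names (`parse_hsts`, `check_hsts`, `ap_client_context`, `tls12_cipher_names`) and the sample header values are constructed for this example; the context function assumes OpenSSL 1.1.1 or newer.

```python
"""HSTS and TLS client checks for the xAPIsec transport requirements.

Added example, not code from the xAPIsec proposal or from any LRS.
parse_hsts follows the grammar in RFC 6797 section 6.1; the one-year
minimum max-age is the hstspreload.org submission requirement.
"""
import re
import ssl

ONE_YEAR = 31536000  # seconds; hstspreload.org minimum for max-age

# directive-name [ "=" ( token | quoted-string ) ], RFC 6797 / RFC 7230
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"
_DIRECTIVE_RE = re.compile(
    r"^\s*(" + _TOKEN + r")(?:\s*=\s*(\"(?:[^\"\\]|\\.)*\"|" + _TOKEN + r"))?\s*$"
)


class HSTSError(ValueError):
    """The header value violates RFC 6797 syntax; browsers ignore such headers."""


def parse_hsts(value):
    """Return {lowercase directive name: value or None} for an STS header.

    RFC 6797: names are case-insensitive, a directive may appear at most
    once, max-age is mandatory, and a header that breaks the grammar is
    ignored as a whole, so this raises instead of salvaging parts.
    """
    directives = {}
    for raw in value.split(";"):
        if not raw.strip():
            continue  # the grammar allows empty elements between ';'
        m = _DIRECTIVE_RE.match(raw)
        if not m:
            raise HSTSError("malformed directive %r" % raw)
        name, val = m.group(1).lower(), m.group(2)
        if val is not None and val.startswith('"'):
            val = re.sub(r"\\(.)", r"\1", val[1:-1])  # unquote quoted-string
        if name in directives:
            raise HSTSError("directive %s given more than once" % name)
        directives[name] = val
    if not re.fullmatch(r"[0-9]+", directives.get("max-age") or ""):
        raise HSTSError("max-age is required and must be a non-negative integer")
    return directives


def check_hsts(value, min_age=ONE_YEAR):
    """Return a list of findings; an empty list means the header meets the
    long max-age, includeSubDomains and preload requirements."""
    try:
        d = parse_hsts(value)
    except HSTSError as exc:
        return ["invalid header, browsers will ignore it: %s" % exc]
    findings = []
    age = int(d["max-age"])
    if age == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif age < min_age:
        findings.append("max-age %d is below the %d second minimum" % (age, min_age))
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: plain-HTTP subdomains stay reachable")
    if "preload" not in d:
        findings.append("preload missing: the first visit is still unprotected")
    return findings


def ap_client_context():
    """TLS context an Activity Provider should use when posting statements
    to an LRS: TLS 1.2 or newer, ECDHE key exchange only, AEAD ciphers, and
    OpenSSL security level 2, which rejects SHA-1 certificate signatures.
    Assumes OpenSSL 1.1.1 or newer."""
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:@SECLEVEL=2")
    return ctx


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context offers. TLS 1.3 suites (named
    TLS_*) always use ephemeral key exchange and are left out."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


if __name__ == "__main__":
    # Constructed sample headers, as an LRS might send them.
    for header in ("max-age=63072000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=0; includeSubDomains; preload",
                   "max-age=100; max-age=63072000; includeSubDomains; preload"):
        print(repr(header), "->", check_hsts(header) or "ok")
    print(tls12_cipher_names(ap_client_context()))
```

The parser raises on a repeated directive rather than taking the first or last value because RFC 6797 requires a browser to discard the whole header in that case; a check that quietly accepted it would report a policy the browser never applies. The client context matters because HSTS does nothing for a non-browser AP: the AP has to refuse weak key exchange and weak certificate signatures on its own, and `tls12_cipher_names` is a quick way to confirm what a context will actually offer.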