STIX 2 Preferred

Self-Certification Program for Cyber Threat Intelligence Sharing

FAQ

What if I have more questions?

Any questions can be sent to stix-preferred@lists.oasis-open.org.

How can I get more involved?

New members are always welcome in the OASIS CTI Interoperability Subcommittee. In addition to developing self-certification test documents, the group coordinates plugfests, interop demos, and other activities. For details, see the CTI Interop Wiki and OASIS Membership Categories and Dues; contact join@oasis-open.org.

How do I know if a product has passed the interoperability tests?

Self-certifications submitted to OASIS are published here.

Is the self-certification binding?

Yes. By signing and submitting the Attestation, the software provider is declaring both to OASIS and to the general public the accuracy of its testing.

Is payment of a fee required to self-certify?

There is no cost to self-certify software as STIX 2 Preferred or STIX/TAXII 2 Preferred.

Who is operating the STIX/TAXII 2 Preferred program?

The OASIS international nonprofit consortium operates the STIX/TAXII2 Preferred program using test suites developed by members of the OASIS CTI Interoperability Subcommittee and approved by the OASIS Cyber Threat Intelligence (CTI) Technical Committee. Membership is open to all; see details on joining.

Do certifications expire?

Certification apply only to the product and specific major version of the product submitted to OASIS. Certifications do not apply to other products or other major versions of products. The test date is part of the certification.

Who can self-certify a product?

Any organization is eligible to self-certify its own product or service that implements version 2 of STIX alone or STIX and TAXII.

Why is a self-certification trustworthy?

The trustworthiness of self-certification is tied to the trustworthiness of the organization submitting the results on their products. When an organization makes a self-certification, it puts its reputation on the line.

How does self-certification differ from third party certification?

With STIX/TAXII2 Preferred self-certification, the software provider tests its own products using documents defined by members of the OASIS CTI Interoperability Subcommittee. The provider attests its successful results to OASIS.

Self-certification differs from third-party certification, where someone (typically an accredited auditor) reviews, tests, assesses, and verifies that conformance. Self-certification is easier, faster, and less expensive than third-party certification.

What is tested?

The CTI Interoperability test suite verifies compliance statements from the STIX and TAXII v2 specifications. It also goes beyond what is defined in specifications to test behaviors based on Personas. Some of the persona are as follows (for a complete list please refer to the STIX/TAXII 2 Interoperability Test Documents):

  • Data Feed Provider (DFP)
    Software instance that acts as a producer of STIX 2.0 content.
  • Threat Intelligence Platform (TIP)
    Software instance that acts as a producer and/or Respondent of STIX 2.0 content primarily used to aggregate, refine and share intelligence with other machines or security personnel operating other security infrastructure.
  • Security Incident and Event Management system (SIEM)
    Software instance that acts as a producer and/or Respondent of STIX 2.0 content. A SIEM that produces STIX content will typically create incidents and indicators. A SIEM that consumes STIX content will typically consume sightings, indicators.
  • Threat Mitigation System (TMS)
    Software instance that acts on courses of action and other threat mitigations such as a firewall or IPS, Endpoint Detection and Response (EDR) software, etc.
  • Threat Detection System (TDS)
    Software instance of any network product that monitors and/or detects network threats such as Intrusion Detection Software (IDS), Endpoint Detection and Response (EDR) software, web proxy, etc.
  • Threat Intelligence Sink (TIS)
    Software instance that consumes STIX 2.0 content in order to perform translations to domain specific formats consumable by enforcement and/or detection systems that do not natively support STIX 2.0. These consumers may or may not have the capability of reporting sightings. A (TIS) that consumes STIX content will typically consume indicators.
  • TAXII Server (TXS)
    Software instance that acts as a TAXII Server enabling sharing between producers and respondents of STIX 2 content.

See full details in the STIX/TAXII™ 2.0 Interoperability Test Document Part 1 (for STIX content independent of transport protocol) and Part 2 (for STIX sharing over TAXII).

What is the goal of the STIX/TAXII 2 Preferred self-certification program?

Organizations need to know that products claiming compliance with version 2 of STIX will work together “out of the box”. The STIX/TAXII 2 Preferred program helps provide that assurance.

ABOUT STIX/TAXII
STIX and TAXII standards enable the automated sharing of cyber threat intelligence. Using products that support STIX and TAXII, organizations can anticipate computer-based attacks and respond faster and more effectively.
 
ABOUT OASIS
OASIS is one of the most respected, member-driven standards bodies in the world, where the STIX/TAXII community comes together to develop the standards and interoperability guidelines.
USEFUL LINKS
 
Resources
Submission Form
Usage Guidelines
FAQ
CONTACT US
 
info@oasis-open.org
stix-preferred@lists.oasis-open.org