<!DOCTYPE html>
<html>
<head>
<meta charset='utf-8'>
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<link rel="stylesheet" type="text/css" href="stylesheets/stylesheet.css" media="screen">
<link rel="stylesheet" type="text/css" href="stylesheets/github-dark.css" media="screen">
<link rel="stylesheet" type="text/css" href="stylesheets/print.css" media="print">
<link rel="alternate" href="http://xapisec.org" hreflang="en-us">
<title>xAPISec</title>
</head>
<body>
<header>
<div class="container">
<h1>xAPISec</h1>
<h2>xAPI Security Policy</h2>
<section id="downloads">
<a href="https://github.com/xapisec/xapisec/zipball/master" class="btn">Download as .zip</a>
<a href="https://github.com/xapisec/xapisec/tarball/master" class="btn">Download as .tar.gz</a>
<a href="https://github.com/xapisec/xapisec" class="btn btn-github"><span class="icon"></span>View on GitHub</a>
</section>
</div>
</header>
<div class="container">
<section id="main_content">
<div id="table-of-contents">
<h2>
<a id="table-of-contents" class="anchor" href="#table-of-contents" aria-hidden="true"><span class="octicon octicon-link"></span></a>Table of Contents</h2>
<div id="text-table-of-contents">
<ul>
<li><a href="#orgheadline1">1. xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard</a></li>
<li><a href="#orgheadline2">2. Rationale and Objective</a></li>
<li><a href="#orgheadline3">3. Initial suggestions</a></li>
<li><a href="#orgheadline4">4. Second Tier: What to Consider</a></li>
<li><a href="#orgheadline5">5. Third Tier: What to Consider</a></li>
<li><a href="#orgheadline6">6. The xAPIsec Effort</a></li>
</ul>
</div>
<p></p>
</div>
<h1>
<a id="xapisec-a-proposal-for-an-industry-led-xapi-information-security-standard" class="anchor" href="#xapisec-a-proposal-for-an-industry-led-xapi-information-security-standard" aria-hidden="true"><span class="octicon octicon-link"></span></a>xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard<a id="orgheadline1"></a>
</h1>
<h1>
<a id="rationale-and-objective" class="anchor" href="#rationale-and-objective" aria-hidden="true"><span class="octicon octicon-link"></span></a>Rationale and Objective<a id="orgheadline2"></a>
</h1>
<p>In accordance with <a href="https://www.whitehouse.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf">OMB Memorandum M-15-13</a>, which mandates the exclusive use of
HTTPS with HSTS across all Federal government web services, it stands to reason
that as a DoD initiative, <a href="http://www.adlnet.gov/capabilities/tla/experience-api.html">xAPI</a> should hold itself, at a minimum, to that standard.</p>
<p>This document intends to establish a set of best practices for secure xAPI usage,
hopefully leading to a standard extending xAPI, provisionally termed xAPIsec.</p>
<h1>
<a id="initial-suggestions" class="anchor" href="#initial-suggestions" aria-hidden="true"><span class="octicon octicon-link"></span></a>Initial suggestions<a id="orgheadline3"></a>
</h1>
<p>The following have been identified as items that should be established as best
practices for secure xAPI usage with regards to transport-level security, i.e.
the security of the external interface of an LRS:</p>
<ul>
<li> Strong signature hash algorithm (SHA-256)</li>
<li> Strong key exchange (Elliptic-Curve Diffie-Hellman)</li>
<li> HSTS with a long max-age, the includeSubDomains directive, and the preload directive</li>
</ul>
<p>These mitigate or prevent:</p>
<ul>
<li> message interception</li>
<li> MITM attacks</li>
<li> message/statement alteration in transit between the Activity Provider (AP) and the LRS</li>
</ul>
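<p>As an added example (not part of the xAPIsec draft or its project code), the following Python checks an LRS response's Strict-Transport-Security header for the three HSTS properties listed above; the one-year minimum used for "long duration" is an assumption, since the draft gives no figure.</p>

```python
# Added example (not from the xAPIsec draft): check an LRS HTTPS response's
# Strict-Transport-Security header against the draft's HSTS item.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: "long duration" read as at least one year (31536000 s), the
# minimum the HSTS preload list requires; the draft itself gives no number.
MIN_MAX_AGE = 31536000

@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False

    def problems(self) -> List[str]:
        """Draft requirements this header fails (empty list = compliant)."""
        if not self.present:
            return ["no Strict-Transport-Security header"]
        checks = [(self.max_age is not None and self.max_age >= MIN_MAX_AGE,
                   "max-age below %d seconds" % MIN_MAX_AGE),
                  (self.include_subdomains, "includeSubDomains missing"),
                  (self.preload, "preload missing")]
        return [msg for ok, msg in checks if not ok]

def parse_hsts(value: Optional[str]) -> HstsResult:
    """Parse an HSTS value; directive names are case-insensitive (RFC 6797)."""
    if value is None:
        return HstsResult(present=False)
    result = HstsResult(present=True)
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result.max_age = int(arg)
        elif name == "includesubdomains":
            result.include_subdomains = True
        elif name == "preload":
            result.preload = True
    return result

def check_headers(headers: Dict[str, str]) -> HstsResult:
    """Find the HSTS header case-insensitively in a response header map."""
    return parse_hsts(next((v for k, v in headers.items()
                            if k.lower() == "strict-transport-security"), None))

# Constructed sample headers for a hypothetical LRS endpoint (not real captures).
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300"}
STRONG_HEADERS = {"strict-transport-security":
                  "max-age=63072000; includeSubDomains; preload"}
```

<p>Run it against the headers returned by an LRS's statements endpoint; an empty list from <code>problems()</code> means the response meets all three HSTS items.</p>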
<h1>
<a id="second-tier-what-to-consider" class="anchor" href="#second-tier-what-to-consider" aria-hidden="true"><span class="octicon octicon-link"></span></a>Second Tier: What to Consider<a id="orgheadline4"></a>
</h1>
<ul>
<li> Infosec standards for Activity Providers considered in isolation from LRS</li>
<li> Internals</li>
<li> Information architecture</li>
<li> Secure network hierarchy for SaaS</li>
<li> Data persistence mechanism reliability</li>
</ul>
<h1>
<a id="third-tier-what-to-consider" class="anchor" href="#third-tier-what-to-consider" aria-hidden="true"><span class="octicon octicon-link"></span></a>Third Tier: What to Consider<a id="orgheadline5"></a>
</h1>
<ul>
<li> Full-stack</li>
<li> Best practices for intrusion detection systems</li>
<li> Alarm response times</li>
<li> Auditing</li>
<li> Response to zero-day vulnerabilities</li>
<li> CVE response time standards</li>
</ul>
<h1>
<a id="the-xapisec-effort" class="anchor" href="#the-xapisec-effort" aria-hidden="true"><span class="octicon octicon-link"></span></a>The xAPIsec Effort<a id="orgheadline6"></a>
</h1>
<p>It is our desire to establish an industry-driven protocol and standard for
xAPI information security.</p>
<p>We would like input from the broad xAPI community and would ask ADL to
assist in pushing out the call for feedback. We will be discussing this
at the xAPI Bootcamp in July as the effort came out of the work we’ve done
in building and testing scalability and security matters throughout the
build of our learning record store and visualization layer.</p>
<p>This document should be considered a general draft outline.</p>
</section>
</div>
<script type="text/javascript">
var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
</script>
<script type="text/javascript">
try {
var pageTracker = _gat._getTracker("UA-70801960-1");
pageTracker._trackPageview();
} catch(err) {}
</script>
</body>
</html>