xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard
Rationale and Objective
In accordance with OMB Memorandum M-15-13, which mandates the exclusive use of HTTPS with HSTS across all Federal government web services, it stands to reason that as a DoD initiative, xAPI should hold itself, at a minimum, to that standard.
This document intends to establish a set of best practices for secure xAPI usage, hopefully leading to a standard extending xAPI, provisionally termed xAPIsec.
- Slack: https://xapisec.slack.com
- Signup Form: https://goo.gl/forms/EHKDqSBjHqdwQPKx1
- Google Group: https://groups.google.com/forum/#!forum/xapisec
- Github Pages: http://xapisec.github.io
- Github repo: https://github.com/xapisec/xapisec
- Gitter Chat (for developers): https://gitter.im/xapisec/xapisec
The following have been identified as items that should be established as best practices for secure xAPI usage with regards to transport-level security, i.e. the security of the external interface of an LRS:
- Strong signing algorithm (SHA-256)
- Strong key exchange (Elliptic-Curve Diffie-Hellman)
- HSTS with long duration - including subdomains - and preload directive
These mitigate or prevent:
- message interception
- MITM attacks
- message/statement alteration between AP and LRS
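As an added example (not part of this proposal or any xAPIsec code), the following Python helpers turn the three transport-level items above into checks a defender can run against what an LRS actually serves: the Strict-Transport-Security header (long max-age, includeSubDomains, preload), the negotiated cipher suite (ECDHE key exchange, SHA-2 rather than SHA-1), and the certificate signature algorithm (SHA-256 rather than SHA-1/MD5). The one-year threshold for "long duration", the reading of "strong signing algorithm" as the certificate signature hash, and all sample inputs are assumptions made here, not values from the proposal.

```python
"""Audit helpers for the xAPIsec transport-level checklist (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold for a "long duration" HSTS policy: one year in seconds.
ONE_YEAR = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value using RFC 6797 directive syntax.

    Directives are separated by ';', names are case-insensitive, and a
    value may be quoted. Unknown directives are ignored, as the RFC requires.
    """
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header_value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if value.isdigit():  # anything else is malformed and left as None
                max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(header_value: Optional[str], min_age: int = ONE_YEAR) -> List[str]:
    """Return a list of deviations from 'long max-age + includeSubDomains + preload'."""
    if header_value is None:
        return ["HSTS header missing"]
    policy = parse_hsts(header_value)
    findings = []
    if policy.max_age is None:
        findings.append("max-age directive missing or malformed")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} shorter than {min_age}")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing")
    if not policy.preload:
        findings.append("preload missing")
    return findings


def cipher_findings(cipher_name: str) -> List[str]:
    """Check an OpenSSL-style suite name, e.g. from ssl.SSLSocket.cipher()[0].

    TLS 1.3 suites (prefixed 'TLS_') always use (EC)DHE and a SHA-2 hash, so
    they pass outright. For TLS 1.2 names, require the ECDHE- prefix and a
    SHA256/SHA384 suffix; a bare '-SHA' suffix denotes a legacy SHA-1 suite.
    """
    if cipher_name.startswith("TLS_"):
        return []
    findings = []
    if not cipher_name.startswith("ECDHE-"):
        findings.append("key exchange is not ECDHE")
    if not re.search(r"SHA(256|384)$", cipher_name):
        findings.append("MAC/PRF hash is not SHA-2 (legacy SHA-1 suite)")
    return findings


def signature_findings(sig_alg: str) -> List[str]:
    """Flag weak certificate signature algorithms as printed by 'openssl x509 -text'."""
    lowered = sig_alg.lower()
    if "sha1" in lowered or "md5" in lowered:
        return [f"certificate signed with weak hash: {sig_alg}"]
    return []


if __name__ == "__main__":
    # Constructed sample values, not captured from any real LRS.
    print(hsts_findings("max-age=31536000; includeSubDomains; preload"))  # []
    print(hsts_findings("max-age=300"))
    print(cipher_findings("AES128-SHA"))
    print(signature_findings("sha1WithRSAEncryption"))
```

In practice the inputs come from a live connection: the header from the HTTPS response to the LRS's statements endpoint, the suite name from `ssl.SSLSocket.cipher()[0]`, and the signature algorithm from the server certificate. An empty list from each function means the endpoint meets the three items listed above; any finding maps directly to the interception, MITM, or alteration risk the list names.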
Second Tier: What to Consider
- Infosec standards for Activity Providers considered in isolation from LRS
- Information architecture
- Secure network hierarchy for SaaS
- Data persistence mechanism reliability
Third Tier: What to Consider
- Best practices for intrusion detection systems
- Alarm response times
- Response to zero-day vulnerabilities
- CVE response time standards
The xAPIsec Effort
It is our desire to establish an industry-driven protocol and standard for xAPI information security.
We would like input from the broad xAPI community and would ask ADL to assist in pushing out the call for feedback. We will be discussing this at the xAPI Bootcamp in July, as the effort grew out of the scalability and security work we did while building and testing our learning record store and visualization layer.
This document should be considered a general draft outline.