Subject: OASIS WAS TC Proposal for Changes


Happy New Year !

Firstly an apology for my poor communication and lack of leadership over the
last 2 months. Several personal things collided. I will ensure that I
communicate faster and more clearly moving forward.

This email contains information on moving the OASIS WAS standard forward and
getting activity going again. This proposal is based on observations and
lessons learned so far. Essentially it proposes two main changes and several
smaller supporting changes. These will require a vote for eligible members
which I will setup today for close in 7 days. I will not set that vote up
until Monday so anyone can make suggestions or comments that could avoid a
re-vote.

Main Changes
*	New Time Scale
*	New Sub Committees

Supporting Changes
*	Refine Charter
*	New Meeting Schedule

General Observations Leading to this Suggestion
1.	When we initially conceived this project it was to provide a
format to describe a subset of issues that could be identified by black box
web application scanning tools and possibly used by protection tools. I
would characterize those issues as static issues, i.e. simple pre-defined
things such as "if I send request A to URL B, I get response C that enables
me to do D". The classic open source tools that look for these issues today
are Nikto and Nessus. I think we all agree that a more comprehensive
language for testing would be preferred and we slipped into trying to create
this as WAS 1.0 and not WAS 2.0.
2.	As with most projects active participation is lower than we all
hoped, whilst observation is high.
3.	Underestimating the amount of time and effort to complete this
work with competing work priorities is far too easy.
4.	Despite a mail asking for contacts from Sanctum regarding their
patent, I never heard anything.  This would only affect WAS 2.0 as far as
advice I have been given.

Based on this I would like to propose a new structure that will simplify much
of the work, ensure that specific parts of the project don't hold up others
and restate our objectives.

New Sub-Committees
We have universally agreed there should be essentially 4 components to a WAS
signature.

*	Meta Data
*	Profile
*	Test
*	Protect
Meta Data is required to manage a database of signatures including
versioning, author and content management etc.

Profile is needed to provide a consistent and comprehensive description and
reference information for the issue such as patch location, vuln database
ID's etc.

Test is required to perform the HTTP based test.

Protect is used to match an HTTP stream against and alert or stop HTTP
traffic to a system.

I think the bulk of Meta Data and Profile is complete but not documented or
formalized. I think 60% of Test is complete through VulnXML (currently in
DTD not Schema).

I don't believe any Protect has been created.

From speaking to some potential end users, it seems that we need to
ensure that each section can be independent of the others, i.e. a few
financial services companies and consultancies would like to catalogue
issues using meta and profile but don't necessarily need or would use
protect.

New Sub-Committees
Therefore I propose we create 3 sub committees so that we can split the work
into more manageable chunks and have owners responsible for these smaller
pieces of work.

Core - This team will create and document the Profile and Meta-Data
Elements.

Test - This team will create and document the Test Element

Protect - This team will create and document the Protect element.

Each subcommittee can organize work as they see fit and we will hold a
monthly telephone conference to update and liaise.

Time-Scale
I propose we totally reset time expectations and aim to deliver the first
version of WAS 1.0 for consideration in six months. This gives everyone
plenty of time to complete the work needed, build prototypes etc.

Refine Charter
We will refine the charter to clearly spell out the scope of the WAS 1.0
(black box static issues).

New Meeting Schedule
As most of the work now needed is work rather than discussion I propose we
move to a monthly meeting schedule.  Foundstone will step up and sponsor the
meeting with conference call facilities.

So far I know that Ivan Ristic and Gabe Lawrence are interested in working
on Protect, myself and David Endler (press-ganged) into working on Core and
Rogan Dawes on Test.

If anyone else now has time to actively participate in any of these
sub-committees please drop me a mail. I'll of course set stuff up online now
so the vote can start on Monday and we can start work again in a week's time.

Thanks for your time.



Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
949.297.5575 Fax

http://www.foundstone.com

This email may contain confidential and privileged information for the sole
use of the intended recipient. Any review or distribution by others is
strictly prohibited. If you are not the intended recipient, please contact
the sender and delete all copies of this message. Thank you.
