Subject: OASIS WAS TC Proposal for Changes
Happy New Year! Firstly an apology for my poor communication and lack of leadership over the last 2 months. Several personal things collided. I will ensure that I communicate faster and more clearly moving forward.

This email contains information on moving the OASIS WAS standard forward and getting activity going again. This proposal is based on observations and lessons learned so far. Essentially it proposes two main changes and several smaller supporting changes. These will require a vote for eligible members which I will set up today for close in 7 days. I will not set that vote up until Monday so anyone can make suggestions or comments that could avoid a re-vote.

Main Changes

* New Time Scale
* New Sub Committees

Supporting Changes

* Refine Charter
* New Meeting Schedule

General Observations Leading to this Suggestion

1. When we initially conceived this project it was to provide a format to describe a subset of issues that could be identified by black box web application scanning tools and possibly used by protection tools. I would characterize those issues as static issues, i.e. simple pre-defined things such as "if I send request A to URL B, I get response C that enables me to do D". The classic open source tools that look for these issues today are Nikto and Nessus. I think we all agree that a more comprehensive language for testing would be preferred and we slipped into trying to create this as WAS 1.0 and not WAS 2.0.

2. As with most projects, active participation is lower than we all hoped, whilst observation is high.

3. Underestimating the amount of time and effort to complete this work with competing work priorities is far too easy.

4. Despite a mail asking for contacts from Sanctum regarding their patent, I never heard anything. This would only affect WAS 2.0 as far as the advice I have been given.

Based on this I would like to propose a new structure that will simplify much of the work, ensure that specific parts of the project don't hold up others and restate our objectives.

New Sub-Committees

We have universally agreed there should be essentially 4 components to a WAS signature.

* Meta Data
* Profile
* Test
* Protect

Meta Data is required to manage a database of signatures including versioning, author and content management etc.
Profile is needed to provide a consistent and comprehensive description and reference information for the issue such as patch location, vuln database IDs etc.
Test is required to perform the HTTP based test.
Protect is used to match an HTTP stream against and alert or stop HTTP traffic to a system.

I think the bulk of Meta Data and Profile is complete but not documented or formalized. I think 60% of Test is complete through VulnXML (currently in DTD not Schema). I don't believe any Protect has been created.

From speaking to some potential end users, it seems that we need to ensure that each section can be independent of the others, i.e. a few financial services companies and consultancies would like to catalogue issues using meta and profile but don't necessarily need or would use protect.

New Sub-Committees

Therefore I propose we create 3 sub-committees so that we can split the work into more manageable chunks and have owners responsible for these smaller pieces of work.

Core - This team will create and document the Profile and Meta-Data Elements.
Test - This team will create and document the Test Element.
Protect - This team will create and document the Protect element.

Each subcommittee can organize work as they see fit and we will hold a monthly telephone conference to update and liaise.

Time-Scale

I propose we totally reset time expectations and aim to deliver the first version of WAS 1.0 for consideration in six months. This gives everyone plenty of time to complete the work needed, build prototypes etc.

Refine Charter

We will refine the charter to clearly spell out the scope of WAS 1.0 (black box static issues).

New Meeting Schedule

As most of the work now needed is work rather than discussion, I propose we move to a monthly meeting schedule. Foundstone will step up and sponsor the meeting with conference call facilities.

So far I know that Ivan Ristic and Gabe Lawrence are interested in working on Protect, myself and David Endler (press-ganged) into working on Core and Rogan Dawes on Test.

If anyone else now has time to actively participate in any of these sub-committees please drop me a mail. I'll of course set stuff up online now so the vote can start on Monday and we can start work again in a week's time.

Thanks for your time.

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security
949.297.5600 x2070 Tel
949.297.5575 Fax
http://www.foundstone.com

This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this message. Thank you.