OASIS Mailing List Archives
Subject: Re: [was] Resources


Hi Nasseam,

Thanks for the mail. 

I don't want to pre-empt the discussion that will take place at the next (first working) meeting of the TC about classification schemes, but did want to clear up your question about AVDL and WAS. Debate about the classification work will start in earnest next week but I think it's important we start on the right foot with the meeting so we can tackle the problem in a structured manner.

<snip> AVDL and VulnXML both have some kind of vulnerability testing scheme. Does WAS plan on using AVDL for testing and solely focus on ranking and classification? </snip>

If you read the charter we have clearly set out our position on AVDL and what we (WAS) will be creating/delivering.

http://www.oasis-open.org/committees/was/charter.php

Cheers and have a great weekend.


Mark

---- nelkarra@opensec.org wrote:
> Hello all,
>
> I just wanted to post some thoughts so we have some things to think about before the next meeting.
>
> For risk ranking, we have all seen the common words: low, minor, moderate, medium, high, severe, serious, and critical. Don't forget my favorite--Microsoft's "Important".
> These words are often used in the context of "Severity" or "Priority".
>
> Some like CERT use a number instead:
> http://www.kb.cert.org/vuls/html/fieldhelp#metric
>
> Others might skip this ranking scheme because of difficulty and/or confusion. They choose to use words like "remote", "local", or a few words explaining the impact of the vulnerability such as, "Allows users to..."
>
> A good thing to do is to browse security portals such as Bugtraq to get an idea of what methods people are using.
>
> For vulnerability classification, the terms used are a bit more stable such as "Input validation error (Buffer overflow)" but others need more consistency.
>
> Vulnerability classification links:
> http://icat.nist.gov/icat_documentation.htm
> http://www.securityfocus.com/bid/7230/help/
>
> I think this TC is a good step towards cleaning up the mess of vulnerability info.
>
> I have links to related standards on my website for those interested:
> http://www.opensec.org/resources.html
>
> With ANML (http://www.opensec.org/anml/), I am working on the advisory itself and plan on having an assessment element with a type attribute such as:
> <assess type="vulnxml">
> <assess type="oval">
> <assess type="avdl">
>
> For those not familiar with OVAL (http://oval.mitre.org/), the Open Vulnerability Assessment Language uses SQL for assessment logic but recently announced an XML version which I am helping with. OVAL differs in that it checks system characteristics and configuration attributes (e.g. file version is... or registry key exists) whereas AVDL and VulnXML work more intimately with the application to check the presence of vulnerabilities (e.g. sending HTTP requests, examining responses, sessions). I don't want to open a debate because they are different approaches and both are useful.
>
> I have a question:
> AVDL and VulnXML both have some kind of vulnerability testing scheme. Does WAS plan on using AVDL for testing and solely focus on ranking and classification?
>
> Thanks,
> Nasseam Elkarra
> nelkarra@opensec.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: was-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: was-help@lists.oasis-open.org
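The quoted message raises two practical problems: vendors rank severity with incompatible vocabularies (and some use impact words such as "remote" that are not severities at all), and an advisory may carry assessment logic of different kinds (host-configuration checks in OVAL versus application-level tests in AVDL/VulnXML). The following Python is an added example, not ANML's, OASIS WAS's or any listed project's code. It parses a constructed advisory fragment, normalizes the severity words named in the thread onto a single hypothetical ordinal scale (the word-to-level mapping is an assumption, not a published standard), rejects words it cannot map instead of guessing, and tags each `<assess type="...">` element with the assessment approach the message attributes to it. The `<advisory>` and `<severity>` element names and the `source` attribute are invented for the example; only the `type` values `oval`, `avdl` and `vulnxml` come from the discussion.

```python
"""Normalize severity vocabularies and route assessment elements in an advisory.

Added example, not ANML/OASIS WAS code. The <advisory>/<severity> layout and
the severity-to-level table are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET

# Hypothetical ordinal scale over the severity words listed in the thread.
# Microsoft's "Important" is placed between "moderate" and "critical".
SEVERITY_LEVELS = {
    "low": 1, "minor": 1,
    "moderate": 2, "medium": 2,
    "important": 3, "high": 3, "serious": 3,
    "severe": 4, "critical": 4,
}

# Assessment approach per the thread: OVAL checks system characteristics and
# configuration; AVDL and VulnXML exercise the application itself.
ASSESS_APPROACH = {
    "oval": "host-configuration",
    "avdl": "application-test",
    "vulnxml": "application-test",
}


def normalize_severity(word):
    """Map a vendor severity word to the ordinal scale; None if unknown.

    Impact words such as "remote" or "local" deliberately map to None so a
    non-severity is never silently treated as a low or high rating.
    """
    return SEVERITY_LEVELS.get(word.strip().lower())


def parse_advisory(xml_text):
    """Return the advisory id, per-source normalized severities and assessments."""
    root = ET.fromstring(xml_text)
    severities = {}
    for sev in root.findall("severity"):
        source = sev.get("source", "unknown")
        severities[source] = normalize_severity(sev.text or "")
    assessments = []
    for node in root.findall("assess"):
        kind = node.get("type", "").strip().lower()
        assessments.append((kind, ASSESS_APPROACH.get(kind, "unknown")))
    return {"id": root.get("id"), "severity": severities, "assessments": assessments}


def consensus_severity(severities):
    """Most severe mappable rating across sources; None if nothing mapped."""
    known = [level for level in severities.values() if level is not None]
    return max(known) if known else None


# Constructed sample advisory (not a real advisory); mixes vocabularies and
# includes an assessment type the table does not know about.
CONSTRUCTED_ADVISORY = """<advisory id="EXAMPLE-0001">
  <severity source="vendor-a">Important</severity>
  <severity source="vendor-b">Moderate</severity>
  <severity source="tracker-c">Remote</severity>
  <assess type="oval"/>
  <assess type="avdl"/>
  <assess type="vulnxml"/>
  <assess type="scanner-x"/>
</advisory>"""


if __name__ == "__main__":
    parsed = parse_advisory(CONSTRUCTED_ADVISORY)
    print(parsed["id"], parsed["severity"], consensus_severity(parsed["severity"]))
    for kind, approach in parsed["assessments"]:
        print(f"  assess type={kind!r}: {approach}")
```

Taking the maximum across sources is a conservative choice for triage; an unmappable word shows up as `None` in the per-source view so a reviewer can see which source needs manual reading rather than having it disappear into the consensus.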

