[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [was] WAS Schema first draft forwarded from Andrew Jaquith
|
I've reviewed the schema very closely, and I'm not convinced this is
heading the right direction. Under the proposed schema, a vulnerability has
5 types of information:
Vulnerability
- Attack Characteristics (group and
subgroup -- e.g. access control and authorization)
- Attack Surfaces (system boundary,
component boundary, source code)
- Target (application component,
infrastructure component, end user)
- Conditions (privilege,
port)
- Consequences (denial of service,
privilege elevation, transfer of trust, identity impersonation, data disclosure,
security requirements violation)
Many of these terms are not clear to me, nor am I convinced that every
vulnerability will have information in all of these categories. I also
believe that many types of useful information have no place in the proposed
schema.
I think our goal should be to create a language for communicating about web
application vulnerabilities that is rich enough to express all the information
we have about vulnerabilities, yet simple and clear enough for anyone to
understand. In my last message, I proposed a schema that would look
something like this:
Vulnerability
- Basic Characteristics
- Security
Characteristics
- Testing
Characteristics
- Exploit
Characteristics
- Remediation
Characteristics
Each of those types of characteristics was detailed as follows:
1 - Basic characteristics -- obvious, concrete characteristics are the best
for unique identification and searching purposes. Some examples (nowhere
near a complete list) I think would be useful to have documented for each
vulnerability are:
- The name, version of the targeted
application
- Platform info(servers,
versions) - HTTP info(method, headers, cookies, domain,
response code) - Parameter info (form name, field name, URL,
querystring)
- Code (language, method name, line number, error
message)
- Other common identifiers (filenames)
2 - Security characteristics -- these will "map" vulnerabilities
into a security space. Not as important for unique identification, but very
useful for risk analysis and understanding. By the way, I think using
characteristics is a cleaner way to handle the idea of 'groups':
- Security area (confidentiality, integrity,
availability, accountability, privacy)
- Vulnerability category (Top Ten, Mark's list below,
others -- this is where the thesaurus idea is best for aliases)
- Related security mechanisms (authentication,
authorization, encryption, filtering, logging, etc...) -
Likelihood of exploit (tools, difficulty) - Consequence (defacement, disclosure, corruption,
denial of service)
3 - Characteristics related to how to TEST for the vulnerability --
these are a step away from characteristics of the vulnerability, but I think
could be included in this model without too much difficulty. Note that these
won't help much at all with unique identification, but will help the user who
wants to know if they're susceptible.
- Finding in running application (proxy mitm, scanning,
tools to use)
- Finding in code (search strings, patterns to look for,
tools to use)
4 - Characteristics related to how to EXPLOIT the vulnerability -- as
discussed on the list, I don't think we should try to put specific exploit
recipes in XML -- it's too hard. This is for a brief text description of how to
exploit. Specific exploits are best represented in NASL, or libwhisker
perl, or something.
- Specific tools to use
- Methodology or process
5 - Characteristics related to how to REMEDY the vulnerability -- I think
these will be extremely useful if you want to find out if you've got a
vulnerability, and if you do, to determine how to fix it.
- Approaches (fix code, block requests, filter, apply
patch, start over)
- Forensics (how to search logs, other evidence of
exploit)
Thoughts?
--
Jeff
|
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]