Subject: Schema Started


OK I started to write some schema...first time for me and this is *really* early (I am going to continue tonight and tomorrow so should have a working model by the end of the week) but I wanted to send it on so people can start chewing on ideas.  There isn't really enough to even review but thought I would remind you I am still alive ;-)
 
It seems logical to import the WAS Thesaurus and WAS Risk Ranking schemas into WAS Core?
 
The basic question I have (for this mail anyway) is what do we want the overall structure to look like? Jeff Williams sent an email out a while back with a proposal for 5 main sections.
 
  1 - basic characteristics of the vulnerability
  2 - security characteristics of the vulnerability
  3 - characteristics related to finding the vulnerability
  4 - characteristics related to exploiting the vulnerability
  5 - characteristics related to remedying the vulnerability
 
What I started to do was pick off elements one by one and as I did so I think there are naturally three sections.
 
Reference Data (including the thesaurus, version info etc)
Test Case (the actual technical data to describe the HTTP test)
Exploit (the actual exploit test)
 
The first is the descriptive data about the signature, the reference. This will obviously be the easy bit. Why I started there ;-) The second is the XML to describe the test case and the third is the content to provide an exploit. As we discussed on the call, this may be an external language like Java or C# (XSLT provides for this hand off to more powerful processing languages well). I am not a modeler but it may be prudent to import a WAS Exploit schema into the WAS Core (test part) as well? I personally like this model as the exploit section could be optional.
 
Unless I hear from anyone I will work on this premise and try to complete at least the first run of the Reference section before the end of this week.
 
I am also attaching the start (yeah I am sorry for two partially started and incomplete things) of a requirements doc. I suspect that before we can create a good first pass at the test section and exploit sections we will need to firm up on the requirements / functionality. If anyone has any time or desire to flesh this out then it may serve as a good reference but not needed. So far it is just the requirements I put forward at last week's meeting. Again I will work towards a completed draft before the end of the week unless someone else can help.
 
In the reference section of WAS Core I intended to include
 
SignatureIdentity
Date
SigAuthor
SignatureProvider
NaturalLanguage
Copyright
Version
License
ExternalRefs
 
(import) WASThesaurus
(import) WASRiskRanking
 
What else and why?
 
Mark
 
Throughout I was remembering this is not just about vulnerabilities but also about describing positive security.

<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://oasis-open.org/was.xsd" targetNamespace="http://oasis-open.org/was.xsd" elementFormDefault="qualified" attributeFormDefault="unqualified">

	<xs:element name="signatureIdentifier">
		<xs:annotation>
			<xs:appinfo/>
			<xs:documentation>The signatureIdentifier element provides a mechanism to declare uniquely identifiable attributes for cataloguing and referencing.</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:attribute name="WASUID" use="required" type="xs:int"/>
			<xs:attribute name="vendorID" type="xs:int"/>
			<xs:attribute name="providerID" type="xs:int"/>
		</xs:complexType>
	</xs:element>

	<xs:element name="Date">
		<xs:annotation>
			<xs:appinfo/>
			<xs:documentation>The Date element provides a mechanism to declare the original date of release for the signature, the last release date of the signature and version release dates.</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:attribute name="originalReleaseDate" use="required" type="xs:date"/>
			<xs:attribute name="lastRevisionDate" use="required" type="xs:date"/>
			<xs:attribute name="versionRevisionDate" type="xs:date"/>
		</xs:complexType>
	</xs:element>

	<xs:element name="signatureAuthor">
		<xs:annotation>
			<xs:appinfo/>
			<xs:documentation>The signatureAuthor element provides a mechanism to reference the original author.</xs:documentation>
		</xs:annotation>
		<xs:complexType>
			<xs:attribute name="name" use="required" type="xs:string"/>
			<xs:attribute name="company" type="xs:string"/>
			<xs:attribute name="email" type="xs:string"/>
		</xs:complexType>
	</xs:element>

	<xs:element name="naturalLanguage">
		<xs:annotation>
			<xs:appinfo/>
			<xs:documentation>Uses RFC 1766 language tags, i.e. the values valid for xml:lang.</xs:documentation>
		</xs:annotation>
		<!-- xs:language is the built-in type for RFC 1766 tags. Whether the element
		     must be present is decided by minOccurs where it is used, not by use="required". -->
		<xs:simpleType>
			<xs:restriction base="xs:language"/>
		</xs:simpleType>
	</xs:element>

	<!-- Still to be written:
	     Provider (name, company, email, signature)
	     Version
	     Copyright
	     License
	     WAS Thesaurus
	     Risk Ranking
	     References (CVE, Bugtraq etc)
	-->

</xs:schema>

WASRequirements.doc
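As an added example (my own, not code from the post or from the WAS TC drafts), the following shows what consuming the reference section above looks like in practice: it parses a constructed instance document that uses the element and attribute names of the draft schema and checks the constraints the schema states (required attributes, integer identifiers, ISO dates, an RFC 1766 language tag). The `was:signature` root element and all sample values are assumptions.

```python
# Added example (not from the original post or the OASIS WAS TC): validates the
# reference section drafted above; <signature> root and sample are assumptions.
import re
import xml.etree.ElementTree as ET
from datetime import date

WAS_NS = "http://oasis-open.org/was.xsd"
LANG_TAG = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")  # RFC 1766 shape

# Constructed sample instance: reference data for one signature.
SAMPLE = f"""<was:signature xmlns:was="{WAS_NS}">
  <was:signatureIdentifier WASUID="1001" vendorID="7"/>
  <was:Date originalReleaseDate="2003-05-01" lastRevisionDate="2003-05-12"/>
  <was:signatureAuthor name="Example Author" email="author@example.invalid"/>
  <was:naturalLanguage>en-US</was:naturalLanguage>
</was:signature>"""

def _q(name):
    return f"{{{WAS_NS}}}{name}"

def _attr(el, attr, errors, conv=str, required=True):
    """Fetch one attribute, converting it with conv; record problems in errors."""
    val = el.get(attr) if el is not None else None
    if val is None:
        if required:
            errors.append(f"{attr} missing")
        return None
    try:
        return conv(val)
    except ValueError:
        errors.append(f"{attr} malformed: {val!r}")
        return None

def validate_reference(xml_text):
    """Return a list of problems; an empty list means the section is valid."""
    root, errors = ET.fromstring(xml_text), []
    ident = root.find(_q("signatureIdentifier"))
    _attr(ident, "WASUID", errors, int)           # use="required" type="int"
    _attr(ident, "vendorID", errors, int, False)  # optional, but must be an int
    d = root.find(_q("Date"))
    first = _attr(d, "originalReleaseDate", errors, date.fromisoformat)
    last = _attr(d, "lastRevisionDate", errors, date.fromisoformat)
    if first and last and last < first:           # ordering check beyond the XSD
        errors.append("lastRevisionDate precedes originalReleaseDate")
    _attr(root.find(_q("signatureAuthor")), "name", errors)
    lang = root.findtext(_q("naturalLanguage"), "").strip()
    if not LANG_TAG.match(lang):                  # xs:language / xml:lang value
        errors.append(f"naturalLanguage is not an RFC 1766 tag: {lang!r}")
    return errors
```

Running `validate_reference(SAMPLE)` returns an empty list; dropping `WASUID` or putting the revision date before the release date produces a descriptive error for each problem.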
