Subject: Schema Started
OK I started to write some schema...first time for me and this is *really* early (I am going to continue tonight and tomorrow so should have a working model by the end of the week) but I wanted to send it on so people can start chewing on ideas. There isn't really enough to even review but thought I would remind you I am still alive ;-)
It seems logical to import the WAS Thesaurus and WAS Risk Ranking schemas into WAS Core?
The basic question I have (for this mail anyway) is what do we want the overall structure to look like? Jeff Williams sent an email out a while back with a proposal for 5 main sections.
1 - basic characteristics of the vulnerability
2 - security characteristics of the vulnerability
3 - characteristics related to finding the vulnerability
4 - characteristics related to exploiting the vulnerability
5 - characteristics related to remedying the vulnerability
What I started to do was pick off elements one by one and as I did so I think there are naturally three sections.
Reference Data (including the thesaurus, version info etc)
Test Case (the actual technical data to describe the HTTP test)
Exploit (the actual exploit test)
The first is the descriptive data about the signature, the reference. This will obviously be the easy bit. Why I started there ;-) The second is the XML to describe the test case and the third is the content to provide an exploit. As we discussed on the call this may be an external language like Java or C# (XSLT provides for this hand off to more powerful processing languages well). I am not a modeler but it may be prudent to import a WAS Exploit schema into the WAS Core (test part) as well? I personally like this model as the exploit section could be optional.
Unless I hear from anyone I will work on this prespace and try to complete at least the first run of the Reference section before the end of this week.
I am also attaching the start (yeah I am sorry for two partially started and incomplete things) of a requirements doc. I suspect that before we can create a good first pass at the test section and exploit sections we will need to firm up on the requirements / functionality. If anyone has any time or desire to flesh this out then it may serve as a good reference but not needed. So far it is just the requirements I put forward at last week's meeting. Again I will work towards a completed draft before the end of the week unless someone else can help.
In the reference section of WAS Core I intended to include
SignatureIdentity
Date
SigAuthor
SignatureProvider
NaturalLanguage
Copyright
Version
License
ExternalRefs
(import) WASThesaurus
(import) WASRiskRanking
What else and why?
Mark
Throughout I was remembering this is not just about vulnerabilities but also about describing positive security
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="http://oasis-open.org/was.xsd"
           elementFormDefault="qualified"
           attributeFormDefault="unqualified">

  <xs:element name="signatureIdentifier">
    <xs:annotation>
      <xs:appinfo/>
      <xs:documentation>The signatureIdentifier element provides a mechanism to declare uniquely identifiable attributes for cataloguing and referencing.</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:attribute name="WASUID" use="required" type="xs:int"/>
      <xs:attribute name="vendorID" type="xs:int"/>
      <xs:attribute name="providerID" type="xs:int"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="Date">
    <xs:annotation>
      <xs:appinfo/>
      <xs:documentation>The Date element provides a mechanism to declare the original date of release for the signature, the last release date of the signature and version release dates.</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:attribute name="originalReleaseDate" use="required" type="xs:date"/>
      <xs:attribute name="lastRevisionDate" use="required" type="xs:date"/>
      <xs:attribute name="versionRevisionDate" type="xs:date"/>
    </xs:complexType>
  </xs:element>

  <xs:element name="signatureAuthor">
    <xs:annotation>
      <xs:appinfo/>
      <xs:documentation>The signatureAuthor element provides a mechanism to reference the original author.</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:attribute name="name" use="required" type="xs:string"/>
      <xs:attribute name="company" type="xs:string"/>
      <xs:attribute name="email" type="xs:string"/>
    </xs:complexType>
  </xs:element>

  <!-- xs:language is the built-in type for RFC 1766 tags, the same values xml:lang accepts;
       the draft's <xs:simpleType name="Language" use="required" type="language"/> was not valid XSD -->
  <xs:element name="naturalLanguage" type="xs:language">
    <xs:annotation>
      <xs:appinfo/>
      <xs:documentation>Uses RFC 1766 and valid values from xml:lang.</xs:documentation>
    </xs:annotation>
  </xs:element>

  <!-- Still to do: Provider (name, company, email, signature), Version, Copyright, License,
       WAS Thesaurus, Risk Ranking, References (CVE, Bugtraq etc.) -->
</xs:schema>
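As an added example (not from the mailing list or the WAS TC), a constructed instance of the four reference elements declared above and a standard-library check of the constraints the draft expresses: required attributes, xs:int and xs:date lexical forms, no undeclared attributes, and an RFC 1766-shaped language tag. The <reference> wrapper element, the sample values and the check_reference function are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import date
WAS_NS = "http://oasis-open.org/was.xsd"
# Constructed instance (not from the list); the <reference> wrapper is an assumption.
SAMPLE = """<reference xmlns="http://oasis-open.org/was.xsd">
  <signatureIdentifier WASUID="1001" vendorID="42"/>
  <Date originalReleaseDate="2003-05-12" lastRevisionDate="2003-05-14"/>
  <signatureAuthor name="Mark" company="Example Corp" email="mark@example.com"/>
  <naturalLanguage>en-GB</naturalLanguage>
</reference>"""
def _is_date(v):  # xs:date lexical form without a timezone part
    try:
        date.fromisoformat(v)
        return True
    except ValueError:
        return False
# Lexical checks for the built-in types the draft uses (xs:int range check omitted)
CHECK = {"xs:int": lambda v: re.fullmatch(r"[+-]?\d+", v) is not None,
         "xs:date": _is_date, "xs:string": lambda v: True}
RULES = {  # element -> {attribute: (required, type)}, mirroring the draft complexTypes
    "signatureIdentifier": {"WASUID": (True, "xs:int"), "vendorID": (False, "xs:int"),
                            "providerID": (False, "xs:int")},
    "Date": {"originalReleaseDate": (True, "xs:date"), "lastRevisionDate": (True, "xs:date"),
             "versionRevisionDate": (False, "xs:date")},
    "signatureAuthor": {"name": (True, "xs:string"), "company": (False, "xs:string"),
                        "email": (False, "xs:string")},
}
LANG_TAG = re.compile(r"[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*")  # RFC 1766 tag shape
def check_reference(xml_text):  # returns a list of problems; [] means all rules hold
    root = ET.fromstring(xml_text)
    problems = []
    for name, attrs in RULES.items():
        el = root.find(f"{{{WAS_NS}}}{name}")
        if el is None:
            problems.append(f"{name}: element missing")
            continue
        for attr, (required, xstype) in attrs.items():
            value = el.get(attr)
            if value is None and required:
                problems.append(f"{name}: required attribute {attr} missing")
            elif value is not None and not CHECK[xstype](value):
                problems.append(f"{name}: attribute {attr}={value!r} is not a valid {xstype}")
        for extra in sorted(set(el.keys()) - set(attrs)):  # no xs:anyAttribute in the draft
            problems.append(f"{name}: undeclared attribute {extra}")
    lang = root.find(f"{{{WAS_NS}}}naturalLanguage")
    if lang is None or not LANG_TAG.fullmatch((lang.text or "").strip()):
        problems.append("naturalLanguage: missing or not an RFC 1766 language tag")
    return problems
```

A real validator (any XSD-aware parser) would apply the same rules from the schema file itself; this check only makes explicit what each declaration in the draft demands of an instance.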