OASIS Mailing List Archives

 



was message



Subject: Current WAS XML Schemas


Hi,

OK back from the dead ;-)

I am attaching what I have as the latest schema we developed before
Christmas and wanted to send a basic summary of where I think we are so
that others can start thinking and even working on updates before the
next meeting. 

We agreed to split the WAS Schema into four main sections

Meta-Data
Profile
Test
Protect

The Meta-Data and Profile will be developed by the WAS Core Group
The Test will be developed by the WAS Test Group
The Protect will be developed by the WAS Protect group

The schema attached to this mail is a first draft of WAS Meta-Data and
Profile. The deliverables for this section will be

1. Documented Schema
2. Thesaurus / Dictionary of Terms
3. Risk Ranking Model
4. Developers Guide to WAS
5. Managers Guide to WAS

This group will also work with OWASP to enhance the current VulnXML
database to accept and manage WAS signatures. 

OWASP's VulnXML was being considered as the basis for WAS Test. This is
currently in DTD format. The WAS Test group can decide whether to
enhance the DTD or convert to schema at this stage or later. It was
generally agreed that some enhancements to functionality would be
desirable but no conclusions as to what they are or how they would
manifest were made. The deliverables for this group are

1. Documented Schema
2. Reference Implementation of a WAS Execution engine in Java.

No work has yet been done on the protect element. The deliverables will
be

1. Documented Schema
2. Reference implementation (mod_security and CodeSeeker)

Notes:

1. We have set provisional dates of August to deliver all of the above
2. We can define WAS 1.0 and WAS 2.0 in order to manage scope!
3. At the next meeting we will formalize who is working in each group. So
far Mark Curphey will run Core, Ivan Ristic Protect and TBC Ingo Struck
Test. 
4. We will meet monthly but use the mailing list as much as possible. 

I think that's it. 

Look forward to getting this kicked off again on Feb 9th and working
with you all again.

Mark



Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel 
781.738.0857 Cell
949.297.5575 Fax 

http://www.foundstone.com 

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you. 

was-core0.3.xsd


