OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

was message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [was] Notes on WAS Face to Face

Thanks Mark. The meeting was very productive and I'm looking to the next

One quick note for those reviewing this list -- by allowing multiple of
these to be assigned to a single application secuirty issue, we avoid many
of the hierarchy/taxonomy/classification problems that have plagued this
type of effort in the past.


Jeff Williams, CEO
Aspect Security

----- Original Message ----- 
From: Mark Curphey
To: was@lists.oasis-open.org
Sent: Sunday, March 28, 2004 9:10 PM
Subject: [was] Notes on WAS Face to Face

As you will know from the notifications I have uploaded the meeting
minutes from last weeks face to face and the updated working schema.

It was a great meeting and we are making real progress. I am fairly
confident we can publish the drafts of meta-data and profile as well the
supporting documents before the end of April.

The supporting documents will be;

OASIS WAS Thesaurus (using VulnTypes) - this is the classification
OASIS WAS Vision Document
OASIS WAS Core Schema Documented

For those who don't read the minutes or look at the schema, I think some
of the important schema is below. This will allow for rich metrics and
measurement programs to be created by using the categories.

<xsd:simpleType name="vulnList">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="AccessControl" />
<xsd:enumeration value="ConfigurationManagement"
value="ConfigurationManagement.Administration" />
value="ConfigurationManagement.Application" />
value="ConfigurationManagement.Infrastructure" />
<xsd:enumeration value="IntegerOverflow" />
<xsd:enumeration value="DataProtection" />
<xsd:enumeration value="DataProtection.Storage"
value="DataProtection.Transport" />
<xsd:enumeration value="InputValidation" />
<xsd:enumeration value="InputValidation.User" />
<xsd:enumeration value="InputValidation.Network"
<xsd:enumeration value="InputValidation.File" />
<xsd:enumeration value="Concurrency" />
<xsd:enumeration value="AppDOS" />
<xsd:enumeration value="AppDOS.Flood" />
<xsd:enumeration value="AppDOS.Lockout" />
<xsd:enumeration value="BufferOverflow.Heap" />
<xsd:enumeration value="BufferOverflow.Stack" />
<xsd:enumeration value="BufferOverflow.Format"
<xsd:enumeration value="Injection" />
<xsd:enumeration value="Injection.OS" />
<xsd:enumeration value="Injection.SQL" />
<xsd:enumeration value="Injection.HTML" />
<xsd:enumeration value="Injection.OSCommand" />
<xsd:enumeration value="Injection.LDAP" />
<xsd:enumeration value="Injection.XSS" />
<xsd:enumeration value="ErrorHandling" />
<xsd:enumeration value="Monitoring" />
<xsd:enumeration value="Monitoring.Logging" />
<xsd:enumeration value="Monitoring.Detection" />
<xsd:enumeration value="Cryptography" />
<xsd:enumeration value="Cryptography.Algorithm"
value="Cryptography.KeyManagement" />
<xsd:enumeration value="Authentication" />
<xsd:enumeration value="Authentication.User" />
value="Authentication.UserManagement" />
<xsd:enumeration value="Authentication.Entity"
value="Authentication.SessionManagement" />
<xsd:simpleType name="appType">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="client-server" />
<xsd:enumeration value="web service" />
<xsd:enumeration value="standalone" />
<xsd:enumeration value="p2p" />
<xsd:enumeration value="web application" />
<xsd:enumeration value="server" />
<xsd:enumeration value="client" />
<xsd:enumeration value="mainframe" />
<xsd:simpleType name="rootCauseType">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="software defect" />
<xsd:enumeration value="config" />
<xsd:simpleType name="RelatedProcesses">
<xsd:restriction base="xsd:string">
<xsd:enumeration value="RequirementsAnalysis" />
<xsd:enumeration value="DesignAnalysis" />
<xsd:enumeration value="code" />
<xsd:enumeration value="SecurityTesting" />
<xsd:enumeration value="Deployment" />

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax


This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you.

To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]