RE: [was] Notes on WAS Face to Face

["Mark Curphey" <mark.curphey@foundstone.com>]

Peter,

Feel free to clean up what you need to. Some of the older vuln info is
still there and the original info of Attack Types etc from the older
risk ranking model. I think we should take that out. 

Also what do you think about a structure of 

WAS Core.xsd that calls
	WAS Detect
	WAS Protect

This allows for an easier development (less merge conflicts) but would
also allow us to increment sub-elements moving forward without having to
update the entire schema. 

Mark

As a note Symantec will be joining WAS in an active role this week!
	


-----Original Message-----
From: Peter Michalek [mailto:peter@fortifysoftware.com] 
Sent: Monday, March 29, 2004 11:49 AM
To: Mark Curphey
Subject: RE: [was] Notes on WAS Face to Face

Hi Mark,

This is a good summary of vulnTypes that is useful, how we need to clean
up and publishing as schema so that it has a more professional look. If
you would be OK with that, we could go ahead with my proposal from
Saturday and clean up and relatively finalize the stuff we came up with
last week. You probably want to do it at your own pace and coordinate
with other things, which is fine. Just let me know when you are ready.

Peter


-----Original Message-----
From: Mark Curphey [mailto:mark.curphey@foundstone.com]
Sent: Sunday, March 28, 2004 6:10 PM
To: was@lists.oasis-open.org
Subject: [was] Notes on WAS Face to Face

As you will know from the notifications I have uploaded the meeting
minutes from last weeks face to face and the updated working schema.

It was a great meeting and we are making real progress. I am fairly
confident we can publish the drafts of meta-data and profile as well the
supporting documents before the end of April.

The supporting documents will be;

OASIS WAS Thesaurus (using VulnTypes) - this is the classification
scheme OASIS WAS Vision Document OASIS WAS Core Schema Documented

For those who don't read the minutes or look at the schema, I think some
of the important schema is below. This will allow for rich metrics and
measurement programs to be created by using the categories. 


	<xsd:simpleType name="vulnList">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="AccessControl" />
			<xsd:enumeration value="ConfigurationManagement"
/>
			<xsd:enumeration
value="ConfigurationManagement.Administration" />
			<xsd:enumeration
value="ConfigurationManagement.Application" />
			<xsd:enumeration
value="ConfigurationManagement.Infrastructure" />
			<xsd:enumeration value="IntegerOverflow" />
			<xsd:enumeration value="DataProtection" />
			<xsd:enumeration value="DataProtection.Storage"
/>
			<xsd:enumeration
value="DataProtection.Transport" />
			<xsd:enumeration value="InputValidation" />
			<xsd:enumeration value="InputValidation.User" />
			<xsd:enumeration value="InputValidation.Network"
/>
			<xsd:enumeration value="InputValidation.File" />
			<xsd:enumeration value="Concurrency" />
			<xsd:enumeration value="AppDOS" />
			<xsd:enumeration value="AppDOS.Flood" />
			<xsd:enumeration value="AppDOS.Lockout" />
			<xsd:enumeration value="BufferOverflow.Heap" />
			<xsd:enumeration value="BufferOverflow.Stack" />
			<xsd:enumeration value="BufferOverflow.Format"
/>
			<xsd:enumeration value="Injection" />
			<xsd:enumeration value="Injection.OS" />
			<xsd:enumeration value="Injection.SQL" />
			<xsd:enumeration value="Injection.HTML" />
			<xsd:enumeration value="Injection.OSCommand" />
			<xsd:enumeration value="Injection.LDAP" />
			<xsd:enumeration value="Injection.XSS" />
			<xsd:enumeration value="ErrorHandling" />
			<xsd:enumeration value="Monitoring" />
			<xsd:enumeration value="Monitoring.Logging" />
			<xsd:enumeration value="Monitoring.Detection" />
			<xsd:enumeration value="Cryptography" />
			<xsd:enumeration value="Cryptography.Algorithm"
/>
			<xsd:enumeration
value="Cryptography.KeyManagement" />
			<xsd:enumeration value="Authentication" />
			<xsd:enumeration value="Authentication.User" />
			<xsd:enumeration
value="Authentication.UserManagement" />
			<xsd:enumeration value="Authentication.Entity"
/>
			<xsd:enumeration
value="Authentication.SessionManagement" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="appType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="client-server" />
			<xsd:enumeration value="web service" />
			<xsd:enumeration value="standalone" />
			<xsd:enumeration value="p2p" />
			<xsd:enumeration value="web application" />
			<xsd:enumeration value="server" />
			<xsd:enumeration value="client" />
			<xsd:enumeration value="mainframe" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="rootCauseType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="software defect" />
			<xsd:enumeration value="config" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="RelatedProcesses">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="RequirementsAnalysis" />
			<xsd:enumeration value="DesignAnalysis" />
			<xsd:enumeration value="code" />
			<xsd:enumeration value="SecurityTesting" />
			<xsd:enumeration value="Deployment" />
		</xsd:restriction>
	</xsd:simpleType>
</xsd:schema>

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax 

http://www.foundstone.com 

This email may contain confidential and privileged information for the
sole use of the intended recipient. Any review or distribution by others
is strictly prohibited. If you are not the intended recipient, please
contact the sender and delete all copies of this message. Thank you. 

To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup
.php
.