[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [was] Notes on WAS Face to Face
Peter,

Feel free to clean up what you need to. Some of the older vuln info is still there, as is the original info on Attack Types etc. from the older risk ranking model. I think we should take that out.

Also, what do you think about a structure of WAS Core.xsd that calls

    WAS Detect
    WAS Protect

This allows for easier development (fewer merge conflicts) but would also allow us to increment sub-elements moving forward without having to update the entire schema.

Mark

As a note, Symantec will be joining WAS in an active role this week!

-----Original Message-----
From: Peter Michalek [mailto:peter@fortifysoftware.com]
Sent: Monday, March 29, 2004 11:49 AM
To: Mark Curphey
Subject: RE: [was] Notes on WAS Face to Face

Hi Mark,

This is a good summary of vulnTypes that is useful; now we need to clean it up and publish it as a schema so that it has a more professional look. If you would be OK with that, we could go ahead with my proposal from Saturday and clean up and relatively finalize the stuff we came up with last week. You probably want to do it at your own pace and coordinate with other things, which is fine. Just let me know when you are ready.

Peter

-----Original Message-----
From: Mark Curphey [mailto:mark.curphey@foundstone.com]
Sent: Sunday, March 28, 2004 6:10 PM
To: was@lists.oasis-open.org
Subject: [was] Notes on WAS Face to Face

As you will know from the notifications, I have uploaded the meeting minutes from last week's face to face and the updated working schema. It was a great meeting and we are making real progress. I am fairly confident we can publish the drafts of meta-data and profile as well as the supporting documents before the end of April. The supporting documents will be:

    OASIS WAS Thesaurus (using VulnTypes) - this is the classification scheme
    OASIS WAS Vision Document
    OASIS WAS Core Schema Documented

For those who don't read the minutes or look at the schema, I think some of the important schema is below.
This will allow for rich metrics and measurement programs to be created by using the categories.

<!-- opening xsd:schema element added so this excerpt is well-formed on its own; the posted message carries only the closing tag -->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <xsd:simpleType name="vulnList">
    <xsd:restriction base="xsd:string">
      <xsd:enumeration value="AccessControl" />
      <xsd:enumeration value="ConfigurationManagement" />
      <xsd:enumeration value="ConfigurationManagement.Administration" />
      <xsd:enumeration value="ConfigurationManagement.Application" />
      <xsd:enumeration value="ConfigurationManagement.Infrastructure" />
      <xsd:enumeration value="IntegerOverflow" />
      <xsd:enumeration value="DataProtection" />
      <xsd:enumeration value="DataProtection.Storage" />
      <xsd:enumeration value="DataProtection.Transport" />
      <xsd:enumeration value="InputValidation" />
      <xsd:enumeration value="InputValidation.User" />
      <xsd:enumeration value="InputValidation.Network" />
      <xsd:enumeration value="InputValidation.File" />
      <xsd:enumeration value="Concurrency" />
      <xsd:enumeration value="AppDOS" />
      <xsd:enumeration value="AppDOS.Flood" />
      <xsd:enumeration value="AppDOS.Lockout" />
      <xsd:enumeration value="BufferOverflow.Heap" />
      <xsd:enumeration value="BufferOverflow.Stack" />
      <xsd:enumeration value="BufferOverflow.Format" />
      <xsd:enumeration value="Injection" />
      <xsd:enumeration value="Injection.OS" />
      <xsd:enumeration value="Injection.SQL" />
      <xsd:enumeration value="Injection.HTML" />
      <xsd:enumeration value="Injection.OSCommand" />
      <xsd:enumeration value="Injection.LDAP" />
      <xsd:enumeration value="Injection.XSS" />
      <xsd:enumeration value="ErrorHandling" />
      <xsd:enumeration value="Monitoring" />
      <xsd:enumeration value="Monitoring.Logging" />
      <xsd:enumeration value="Monitoring.Detection" />
      <xsd:enumeration value="Cryptography" />
      <xsd:enumeration value="Cryptography.Algorithm" />
      <xsd:enumeration value="Cryptography.KeyManagement" />
      <xsd:enumeration value="Authentication" />
      <xsd:enumeration value="Authentication.User" />
      <xsd:enumeration value="Authentication.UserManagement" />
      <xsd:enumeration value="Authentication.Entity" />
      <xsd:enumeration value="Authentication.SessionManagement" />
    </xsd:restriction>
  </xsd:simpleType>
  <xsd:simpleType name="appType">
    <xsd:restriction base="xsd:string">
      <xsd:enumeration value="client-server" />
      <xsd:enumeration value="web service" />
      <xsd:enumeration value="standalone" />
      <xsd:enumeration value="p2p" />
      <xsd:enumeration value="web application" />
      <xsd:enumeration value="server" />
      <xsd:enumeration value="client" />
      <xsd:enumeration value="mainframe" />
    </xsd:restriction>
  </xsd:simpleType>
  <xsd:simpleType name="rootCauseType">
    <xsd:restriction base="xsd:string">
      <xsd:enumeration value="software defect" />
      <xsd:enumeration value="config" />
    </xsd:restriction>
  </xsd:simpleType>
  <xsd:simpleType name="RelatedProcesses">
    <xsd:restriction base="xsd:string">
      <xsd:enumeration value="RequirementsAnalysis" />
      <xsd:enumeration value="DesignAnalysis" />
      <xsd:enumeration value="code" />
      <xsd:enumeration value="SecurityTesting" />
      <xsd:enumeration value="Deployment" />
    </xsd:restriction>
  </xsd:simpleType>
</xsd:schema>

Mark Curphey
Consulting Director
Foundstone, Inc. Strategic Security
949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax
http://www.foundstone.com
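What the categories buy a metrics program, as an added worked example (Python written for this page; it is not code from the thread or from the WAS TC): it parses the vulnList enumeration exactly as posted above (wrapped in a minimal xsd:schema element so it is well-formed on its own), rejects findings whose category is not an enumerated value, rolls counts up the dotted hierarchy so that Injection.SQL also counts toward Injection, and checks the enumeration for sub-categories whose parent value is missing. The findings list and its ids are constructed sample data.

```python
"""Validate findings against the WAS vulnList enumeration and roll counts up
the dotted category hierarchy. Example written for this page, not WAS TC code.
VULNLIST_XSD is the vulnList simpleType as posted in the thread, wrapped in a
minimal xsd:schema element; SAMPLE_FINDINGS and their ids are constructed."""

import xml.etree.ElementTree as ET
from collections import Counter

XS = "{http://www.w3.org/2001/XMLSchema}"  # Clark-notation prefix for xsd:*
VULNLIST_XSD = """<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<xsd:simpleType name="vulnList"><xsd:restriction base="xsd:string">
<xsd:enumeration value="AccessControl" />
<xsd:enumeration value="ConfigurationManagement" />
<xsd:enumeration value="ConfigurationManagement.Administration" />
<xsd:enumeration value="ConfigurationManagement.Application" />
<xsd:enumeration value="ConfigurationManagement.Infrastructure" />
<xsd:enumeration value="IntegerOverflow" />
<xsd:enumeration value="DataProtection" />
<xsd:enumeration value="DataProtection.Storage" />
<xsd:enumeration value="DataProtection.Transport" />
<xsd:enumeration value="InputValidation" />
<xsd:enumeration value="InputValidation.User" />
<xsd:enumeration value="InputValidation.Network" />
<xsd:enumeration value="InputValidation.File" />
<xsd:enumeration value="Concurrency" />
<xsd:enumeration value="AppDOS" />
<xsd:enumeration value="AppDOS.Flood" />
<xsd:enumeration value="AppDOS.Lockout" />
<xsd:enumeration value="BufferOverflow.Heap" />
<xsd:enumeration value="BufferOverflow.Stack" />
<xsd:enumeration value="BufferOverflow.Format" />
<xsd:enumeration value="Injection" />
<xsd:enumeration value="Injection.OS" />
<xsd:enumeration value="Injection.SQL" />
<xsd:enumeration value="Injection.HTML" />
<xsd:enumeration value="Injection.OSCommand" />
<xsd:enumeration value="Injection.LDAP" />
<xsd:enumeration value="Injection.XSS" />
<xsd:enumeration value="ErrorHandling" />
<xsd:enumeration value="Monitoring" />
<xsd:enumeration value="Monitoring.Logging" />
<xsd:enumeration value="Monitoring.Detection" />
<xsd:enumeration value="Cryptography" />
<xsd:enumeration value="Cryptography.Algorithm" />
<xsd:enumeration value="Cryptography.KeyManagement" />
<xsd:enumeration value="Authentication" />
<xsd:enumeration value="Authentication.User" />
<xsd:enumeration value="Authentication.UserManagement" />
<xsd:enumeration value="Authentication.Entity" />
<xsd:enumeration value="Authentication.SessionManagement" />
</xsd:restriction></xsd:simpleType></xsd:schema>"""

SAMPLE_FINDINGS = [  # constructed input; the ids are invented
    {"id": "F-1", "category": "Injection.SQL"},
    {"id": "F-2", "category": "Injection.XSS"},
    {"id": "F-3", "category": "Authentication.SessionManagement"},
    {"id": "F-4", "category": "BufferOverflow.Stack"},
    {"id": "F-5", "category": "Injection.SQL"},
    {"id": "F-6", "category": "Injection.Sql"},  # wrong case: not in vulnList
    {"id": "F-7", "category": "SQLInjection"},   # legacy label: not in vulnList
]


def enumeration_values(xsd_text, type_name):
    """Return the enumeration values of the named xsd:simpleType, in order."""
    for st in ET.fromstring(xsd_text).iter(XS + "simpleType"):
        if st.get("name") == type_name:
            return [e.get("value") for e in st.iter(XS + "enumeration")]
    raise KeyError(type_name)


def validate_findings(findings, allowed):
    """Split findings into (accepted, rejected) by exact, case-sensitive
    membership, which is how xsd:enumeration on xsd:string behaves."""
    allowed_set = set(allowed)
    ok, bad = [], []
    for f in findings:
        (ok if f["category"] in allowed_set else bad).append(f)
    return ok, bad


def rollup(findings):
    """Count at every prefix of the dotted category: 'Injection.SQL' also
    counts toward 'Injection', which is what family-level metrics need."""
    counts = Counter()
    for f in findings:
        parts = f["category"].split(".")
        for i in range(1, len(parts) + 1):
            counts[".".join(parts[:i])] += 1
    return counts


def orphan_subcategories(allowed):
    """Immediate parents implied by dotted values but absent from the list."""
    allowed_set = set(allowed)
    return {v.rsplit(".", 1)[0] for v in allowed
            if "." in v and v.rsplit(".", 1)[0] not in allowed_set}


if __name__ == "__main__":
    allowed = enumeration_values(VULNLIST_XSD, "vulnList")
    ok, bad = validate_findings(SAMPLE_FINDINGS, allowed)
    print("rejected:", [(f["id"], f["category"]) for f in bad])
    print("by family:", {k: v for k, v in rollup(ok).items() if "." not in k})
    print("orphan parents in vulnList:", orphan_subcategories(allowed))
```

Run against the enumeration as posted, orphan_subcategories returns {'BufferOverflow'}: BufferOverflow.Heap, .Stack and .Format have no BufferOverflow parent value, so an unqualified overflow finding has nothing valid to carry and the family total exists only as a derived roll-up. The membership check is exact, so 'Injection.Sql' is rejected, while the pair Injection.OS and Injection.OSCommand both validate; that overlap is something to settle in the thesaurus, not in validation code.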