OASIS Mailing List Archives

Subject: RE: [was] Notes on WAS Face to Face


Mark,

Attached is a (phase I) modification of the schema that we created at the
face to face meeting and also diffs with this baseline:

http://www.oasis-open.org/apps/org/workgroup/was/download.php/6134/oasis-was-version4.xsd

This modification contains mainly new annotations for vulnTypes, also
including the wording/explanation of why it's a collection (see previous
email from Jeff Williams).

Please see:
1) Line 38 - definition of IDs - how do we make them globally unique.
2) Line 308 - vulnList, vulnTypes - first attempt at documenting them, I
think it needs more work, ideally with references to papers to make sure
everyone understands the background behind each type.

I didn't address any of the issues raised in other emails for now.

I also think the suggestion to put this under version control is a good one,
and will make it easier to evolve the schema into the final form.
David, if you decide to do it, you can check this in.


Peter
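Peter's first point above (how to make the IDs globally unique) is tied to the ID annotation in the attached schema, which derives the identifier from an organization label, a date and a per-organization sequence number and gives 2004-03-31-foundstone.com-0001 as a sample. The following is an added example, not code from the thread or from the WAS TC: it builds IDs both in the annotation's date-first layout and in an organization-first layout, and checks each against the constraint the schema itself imposes, because testCaseID is typed xsd:ID, which is an XML NCName and therefore may not start with a digit. The ASCII-only NCName regex, the organization-first layout and the IdRegistry class are assumptions made for the example, not anything the thread agreed on.

```python
"""Added example (not part of the WAS thread or schema): build WAS test-case IDs from
organization label + date + sequence and check them against the xsd:ID (NCName) rule
that the posted schema applies to the testCaseID attribute."""
import re

# Conservative ASCII subset of the XML NCName production (assumption: real NCNames also
# allow many non-ASCII letters, which this ID scheme does not need). An NCName must begin
# with a letter or underscore; '.', '-' and digits are only allowed after that.
NCNAME_ASCII = re.compile(r"^[A-Za-z_][A-Za-z0-9._-]*$")
DATE_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def is_valid_xsd_id(value: str) -> bool:
    """True if value would be accepted for an attribute typed xsd:ID (ASCII subset)."""
    return NCNAME_ASCII.match(value) is not None


def make_id_date_first(org: str, day: str, seq: int) -> str:
    """The layout shown in the schema annotation: YYYY-MM-DD-<org>-<seq>."""
    return f"{day}-{org}-{seq:04d}"


def make_id_org_first(org: str, day: str, seq: int) -> str:
    """Same information with the organization label first, so the value is an NCName
    (assumed alternative layout, not something the thread decided on)."""
    return f"{org}-{day}-{seq:04d}"


class IdRegistry:
    """Hands out the per-organization sequence numbers so that the last component is
    unique within the organization, as the annotation requires (hypothetical helper)."""

    def __init__(self) -> None:
        self._next: dict = {}

    def allocate(self, org: str, day: str) -> str:
        if not DATE_ISO.match(day):
            raise ValueError(f"date must be YYYY-MM-DD, got {day!r}")
        key = (org, day)
        seq = self._next.get(key, 1)
        candidate = make_id_org_first(org, day, seq)
        # The annotation's TODO "define legal characters" bites here: a label such as
        # "Foundstone Inc" (with a space) can never produce a legal xsd:ID.
        if not is_valid_xsd_id(candidate):
            raise ValueError(f"{candidate!r} is not a legal xsd:ID; fix the organization label")
        self._next[key] = seq + 1
        return candidate


if __name__ == "__main__":
    sample = make_id_date_first("foundstone.com", "2004-03-31", 1)
    print(sample, "valid xsd:ID?", is_valid_xsd_id(sample))
    reg = IdRegistry()
    print(reg.allocate("foundstone.com", "2004-03-31"), reg.allocate("foundstone.com", "2004-03-31"))
```

Run stand-alone, the date-first sample is reported as invalid and the registry produces foundstone.com-2004-03-31-0001, -0002 and so on; whichever layout the TC settles on, the check above is the one a validating parser will apply.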




-----Original Message-----
From: Mark Curphey [mailto:mark.curphey@foundstone.com] 
Sent: Monday, March 29, 2004 10:44 AM
To: Peter Michalek
Cc: was@lists.oasis-open.org
Subject: RE: [was] Notes on WAS Face to Face

Peter,

Feel free to clean up what you need to. Some of the older vuln info is
still there and the original info of Attack Types etc from the older
risk ranking model. I think we should take that out. 

Also what do you think about a structure of 

WAS Core.xsd that calls
	WAS Detect
	WAS Protect

This allows for an easier development (less merge conflicts) but would
also allow us to increment sub-elements moving forward without having to
update the entire schema. 

Mark

As a note Symantec will be joining WAS in an active role this week!
	


-----Original Message-----
From: Peter Michalek [mailto:peter@fortifysoftware.com] 
Sent: Monday, March 29, 2004 11:49 AM
To: Mark Curphey
Subject: RE: [was] Notes on WAS Face to Face

Hi Mark,

This is a good summary of vulnTypes that is useful; now we need to clean it
up and publish it as a schema so that it has a more professional look. If
you would be OK with that, we could go ahead with my proposal from
Saturday and clean up and relatively finalize the stuff we came up with
last week. You probably want to do it at your own pace and coordinate
with other things, which is fine. Just let me know when you are ready.

Peter


-----Original Message-----
From: Mark Curphey [mailto:mark.curphey@foundstone.com]
Sent: Sunday, March 28, 2004 6:10 PM
To: was@lists.oasis-open.org
Subject: [was] Notes on WAS Face to Face

As you will know from the notifications I have uploaded the meeting
minutes from last week's face to face and the updated working schema.

It was a great meeting and we are making real progress. I am fairly
confident we can publish the drafts of meta-data and profile as well as
the supporting documents before the end of April.

The supporting documents will be;

OASIS WAS Thesaurus (using VulnTypes) - this is the classification scheme
OASIS WAS Vision Document
OASIS WAS Core Schema Documented

For those who don't read the minutes or look at the schema, I think some
of the important schema is below. This will allow for rich metrics and
measurement programs to be created by using the categories. 


	<xsd:simpleType name="vulnList">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="AccessControl" />
			<xsd:enumeration value="ConfigurationManagement" />
			<xsd:enumeration value="ConfigurationManagement.Administration" />
			<xsd:enumeration value="ConfigurationManagement.Application" />
			<xsd:enumeration value="ConfigurationManagement.Infrastructure" />
			<xsd:enumeration value="IntegerOverflow" />
			<xsd:enumeration value="DataProtection" />
			<xsd:enumeration value="DataProtection.Storage" />
			<xsd:enumeration value="DataProtection.Transport" />
			<xsd:enumeration value="InputValidation" />
			<xsd:enumeration value="InputValidation.User" />
			<xsd:enumeration value="InputValidation.Network" />
			<xsd:enumeration value="InputValidation.File" />
			<xsd:enumeration value="Concurrency" />
			<xsd:enumeration value="AppDOS" />
			<xsd:enumeration value="AppDOS.Flood" />
			<xsd:enumeration value="AppDOS.Lockout" />
			<xsd:enumeration value="BufferOverflow.Heap" />
			<xsd:enumeration value="BufferOverflow.Stack" />
			<xsd:enumeration value="BufferOverflow.Format" />
			<xsd:enumeration value="Injection" />
			<xsd:enumeration value="Injection.OS" />
			<xsd:enumeration value="Injection.SQL" />
			<xsd:enumeration value="Injection.HTML" />
			<xsd:enumeration value="Injection.OSCommand" />
			<xsd:enumeration value="Injection.LDAP" />
			<xsd:enumeration value="Injection.XSS" />
			<xsd:enumeration value="ErrorHandling" />
			<xsd:enumeration value="Monitoring" />
			<xsd:enumeration value="Monitoring.Logging" />
			<xsd:enumeration value="Monitoring.Detection" />
			<xsd:enumeration value="Cryptography" />
			<xsd:enumeration value="Cryptography.Algorithm" />
			<xsd:enumeration value="Cryptography.KeyManagement" />
			<xsd:enumeration value="Authentication" />
			<xsd:enumeration value="Authentication.User" />
			<xsd:enumeration value="Authentication.UserManagement" />
			<xsd:enumeration value="Authentication.Entity" />
			<xsd:enumeration value="Authentication.SessionManagement" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="appType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="client-server" />
			<xsd:enumeration value="web service" />
			<xsd:enumeration value="standalone" />
			<xsd:enumeration value="p2p" />
			<xsd:enumeration value="web application" />
			<xsd:enumeration value="server" />
			<xsd:enumeration value="client" />
			<xsd:enumeration value="mainframe" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="rootCauseType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="software defect" />
			<xsd:enumeration value="config" />
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="RelatedProcesses">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="RequirementsAnalysis" />
			<xsd:enumeration value="DesignAnalysis" />
			<xsd:enumeration value="code" />
			<xsd:enumeration value="SecurityTesting" />
			<xsd:enumeration value="Deployment" />
		</xsd:restriction>
	</xsd:simpleType>
</xsd:schema>

Mark Curphey
Consulting Director
Foundstone, Inc.
Strategic Security

949.297.5600 x2070 Tel
781.738.0857 Cell
949.297.5575 Fax 

http://www.foundstone.com 

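Mark's note says the categories are meant to support metrics and measurement programs, and the vulnList annotation in the attached schema explains that one issue may carry several categories at once. The following is an added example, not code from the thread or from the WAS TC: it parses a constructed catalog of test cases (sample data made up for this example, using the element names and targetNamespace of the posted schema), rejects vuln values that are not in the posted vulnList enumeration, and rolls dotted categories up to their parents so that Injection.SQL also counts toward Injection, with each test case counted at most once per category. The catalog/testCase wrapper elements and the rollup rule are assumptions for the example, not part of the schema.

```python
"""Added example (not from the WAS thread): validate vuln values of WAS-style test cases
against the posted vulnList enumeration and produce per-category counts with rollup."""
import xml.etree.ElementTree as ET
from collections import Counter

WAS_NS = "http://www.oasis.org/was"  # targetNamespace of the posted schema

# The vulnList enumeration exactly as posted in the thread.
VULN_LIST = frozenset("""
AccessControl ConfigurationManagement ConfigurationManagement.Administration
ConfigurationManagement.Application ConfigurationManagement.Infrastructure
IntegerOverflow DataProtection DataProtection.Storage DataProtection.Transport
InputValidation InputValidation.User InputValidation.Network InputValidation.File
Concurrency AppDOS AppDOS.Flood AppDOS.Lockout
BufferOverflow.Heap BufferOverflow.Stack BufferOverflow.Format
Injection Injection.OS Injection.SQL Injection.HTML Injection.OSCommand
Injection.LDAP Injection.XSS ErrorHandling Monitoring Monitoring.Logging
Monitoring.Detection Cryptography Cryptography.Algorithm Cryptography.KeyManagement
Authentication Authentication.User Authentication.UserManagement
Authentication.Entity Authentication.SessionManagement
""".split())

# Constructed sample catalog (made up for this example, not real WAS data). The
# catalog/testCase wrappers are assumed; metaData/ID and profile/vulnTypes/vuln/vuln
# follow the posted schema. The third case deliberately carries a value ("XSS")
# that is not in the enumeration.
SAMPLE_CATALOG = f"""<catalog xmlns="{WAS_NS}">
  <testCase>
    <metaData><ID testCaseID="foundstone.com-2004-03-31-0001"/></metaData>
    <profile><vulnTypes><vuln>
      <vuln>Injection.SQL</vuln><vuln>InputValidation.User</vuln>
    </vuln></vulnTypes></profile>
  </testCase>
  <testCase>
    <metaData><ID testCaseID="foundstone.com-2004-03-31-0002"/></metaData>
    <profile><vulnTypes><vuln>
      <vuln>Injection.SQL</vuln><vuln>Injection.LDAP</vuln>
    </vuln></vulnTypes></profile>
  </testCase>
  <testCase>
    <metaData><ID testCaseID="foundstone.com-2004-03-31-0003"/></metaData>
    <profile><vulnTypes><vuln>
      <vuln>BufferOverflow.Stack</vuln><vuln>XSS</vuln>
    </vuln></vulnTypes></profile>
  </testCase>
</catalog>"""


def expand(category: str) -> list:
    """'Injection.SQL' -> ['Injection', 'Injection.SQL']: every dotted prefix gets credit."""
    parts = category.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]


def categorize(xml_text: str):
    """Return (Counter of test cases per category, {testCaseID: [unknown values]}).

    A test case is counted once per category however many of its values roll up
    to it, so two Injection.* values still add 1 to Injection."""
    root = ET.fromstring(xml_text)
    ns = {"was": WAS_NS}
    counts, unknown = Counter(), {}
    for tc in root.findall("was:testCase", ns):
        tc_id = tc.find("was:metaData/was:ID", ns).get("testCaseID")
        values = [v.text.strip() for v in tc.findall(".//was:vulnTypes/was:vuln/was:vuln", ns)]
        bad = [v for v in values if v not in VULN_LIST]
        if bad:
            unknown[tc_id] = bad
        cats = set()
        for v in values:
            if v in VULN_LIST:
                cats.update(expand(v))
        counts.update(cats)
    return counts, unknown


if __name__ == "__main__":
    counts, unknown = categorize(SAMPLE_CATALOG)
    for cat, n in sorted(counts.items()):
        print(f"{n:3d}  {cat}")
    print("values outside vulnList:", unknown)
```

One thing the rollup exposes: it produces a BufferOverflow bucket even though the posted enumeration only has BufferOverflow.Heap, .Stack and .Format, so whether derived parents are real categories is a thesaurus decision; the checker therefore validates the leaf values an author wrote but not the parents it derives.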
<?xml version="1.0" encoding="UTF-8"?>
<!-- edited with XMLSPY v2004 rel. 2 U (http://www.xmlspy.com) by Mark Curphey (OWASP) -->
<xsd:schema targetNamespace="http://www.oasis.org/was" xmlns="http://www.oasis.org/was" xmlns:xsd="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0" id="WAS">
	<!--Copyright © OASIS Open (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it 
or assist in its implementation may be prepared, copied, published 
and distributed, in whole or in part, without restriction of any kind, 
provided that the above copyright notice and this paragraph are 
included on all such copies and derivative works. However, this 
document itself may not be modified in any way, such as by removing 
the copyright notice or references to OASIS, except as needed for the 
purpose of developing OASIS specifications, in which case the 
procedures for copyrights defined in the OASIS Intellectual Property 
Rights document must be followed, or as required to translate it into 
languages other than English. 

The limited permissions granted above are perpetual and will not be 
revoked by OASIS or its successors or assigns. 

This document and the information contained herein is provided on 
an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR 
IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE 
USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR 
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A 
PARTICULAR PURPOSE.-->
	<xsd:annotation>
		<xsd:appinfo>
			A WAS Test Case consists of 3 core elements. Meta-Data is used to manage the test cases themselves, Profile is used to describe the context of the test case and Test is the element that contains the test case.
		</xsd:appinfo>
	</xsd:annotation>
	<xsd:complexType name="metaData">
		<xsd:complexContent>
			<xsd:restriction base="xsd:anyType">
				<xsd:sequence>
					<xsd:element name="ID" type="ID">
						<xsd:annotation>
							<xsd:appinfo>The ID element provides a mechanism to declare uniquely identifiable attributes for cataloging and referencing. 
							The provider, author and vendor IDs allow cross referencing and trust models to be developed based on the source of the test case. 
							Note: Need to define the XML:DigSig for these attributes and provide for a mechanism to sign an entire file (i.e. provide authenticity and integrity of the file outside of transport security).
							
					The ID Element should be derived from the following pieces of information:
						1.  Organization Label / Name - ex: Foundstone; in the case of a large organization it is their responsibility to 
						maintain organization level uniqueness.  ... TODO:  Define legal characters.
						2.  Current date - YYYY-MM-DD TODO:
						
						Thus a sample ID is: 2004-03-31-foundstone.com-0001
						The id part after the company name should be unique within the company (i.e. the last part of the id namespace needs to be
						managed by the company).
							</xsd:appinfo>
						</xsd:annotation>
					</xsd:element>
					<xsd:element name="provider" type="provider" minOccurs="0">
						<xsd:annotation>
							<xsd:appinfo>The provider element provides a mechanism to reference the original provider of the signature. This maybe a trusted source of signatures or a commercial security intelligence provider or an internal source. This allows fast indexing of entries based on the provider without having to check signatures.
					</xsd:appinfo>
						</xsd:annotation>
					</xsd:element>
					<xsd:element name="restrictions" type="restrictions">
						<xsd:annotation>
							<xsd:appinfo>The restrictions element provides a mechanism to reference any usage restrictions on the test case itself. These may include copyright, licensing or potentially things like export restrictions where a test case contains cryptographic information.
					</xsd:appinfo>
						</xsd:annotation>
					</xsd:element>
					<xsd:element name="history">
						<xsd:complexType>
							<xsd:sequence>
								<xsd:element name="version" type="version" maxOccurs="unbounded">
									<xsd:annotation>
										<xsd:appinfo>The date element provides a mechanism to declare time and historical related data. An example use case maybe, show me all of the issues within the last 3 months.
										</xsd:appinfo>
									</xsd:annotation>
								</xsd:element>
							</xsd:sequence>
						</xsd:complexType>
					</xsd:element>
				</xsd:sequence>
			</xsd:restriction>
		</xsd:complexContent>
	</xsd:complexType>
	<xsd:complexType name="profile">
		<xsd:sequence>
			<xsd:element name="vulnTypes" type="vulnTypes">
				<xsd:annotation>
					<xsd:appinfo/>
				</xsd:annotation>
			</xsd:element>
			<xsd:element name="riskRanking" type="riskRanking">
				<xsd:annotation>
					<xsd:appinfo>The riskRanking element carries the threat and impact ratings for the issue; each is a single letter a-d (see the threat and impact simple types below). What each letter means is defined by the risk ranking model, not by this schema.
					</xsd:appinfo>
				</xsd:annotation>
			</xsd:element>
			<xsd:element name="references" type="references">
				<xsd:annotation>
					<xsd:appinfo/>
				</xsd:annotation>
			</xsd:element>
			<xsd:element name="locationOfIssue" type="locationOfIssue"/>
			<xsd:element name="title" type="xsd:string"/>
			<xsd:element name="abstract" type="xsd:string"/>
			<xsd:element name="description" type="xsd:string"/>
			<xsd:element name="rootCause">
				<xsd:complexType>
					<xsd:sequence>
						<xsd:element name="cause" type="rootCauseType"/>
					</xsd:sequence>
				</xsd:complexType>
			</xsd:element>
			<xsd:element name="RelatedProcesses">
				<xsd:complexType>
					<xsd:sequence>
						<xsd:element name="relatedProcess" type="RelatedProcesses"/>
					</xsd:sequence>
				</xsd:complexType>
			</xsd:element>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="ID">
		<!-- xsd:ID is derived from xsd:NCName, so a testCaseID may not begin with a digit: the
		     date-first sample in the metaData/ID annotation (2004-03-31-foundstone.com-0001) would be
		     rejected by a validating parser. Either lead with the organization label or change the
		     attribute type to an xsd:string restricted by a pattern. -->
		<xsd:attribute name="testCaseID" type="xsd:ID" use="required">
			<xsd:annotation>
				<xsd:appinfo>This element provides a uniquely identifiable key. This would be used as a fast and efficient way for two technologies sharing the same test case database to exchange information, i.e. use xsd:was:ID:uid:007
					</xsd:appinfo>
			</xsd:annotation>
		</xsd:attribute>
	</xsd:complexType>
	<xsd:complexType name="version">
		<xsd:sequence>
			<xsd:element name="versionNumber" type="xsd:decimal"/>
			<xsd:element name="releaseDate" type="xsd:dateTime"/>
			<xsd:element name="changeDesc" type="xsd:string"/>
			<xsd:element name="author" type="author"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="author">
		<xsd:sequence>
			<xsd:element name="name" type="xsd:string"/>
			<xsd:element name="email" type="xsd:anyURI"/>
			<xsd:element name="company" type="xsd:string"/>
			<xsd:element name="address" type="xsd:string"/>
			<xsd:element name="uri" type="xsd:string"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="provider">
		<xsd:sequence>
			<xsd:element name="email" type="xsd:string"/>
			<xsd:element name="company" type="xsd:string"/>
			<xsd:element name="address" type="xsd:string"/>
			<xsd:element name="uri" type="xsd:string"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="restrictions">
		<xsd:sequence>
			<xsd:element name="license" type="license"/>
			<xsd:element name="copyright" type="copyright" minOccurs="0"/>
			<xsd:element name="restrictionsUpdateURI" type="xsd:string" minOccurs="0"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="riskRanking">
		<xsd:sequence>
			<xsd:element name="threat" type="threat"/>
			<xsd:element name="impact" type="impact"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:simpleType name="threat">
		<xsd:restriction base="xsd:string">
			<xsd:pattern value="[a-d]"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="impact">
		<xsd:restriction base="xsd:string">
			<xsd:pattern value="[a-d]"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:complexType name="vulnTypes">
		<xsd:sequence>
			<xsd:element name="vuln">
				<xsd:complexType>
					<xsd:sequence>
						<!-- maxOccurs="unbounded" is what lets one issue carry several vulnList categories,
						     as the vulnList annotation below describes. -->
						<xsd:element name="vuln" type="vulnList" maxOccurs="unbounded"/>
					</xsd:sequence>
				</xsd:complexType>
			</xsd:element>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:simpleType name="attackSurfaceType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="system boundary"/>
			<xsd:enumeration value="component boundary"/>
			<xsd:enumeration value="source code"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="targetType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="application component"/>
			<xsd:enumeration value="infrastructure component"/>
			<xsd:enumeration value="end user"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="conditionType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="authenticated"/>
			<xsd:enumeration value="privilege"/>
			<xsd:enumeration value="port"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="consequenceType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="denial of service"/>
			<xsd:enumeration value="privilege elevation"/>
			<xsd:enumeration value="transfer of trust"/>
			<xsd:enumeration value="identity impersonation"/>
			<xsd:enumeration value="data disclosure"/>
			<xsd:enumeration value="security requirements violation"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:complexType name="license">
		<xsd:sequence>
			<xsd:element name="licenseType" type="xsd:string"/>
			<xsd:element name="licenseText" type="xsd:string"/>
			<xsd:element name="licenseVersion" type="xsd:decimal"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="descriptions">
		<xsd:sequence>
			<xsd:element name="abstract" type="xsd:string"/>
			<xsd:element name="longDescription" type="xsd:string"/>
			<xsd:element name="title" type="xsd:string"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="references">
		<xsd:sequence>
			<xsd:element name="vulnDatabase" type="vulnDatabase"/>
			<xsd:element name="whitePaper" type="furtherReading"/>
			<!-- No "article" type is defined in this schema; furtherReading (title/author/format/date/location)
			     is reused here so that the schema loads. -->
			<xsd:element name="article" type="furtherReading"/>
			<xsd:element name="newsExample" type="newsExample"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="vulnDatabase">
		<xsd:sequence>
			<xsd:element name="name" type="xsd:string"/>
			<xsd:element name="location" type="xsd:anyURI"/>
			<xsd:element name="itemIdentifier" type="xsd:string"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="furtherReading">
		<xsd:sequence>
			<xsd:element name="title" type="xsd:string"/>
			<xsd:element name="author" type="xsd:string"/>
			<!-- MIME type of the document, e.g. application/pdf; there is no built-in xsd:mimetype type. -->
			<xsd:element name="format" type="xsd:string"/>
			<xsd:element name="date" type="xsd:date"/>
			<xsd:element name="location" type="xsd:anyURI"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="newsExample">
		<xsd:sequence>
			<xsd:element name="title" type="xsd:string"/>
			<xsd:element name="publication" type="xsd:string"/>
			<xsd:element name="date" type="xsd:date"/>
			<xsd:element name="location" type="xsd:anyURI"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="copyright">
		<xsd:sequence>
			<xsd:element name="copyrightHolder" type="xsd:string"/>
			<xsd:element name="copyrightNotice" type="xsd:string"/>
			<xsd:element name="copyrightDate" type="xsd:date"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="locationOfIssue">
		<xsd:sequence>
			<xsd:element name="version" type="xsd:string"/>
			<xsd:element name="os" type="xsd:string"/>
			<xsd:element name="arch" type="xsd:string"/>
			<xsd:element name="vm" type="xsd:string"/>
			<xsd:element name="lang" type="xsd:string"/>
			<xsd:element name="pointer">
				<xsd:complexType>
					<xsd:sequence>
						<xsd:element name="line" type="xsd:int"/>
						<xsd:element name="URI" type="xsd:string"/>
						<xsd:element name="stackTrace" type="xsd:string"/>
						<xsd:element name="filePath" type="xsd:string"/>
						<xsd:element name="module" type="xsd:string"/>
					</xsd:sequence>
				</xsd:complexType>
			</xsd:element>
			<xsd:element name="application">
				<xsd:complexType>
					<xsd:sequence>
						<xsd:element name="type" type="appType"/>
					</xsd:sequence>
				</xsd:complexType>
			</xsd:element>
			<xsd:element name="vendor" type="vendor"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:complexType name="vendor">
		<xsd:sequence>
			<xsd:element name="name" type="xsd:string"/>
			<xsd:element name="homepage" type="xsd:anyURI"/>
			<xsd:element name="contactEmail" type="xsd:string"/>
		</xsd:sequence>
	</xsd:complexType>
	<xsd:simpleType name="vulnList">
		<xsd:annotation>
			<xsd:appinfo>
			vulnList provides a way to assign multiple vulnerability categories to a single instance of a vulnerability.
			By allowing multiple categories to be assigned to a single application security issue, we avoid many of the hierarchy/taxonomy/classification
			problems that have plagued this type of effort in the past.
			</xsd:appinfo>
		</xsd:annotation>
		<xsd:restriction base="xsd:string">
			<xsd:annotation>
				<xsd:appinfo>
				AccessControl denotes access control related issues.
				
				ConfigurationManagement denotes configuration management related issues.
				ConfigurationManagement.Administration - issues related to administration of the server application.
				ConfigurationManagement.Application - issues related to application level misconfiguration.
				ConfigurationManagement.Infrastructure - issues related to the infrastructure the application depends on.
				
				Note: IntegerOverflow should not be mistaken for BufferOverflow, which deals with problems related to overwriting memory areas.
				DataProtection issues have to do with proper protection of data, such as log files (e.g. DataProtection.Storage - confidential data that is not encrypted), or
				unencrypted transport (DataProtection.Transport).
				Concurrency is also known as a TOCTOU (time-of-check-time-of-use) vulnerability.
				AppDOS denotes an application level (as opposed to network level) Denial of Service vulnerability. AppDOS.Flood is a subcategory related to flooding the server resources so that 
				serving valid customers is limited.
				AppDOS.Lockout refers to the situation where the server effectively locks out the accounts of valid users because of the attacker's selection of
				those user names for the attack.
				Injection denotes a broad category of vulnerabilities that are caused by injecting invalid extraneous data into the arguments of external 
				interfaces of the application (e.g. into the HTTP data stream of Web Applications).
				Injection.OS - ??
				Injection.SQL - SQL injection.
				ErrorHandling denotes issues related to error handling.
				The Cryptography categories denote vulnerabilities related to incorrect use of cryptography.
				
				</xsd:appinfo>
			</xsd:annotation>
			<xsd:enumeration value="AccessControl"/>
			<xsd:enumeration value="ConfigurationManagement"/>
			<xsd:enumeration value="ConfigurationManagement.Administration"/>
			<xsd:enumeration value="ConfigurationManagement.Application"/>
			<xsd:enumeration value="ConfigurationManagement.Infrastructure"/>
			<xsd:enumeration value="IntegerOverflow"/>
			<xsd:enumeration value="DataProtection"/>
			<xsd:enumeration value="DataProtection.Storage"/>
			<xsd:enumeration value="DataProtection.Transport"/>
			<xsd:enumeration value="InputValidation"/>
			<xsd:enumeration value="InputValidation.User"/>
			<xsd:enumeration value="InputValidation.Network"/>
			<xsd:enumeration value="InputValidation.File"/>
			<xsd:enumeration value="Concurrency"/>
			<xsd:enumeration value="AppDOS"/>
			<xsd:enumeration value="AppDOS.Flood"/>
			<xsd:enumeration value="AppDOS.Lockout"/>
			<xsd:enumeration value="BufferOverflow.Heap"/>
			<xsd:enumeration value="BufferOverflow.Stack"/>
			<xsd:enumeration value="BufferOverflow.Format"/>
			<xsd:enumeration value="Injection"/>
			<xsd:enumeration value="Injection.OS"/>
			<xsd:enumeration value="Injection.SQL"/>
			<xsd:enumeration value="Injection.HTML"/>
			<xsd:enumeration value="Injection.OSCommand"/>
			<xsd:enumeration value="Injection.LDAP"/>
			<xsd:enumeration value="Injection.XSS"/>
			<xsd:enumeration value="ErrorHandling"/>
			<xsd:enumeration value="Monitoring"/>
			<xsd:enumeration value="Monitoring.Logging"/>
			<xsd:enumeration value="Monitoring.Detection"/>
			<xsd:enumeration value="Cryptography"/>
			<xsd:enumeration value="Cryptography.Algorithm"/>
			<xsd:enumeration value="Cryptography.KeyManagement"/>
			<xsd:enumeration value="Authentication"/>
			<xsd:enumeration value="Authentication.User"/>
			<xsd:enumeration value="Authentication.UserManagement"/>
			<xsd:enumeration value="Authentication.Entity"/>
			<xsd:enumeration value="Authentication.SessionManagement"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="appType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="client-server"/>
			<xsd:enumeration value="web service"/>
			<xsd:enumeration value="standalone"/>
			<xsd:enumeration value="p2p"/>
			<xsd:enumeration value="web application"/>
			<xsd:enumeration value="server"/>
			<xsd:enumeration value="client"/>
			<xsd:enumeration value="mainframe"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="rootCauseType">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="software defect"/>
			<xsd:enumeration value="config"/>
		</xsd:restriction>
	</xsd:simpleType>
	<xsd:simpleType name="RelatedProcesses">
		<xsd:restriction base="xsd:string">
			<xsd:enumeration value="RequirementsAnalysis"/>
			<xsd:enumeration value="DesignAnalysis"/>
			<xsd:enumeration value="code"/>
			<xsd:enumeration value="SecurityTesting"/>
			<xsd:enumeration value="Deployment"/>
		</xsd:restriction>
	</xsd:simpleType>
</xsd:schema>
3c3,5
< <xsd:schema targetNamespace="http://www.oasis.org/was"; xmlns="http://www.oasis.org/was"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0" id="WAS">
---
> <xsd:schema targetNamespace="http://www.oasis.org/was"; xmlns:xsd="http://www.w3.org/2001/XMLSchema";
> 	xmlns="http://www.oasis.org/was"; elementFormDefault="qualified" attributeFormDefault="unqualified"
> 	version="1.0" id="WAS">
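Review bot: both sides of this hunk, as shown, carry a stray `;` after each quoted namespace URI (`targetNamespace="http://www.oasis.org/was";`), which makes the schema element malformed XML; since the `<` side only reflows the attributes, this is the place to drop the three semicolons. Also note the direction of the diff: the `<` lines match the attached schema (the new file) and the `>` lines the oasis-was-version4 baseline, so it was taken new-to-old rather than the usual `diff baseline new`, and the `d` hunks further down are in fact additions to the new file.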
38,41c40
< 							<xsd:appinfo>The ID element provides a mechanism to declare uniquely identifiable attributes for cataloging and referencing. 
< 							The provider, author and vendor IDs allow cross referencing and trust models to be developed based on the source of the test case. 
< 							Note: Need to define the XML:DigSig for these attributes and provide for a mecahism to sign an entire file (ie provide authenticity and integrity of the file outside of transport security).
< 							
---
> 							<xsd:appinfo>The ID element provides a mechansim to declare uniquely identifiable attributes for cataloging and referencing. The provider, author and vendor IDs allow cross referencing ands trust models to be developed based on the source of the test case. Note: Need to define the XML:DigSig for these attributes and provide for a mecahism to sign an entire file (ie provide authenticity and integrity of the file outside of transport security).
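Review bot: the `<` side fixes "mechansim" and "ands" but the third line of the hunk still reads "mecahism", and "ie" should be "i.e."; worth catching while the text is being re-wrapped, since appinfo text is what ends up in the generated schema documentation.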
46,49d44
< 						
< 						Thus a sample ID is: 2004-03-31-foundstone.com-0001
< 						The id part after the company name should be unique within the company (i.e. last part of id namespace needs to be
< 						managed by the company.
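Review bot: the sample ID added here, `2004-03-31-foundstone.com-0001`, cannot be stored in the `testCaseID` attribute it documents: that attribute is typed `xsd:ID`, which is an NCName, and an NCName may not begin with a digit. Either put the organization label first (`foundstone.com-2004-03-31-0001`) or retype the attribute as an `xsd:string` with a pattern facet, and say which in the annotation, since this is the "how do we make them globally unique" item from the covering mail. The last sentence also opens a parenthesis ("(i.e. last part of id namespace") that is never closed.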
85c80
< 					<xsd:appinfo/>
---
> 					<xsd:appinfo></xsd:appinfo>
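Review bot: `<xsd:appinfo/>` versus `<xsd:appinfo></xsd:appinfo>` is a serializer difference, not a content change, and this hunk (like 96c91, 99c94 and 295c290 below) would not exist if both files had been saved by the same tool; once the schema is under version control, agree on one serialization or noise like this will bury real changes. More to the point, this appinfo belongs to the `vulnTypes` element of `profile` and is still empty on both sides, while the documentation went into the `vulnList` simple type further down; a one-line pointer here would help a reader who starts from `profile`.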
96c91
< 					<xsd:appinfo/>
---
> 					<xsd:appinfo></xsd:appinfo>
99c94
< 			<xsd:element name="locationOfIssue" type="locationOfIssue"/>
---
> 			<xsd:element name="locationOfIssue" type="locationOfIssue"></xsd:element>
219c214
< 			<xsd:element name="licenseType" type="xsd:string"/>
---
> 			<xsd:element name="licenseType" type="licenseType" />
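Review bot: the `<` side replaces `type="licenseType"` with `xsd:string`; no `licenseType` definition appears anywhere in the attached schema, so the baseline reference was dangling and this change is needed for the schema to load, but if an enumeration of license kinds was intended it is now silently gone. Record that as a TODO in the `license` complexType rather than losing it.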
295c290
< 			<xsd:element name="vendor" type="vendor"/>
---
> 			<xsd:element name="vendor" type="vendor"></xsd:element>
306,312d300
< 		<xsd:annotation>
< 			<xsd:appinfo>
< 			vulnList provides a way to assign multiple vulnerability categories to a single instance of vulnerability.
< 			By allowing multiple categories to be assigned to a single application secuirty issue, we avoid many of the hierarchy/taxonomy/classification
< 			problems that have plagued this type of effort in the past.
< 			</xsd:appinfo>
< 		</xsd:annotation>
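Review bot: the annotation says several `vulnList` categories can be assigned to one issue, but the `vulnTypes` complexType in the attached schema allows exactly one inner `vuln` element (no `maxOccurs="unbounded"`), so an instance can carry only one category and the stated rationale does not hold; add `maxOccurs="unbounded"` and consider dropping the redundant nesting of `vuln` inside `vuln`. Typo: "secuirty".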
314,339d301
< 			<xsd:annotation>
< 				<xsd:appinfo>
< 				AccessControl denotes access control related issues.
< 				
< 				ConfigurationManagement denotes access control related issues.
< 				ConfigurationManagement.Administration - issues related to administration of the server application.
< 				ConfigurationManagement.Application - issues related to application level misconfiguration.
< 				ConfigurationManagement.Infrastructure - application related infrastructure.
< 				
< 				Note: IntegerOverflow should not to be mistaken with BufferOverflow which deals with problems related to overwriting memory areas.
< 				DataProtection issues have to do with proper protection of data, such as log files (e.g. -  DataProtection.Storage confidential data that is not encrypted ), or
< 				unencrypted transport (DataProtection.Transport)
< 				Concurrency is also known as TOCTOU (time-of-check-time-of-use) vulnerability.
< 				AppDOS denotes Application Level (as opposed to network level) of Denial of Services vulnerability. AppDOS.Flood is a subcategory related to flooding the server resources so that 
< 				serving valid customers is limited.
< 				AppDOS.Lockout refers to the situation where the server is effectively locks out accounts of valid users because of attacker's selection of
< 				those user names for the attack.
< 				Injection denotes a broad category of vulnerabilities that are caused by injecting invalid extranious data into the arguments of external 
< 				interfaces of the applications (e.g. into HTTP datastream of Web Applications).
< 				Injection.OS - ??
< 				Injection.SQL SQL injection
< 				ErrorHandling denotes issues related to error handling.
< 				Cryptography categories denotes vulnerabilities related to incorrect use of cryptography.
< 				
< 				</xsd:appinfo>
< 			</xsd:annotation>
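Review bot: the ConfigurationManagement entry is a copy-paste of the AccessControl line ("denotes access control related issues") and should describe configuration issues; `Injection.OS` is left as "??" while `Injection.OSCommand` also exists, so one of the two is probably redundant; and there are no entries at all for InputValidation.*, BufferOverflow.*, Injection.HTML/LDAP/XSS, Monitoring.* or Authentication.*, which the covering mail already flags as needing references. Smaller fixes: "should not to be mistaken" should read "should not be mistaken", "Denial of Services" should read "Denial of Service", "is effectively locks out" should read "effectively locks out", and "extranious" should read "extraneous".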

