[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [was] Notes on WAS Face to Face
Jeff, thanks for detail annotation notes, I incorporated them into the document and as you suggested, deleted this: <xsd:enumeration value="Injection.OS"/> FIXME: THIS IS A DUPLICATE of Injection.OSCommand and should be deleted. I also added BufferOverflow "super-category" that was missing. I didn't some minor changes in your wording of some, e.g. IntegerOverflow Modified .xsd and diff to the previous version are attached. Peter -----Original Message----- From: Jeff Williams [mailto:jeff.williams@aspectsecurity.com] Sent: Wednesday, March 31, 2004 8:49 PM To: Peter Michalek; 'Mark Curphey'; 'David Raphael' Cc: was@lists.oasis-open.org Subject: Re: [was] Notes on WAS Face to Face Here are some updated definitions. I'm not sure the syntax for annotations -- is it right to just have one big block for the whole list? Or should there be a separate annotation for each item in the list? ------------- <xsd:enumeration value="AccessControl"/> Used for problems that allow users to access assets or functions they are not authorized for. Frequently, there is no access control mechanism where there should be. A proper access control mechanism should enforce the principles of a reference monitor: non-bypassable, tamperproof, and analyzable. <xsd:enumeration value="ConfigurationManagement"/> Used to describe problems in the configuration of an application or application environment. <xsd:enumeration value="ConfigurationManagement.Administration"/> Used for problems in the application's mechanisms that enable remote administration, such as user management, credential management, database management, and other configuration options. <xsd:enumeration value="ConfigurationManagement.Application"/> Used to describe problems in the application's configuration, such as misconfigured security mechanisms, default programs, unused code, and unnecessarily enabled features. <xsd:enumeration value="ConfigurationManagement.Infrastructure"/> Used for problems with the configuration of the application's infrastructure, such as the web and application servers, filters, and external security mechanisms. <xsd:enumeration value="IntegerOverflow"/> Used for problems resulting from attempts to put a large number into a variable too small to hold it. This can occur when parsing problems occur or mathematical functions are misused. These errors are particularly dangerous when the overflowed variable is used to allocate memory. <xsd:enumeration value="DataProtection"/> Used for issues related to inappropriate disclosure of data. <xsd:enumeration value="DataProtection.Storage"/> Used for problems storing data securely, including storage of credentials, keys, and other sensitive information. Mistakes related to cryptographic mechanisms are examples, including poor sources of randomness, bad choice of algorithm, and poor implementation. <xsd:enumeration value="DataProtection.Transport"/> Used for problems related to secure transfer of information. Frequently, this will refer to problems with SSL or TLS configuration, but could include other protocols with security features. <xsd:enumeration value="InputValidation"/> Used for issues related to failure to validate untrusted input before it is relied on by an application. <xsd:enumeration value="InputValidation.User"/> Used for input validation problems where the input comes from a human user, such as HTTP request parameters, command line input, or input events from an application's GUI. <xsd:enumeration value="InputValidation.Network"/> Used for input validation problems where the input comes from a network protocol, such as HTTP headers, sequence numbers, or other protocol fields. <xsd:enumeration value="InputValidation.File"/> Used for input validation problems where the input comes from a file, such as a properties file, batch data file, flat-file databases, or other file based data. <xsd:enumeration value="Concurrency"/> Used for errors in multithreaded environments that allow data to be shared or corrupted. Examples include variables that are shared between threads and cause time-of-check-time-of-use (TOCTOU) problems, broken singleton patterns, and poor cache design. <xsd:enumeration value="AppDOS"/> Used for flaws that would allow an attacker to completely or partially prevent users from using an application properly. <xsd:enumeration value="AppDOS.Flood"/> Used for application denial of service problems that involve saturating some limited resource shared by all users of the application, such as disk space, CPU, network bandwidth, database connections, or memory. <xsd:enumeration value="AppDOS.Lockout"/> Used for application denial of service problems that involve using up some resource that is allocated to a user of the application, such as failed logon attempts, minutes, messages, or transactions. <xsd:enumeration value="BufferOverflow.Heap"/> Used for flaws that allow an attacker to overflow memory that is dynamically allocated by the application. <xsd:enumeration value="BufferOverflow.Stack"/> Used for flaws that allow an attacker to write data into the stack, causing the program to crash or transfer control. <xsd:enumeration value="BufferOverflow.Format"/> Used for flaws that allow an attacker to use format strings to overwrite locations in memory, allowing data to be changed, program control to be altered, or the program to crash. <xsd:enumeration value="Injection"/> Used for problems that allow an attacker to bury commands into data and have them interpreted by some system that the data reaches. <xsd:enumeration value="Injection.OS"/> FIXME: THIS IS A DUPLICATE of Injection.OSCommand and should be deleted. <xsd:enumeration value="Injection.SQL"/> Used for flaws that allow an attacker to inject special characters and commands into a SQL database and modify the intended query. The attack might attempt to change the meaning of the query, or might attempt to chain additional commands. <xsd:enumeration value="Injection.HTML"/> Used for flaws that allow an attacker to inject HTML into an application and modify the appearance of HTML generated by that application. For example, an attacker might inject an unwanted IMG tag into a guest book, and offend other users. <xsd:enumeration value="Injection.OSCommand"/> Used for flaws that allow an attacker to inject special characters and commands into the operating system command shell and modify the intended command. The attack might attempt to modify how a program is invoked, or might attempt to chain additional commands. <xsd:enumeration value="Injection.LDAP"/> Used for flaws that allow an attacker to inject special characters and search terms into an LDAP server and modify the intended query. <xsd:enumeration value="Injection.XSS"/> Used for flaws that allow an attacker to send malicious scripts through a web application and have them execute on victims' browsers. Stored XSS attacks involve storing the script in the web application for users to find. Reflected XSS attacks are bounced off a web application in real time and require a user to be tricked into sending the request containing the attack. <xsd:enumeration value="ErrorHandling"/> Used for problems in handling errors, including printing stack traces to the screen, fail open security mechanisms, allowing errors to affect the operation of the entire application, and revealing too much information about a failure. <xsd:enumeration value="Monitoring"/> Used for issues related to monitoring the security posture of a web application. <xsd:enumeration value="Monitoring.Logging"/> Used for issues concerning the proper logging of events, including what should be logged, how it should be logged, how logs should be reviewed, and other issues related to accountability. <xsd:enumeration value="Monitoring.Detection"/> Used for issues related to the detection of attacks on an application, how attacks should be handled, what information should be gathered, and who should be notified. <xsd:enumeration value="Cryptography"/> Used for problems related to encryption, decryption, signing, and verification. <xsd:enumeration value="Cryptography.Algorithm"/> Used for cryptographic algorithm selection, implementation, and analysis problems. <xsd:enumeration value="Cryptography.KeyManagement"/> Used for issues with certificate storage, tokens, revocation, certificates, key stores, issuing keys, and other key issues ;-) <xsd:enumeration value="Authentication"/> Used for problems related to determining the identity of individuals and authenticating that identity. <xsd:enumeration value="Authentication.User"/> Used for issues related to identification and authentication of people who are intended to use an application. Problems with usernames, passwords, tokens, smartcards, biometrics, and other credentials are examples. <xsd:enumeration value="Authentication.UserManagement"/> Used for problems related to managing a set of users, especially the security relevant information such as roles, privileges, authorizations, groups, social security numbers, credit card numbers, and other sensitive information. Also problems with creating new users, registration, granting rights, and terminating access. <xsd:enumeration value="Authentication.Entity"/> Used for problems with authenticating automated systems, such as web services, databases, directories, and others. Examples include secure credential storage, securing transport, changing credentials, and terminating access. <xsd:enumeration value="Authentication.SessionManagement"/> Used for problems with issuing, using, protecting, changing, and terminating session identifiers of all kinds. Session identifiers stand in the place of authentication credentials yet are freqently not protected as carefully. --Jeff ----- Original Message ----- From: Peter Michalek To: 'Mark Curphey' ; 'David Raphael' Cc: was@lists.oasis-open.org Sent: Wednesday, March 31, 2004 8:56 PM Subject: RE: [was] Notes on WAS Face to Face Mark, Attached is a (phase I) modification of the schema that we created at the face to face meeting and also diffs with this baseline: http://www.oasis-open.org/apps/org/workgroup/was/download.php/6134/oasis-was -version4.xsd This modification contains mainly new annotations for vulnTypes, also including the wording/explanation of why it's a collection (see previous email from Jeff Williams). Please see: 1) See: Line 38 - definition of Ids - how to we make them globally unique. 2) Line 308 - vulnList, vulnTypes - first attempt at documenting them, I think it needs more work, ideally with references to papers to make sure everyone understands the background behind each type. I didn't address any of the issues raised in other emails for now. I also think the suggestion to put this under version control is a good one, and will make it easier to evolve the schema into the final form. David, if you decide to do it, you can check this in. Peter -----Original Message----- From: Mark Curphey [mailto:mark.curphey@foundstone.com] Sent: Monday, March 29, 2004 10:44 AM To: Peter Michalek Cc: was@lists.oasis-open.org Subject: RE: [was] Notes on WAS Face to Face Peter, Feel free to clean up what you need to. Some of the older vuln info is still there and the original info of Attack Types etc from the older risk ranking model. I think we should take that out. Also what do you think about a structure of WAS Core.xsd that calls WAS Detect WAS Protect This allows for an easier development (less merge conflicts) but would also allow us to increment sub-elements moving forward without having to update the entire schema. Mark As a note Symantec will be joining WAS in an active role this week! -----Original Message----- From: Peter Michalek [mailto:peter@fortifysoftware.com] Sent: Monday, March 29, 2004 11:49 AM To: Mark Curphey Subject: RE: [was] Notes on WAS Face to Face Hi Mark, This is a good summary of vulnTypes that is useful, how we need to clean up and publishing as schema so that it has a more professional look. If you would be OK with that, we could go ahead with my proposal from Saturday and clean up and relatively finalize the stuff we came up with last week. You probably want to do it at your own pace and coordinate with other things, which is fine. Just let me know when you are ready. Peter -----Original Message----- From: Mark Curphey [mailto:mark.curphey@foundstone.com] Sent: Sunday, March 28, 2004 6:10 PM To: was@lists.oasis-open.org Subject: [was] Notes on WAS Face to Face As you will know from the notifications I have uploaded the meeting minutes from last weeks face to face and the updated working schema. It was a great meeting and we are making real progress. I am fairly confident we can publish the drafts of meta-data and profile as well the supporting documents before the end of April. The supporting documents will be; OASIS WAS Thesaurus (using VulnTypes) - this is the classification scheme OASIS WAS Vision Document OASIS WAS Core Schema Documented For those who don't read the minutes or look at the schema, I think some of the important schema is below. This will allow for rich metrics and measurement programs to be created by using the categories. <xsd:simpleType name="vulnList"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="AccessControl" /> <xsd:enumeration value="ConfigurationManagement" /> <xsd:enumeration value="ConfigurationManagement.Administration" /> <xsd:enumeration value="ConfigurationManagement.Application" /> <xsd:enumeration value="ConfigurationManagement.Infrastructure" /> <xsd:enumeration value="IntegerOverflow" /> <xsd:enumeration value="DataProtection" /> <xsd:enumeration value="DataProtection.Storage" /> <xsd:enumeration value="DataProtection.Transport" /> <xsd:enumeration value="InputValidation" /> <xsd:enumeration value="InputValidation.User" /> <xsd:enumeration value="InputValidation.Network" /> <xsd:enumeration value="InputValidation.File" /> <xsd:enumeration value="Concurrency" /> <xsd:enumeration value="AppDOS" /> <xsd:enumeration value="AppDOS.Flood" /> <xsd:enumeration value="AppDOS.Lockout" /> <xsd:enumeration value="BufferOverflow.Heap" /> <xsd:enumeration value="BufferOverflow.Stack" /> <xsd:enumeration value="BufferOverflow.Format" /> <xsd:enumeration value="Injection" /> <xsd:enumeration value="Injection.OS" /> <xsd:enumeration value="Injection.SQL" /> <xsd:enumeration value="Injection.HTML" /> <xsd:enumeration value="Injection.OSCommand" /> <xsd:enumeration value="Injection.LDAP" /> <xsd:enumeration value="Injection.XSS" /> <xsd:enumeration value="ErrorHandling" /> <xsd:enumeration value="Monitoring" /> <xsd:enumeration value="Monitoring.Logging" /> <xsd:enumeration value="Monitoring.Detection" /> <xsd:enumeration value="Cryptography" /> <xsd:enumeration value="Cryptography.Algorithm" /> <xsd:enumeration value="Cryptography.KeyManagement" /> <xsd:enumeration value="Authentication" /> <xsd:enumeration value="Authentication.User" /> <xsd:enumeration value="Authentication.UserManagement" /> <xsd:enumeration value="Authentication.Entity" /> <xsd:enumeration value="Authentication.SessionManagement" /> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="appType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="client-server" /> <xsd:enumeration value="web service" /> <xsd:enumeration value="standalone" /> <xsd:enumeration value="p2p" /> <xsd:enumeration value="web application" /> <xsd:enumeration value="server" /> <xsd:enumeration value="client" /> <xsd:enumeration value="mainframe" /> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="rootCauseType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="software defect" /> <xsd:enumeration value="config" /> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="RelatedProcesses"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="RequirementsAnalysis" /> <xsd:enumeration value="DesignAnalysis" /> <xsd:enumeration value="code" /> <xsd:enumeration value="SecurityTesting" /> <xsd:enumeration value="Deployment" /> </xsd:restriction> </xsd:simpleType> </xsd:schema> Mark Curphey Consulting Director Foundstone, Inc. Strategic Security 949.297.5600 x2070 Tel 781.738.0857 Cell 949.297.5575 Fax http://www.foundstone.com This email may contain confidential and privileged information for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies of this message. Thank you. To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup .php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php . To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/was/members/leave_workgroup.php .
3c3 < <xsd:schema targetNamespace="http://www.oasis.org/was"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns="http://www.oasis.org/was"; elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0" id="WAS"> --- > <xsd:schema targetNamespace="http://www.oasis.org/was"; xmlns="http://www.oasis.org/was"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0" id="WAS"> 309c309 < By allowing multiple categories to be assigned to a single application security issue, we avoid many of the hierarchy/taxonomy/classification --- > By allowing multiple categories to be assigned to a single application secuirty issue, we avoid many of the hierarchy/taxonomy/classification 314d313 < <xsd:enumeration value="AccessControl"> 317,606c316,337 < Used for problems that allow users to access assets or functions they are not authorized for. Frequently, there is no access control mechanism where there should be. < A proper access control mechanism should enforce the principles of a reference monitor: non-bypassable, tamperproof, and analyzable. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="ConfigurationManagement"> < <xsd:annotation> < <xsd:appinfo> < Used to describe problems in the configuration of an application or application environment. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="ConfigurationManagement.Administration"> < <xsd:annotation> < <xsd:appinfo> < Used for problems in the application's mechanisms that enable remote administration, such as user management, credential management, < database management, and other configuration options. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="ConfigurationManagement.Application"> < <xsd:annotation> < <xsd:appinfo> < Used to describe problems in the application's configuration, such as misconfigured security mechanisms, default programs, unused code, and unnecessarily enabled features. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="ConfigurationManagement.Infrastructure"> < <xsd:annotation> < <xsd:appinfo> < Used for problems with the configuration of the application's infrastructure, such as the web and application servers, filters, and external security mechanisms. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="IntegerOverflow"> < <xsd:annotation> < <xsd:appinfo> < Used for problems resulting from attempts to put a large number into a variable too small to hold it. < This can occur when parsing problems occur or mathematical functions are misused. These errors are particularly dangerous when the overflowed variable is used to allocate memory. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="DataProtection"> < <xsd:annotation> < <xsd:appinfo> < Used for issues related to inappropriate disclosure of data. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="DataProtection.Storage"> < <xsd:annotation> < <xsd:appinfo> < Used for problems storing data securely, including storage of credentials, keys, and other sensitive information. < Mistakes related to cryptographic mechanisms are examples, including poor sources of randomness, bad choice of algorithm, and poor implementation. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="DataProtection.Transport"> < <xsd:annotation> < <xsd:appinfo> < Used for problems related to secure transfer of information. < Frequently, this will refer to problems with SSL or TLS configuration, but could include other protocols with security features. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="InputValidation"> < <xsd:annotation> < <xsd:appinfo> < Used for issues related to failure to validate untrusted input before it is relied on by an application. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="InputValidation.User"> < <xsd:annotation> < <xsd:appinfo> < Used for input validation problems where the input comes from a human user, such as HTTP request parameters, command line input, or input events from an application's GUI. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="InputValidation.Network"> < <xsd:annotation> < <xsd:appinfo> < Used for input validation problems where the input comes from a network protocol, such as HTTP headers, sequence numbers, or other protocol fields. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="InputValidation.File"> < <xsd:annotation> < <xsd:appinfo> < Used for input validation problems where the input comes from a file, such as a properties file, batch data file, flat-file databases, or other file based data. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Concurrency"> < <xsd:annotation> < <xsd:appinfo> < Used for errors in multithreaded environments that allow data to be shared or corrupted. Examples include variables that are shared between threads < and cause time-of-check-time-of-use (TOCTOU) problems, broken singleton patterns, and poor cache design. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="AppDOS"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that would allow an attacker to completely or partially prevent users from using an application properly. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="AppDOS.Flood"> < <xsd:annotation> < <xsd:appinfo> < Used for application denial of service problems that involve saturating some limited resource shared by all users of the application, < such as disk space, CPU, network bandwidth, database connections, or memory. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="AppDOS.Lockout"> < <xsd:annotation> < <xsd:appinfo> < Used for application denial of service problems that involve using up some resource that is allocated to a user of the application, < such as failed logon attempts, minutes, messages, or transactions. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="BufferOverflow"> < <xsd:annotation> < <xsd:appinfo> < Buffer overflow problems result from application code writing behind memory limits allocated for a program variable and < often allow for injection of malicious code into a target and its execution. < This vulnerability category is often associated with usage of certain functions in programming APIs without < first validating the input and is related to and can also be classified as InputValidation. < BufferOverflow is the principal method used to exploit software today. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="BufferOverflow.Heap"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to overflow memory that is dynamically allocated by the application. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="BufferOverflow.Stack"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to write data into the stack, causing the program to crash or transfer control. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="BufferOverflow.Format"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to use format strings to overwrite locations in memory, allowing data to be changed, program control to be altered, or the program to crash. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection"> < <xsd:annotation> < <xsd:appinfo> < Used for problems that allow an attacker to bury commands into data and have them interpreted by some system that the data reaches. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection.SQL"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to inject special characters and commands into a SQL database and modify the intended query. < The attack might attempt to change the meaning of the query, or might attempt to chain additional commands. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection.HTML"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to inject HTML into an application and modify the appearance of HTML generated by that application. < For example, an attacker might inject an unwanted IMG tag into a guest book, and offend other users. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection.OSCommand"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to inject special characters and commands into the operating system command shell and modify the intended command. < The attack might attempt to modify how a program is invoked, or might attempt to chain additional commands. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection.LDAP"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to inject special characters and search terms into an LDAP server and modify the intended query. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Injection.XSS"> < <xsd:annotation> < <xsd:appinfo> < Used for flaws that allow an attacker to send malicious scripts through a web application and have them execute on victims' browsers. < Stored XSS attacks involve storing the script in the web application for users to find. < Reflected XSS attacks are bounced off a web application in real time and require a user to be tricked into sending the request containing the attack. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="ErrorHandling"> < <xsd:annotation> < <xsd:appinfo> < Used for problems in handling errors, including printing stack traces to the screen, fail open security mechanisms, < allowing errors to affect the operation of the entire application, and revealing too much information about a failure. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Monitoring"> < <xsd:annotation> < <xsd:appinfo> < Used for issues related to monitoring the security posture of a web application. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Monitoring.Logging"> < <xsd:annotation> < <xsd:appinfo> < Used for issues concerning the proper logging of events, including what should be logged, how it should be logged, how logs should be reviewed, and other issues related to accountability. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Monitoring.Detection"> < <xsd:annotation> < <xsd:appinfo> < Used for issues related to the detection of attacks on an application, how attacks should be handled, what information should be gathered, and who should be notified. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Cryptography"> < <xsd:annotation> < <xsd:appinfo> < Used for problems related to encryption, decryption, signing, and verification. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Cryptography.Algorithm"> < <xsd:annotation> < <xsd:appinfo> < Used for cryptographic algorithm selection, implementation, and analysis problems. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Cryptography.KeyManagement"> < <xsd:annotation> < <xsd:appinfo> < Used for issues with certificate storage, tokens, revocation, certificates, key stores, issuing keys, and other key issues ;-) < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Authentication"> < <xsd:annotation> < <xsd:appinfo> < Used for problems related to determining the identity of individuals and authenticating that identity. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Authentication.User"> < <xsd:annotation> < <xsd:appinfo> < Used for issues related to identification and authentication of people who are intended to use an application. < Problems with usernames, passwords, tokens, smartcards, biometrics, and other credentials are examples. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Authentication.UserManagement"> < <xsd:annotation> < <xsd:appinfo> < Used for problems related to managing a set of users, especially the security relevant information such as roles, < privileges, authorizations, groups, social security numbers, credit card numbers, and other sensitive information. < Also problems with creating new users, registration, granting rights, and terminating access. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Authentication.Entity"> < <xsd:annotation> < <xsd:appinfo> < Used for problems with authenticating automated systems, such as web services, databases, directories, and others. < Examples include secure credential storage, securing transport, changing credentials, and terminating access. < </xsd:appinfo> < </xsd:annotation> < </xsd:enumeration> < <xsd:enumeration value="Authentication.SessionManagement"> < <xsd:annotation> < <xsd:appinfo> < Used for problems with issuing, using, protecting, changing, and terminating session identifiers of all kinds. < Session identifiers stand in the place of authentication credentials yet are freqently not protected as carefully. --- > AccessControl denotes access control related issues. > > ConfigurationManagement denotes access control related issues. > ConfigurationManagement.Administration - issues related to administration of the server application. > ConfigurationManagement.Application - issues related to application level misconfiguration. > ConfigurationManagement.Infrastructure - application related infrastructure. > > Note: IntegerOverflow should not to be mistaken with BufferOverflow which deals with problems related to overwriting memory areas. > DataProtection issues have to do with proper protection of data, such as log files (e.g. - DataProtection.Storage confidential data that is not encrypted ), or > unencrypted transport (DataProtection.Transport) > Concurrency is also known as TOCTOU (time-of-check-time-of-use) vulnerability. > AppDOS denotes Application Level (as opposed to network level) of Denial of Services vulnerability. AppDOS.Flood is a subcategory related to flooding the server resources so that > serving valid customers is limited. > AppDOS.Lockout refers to the situation where the server is effectively locks out accounts of valid users because of attacker's selection of > those user names for the attack. > Injection denotes a broad category of vulnerabilities that are caused by injecting invalid extranious data into the arguments of external > interfaces of the applications (e.g. into HTTP datastream of Web Applications). > Injection.OS - ?? > Injection.SQL SQL injection > ErrorHandling denotes issues related to error handling. > Cryptography categories denotes vulnerabilities related to incorrect use of cryptography. > 609c340,378 < </xsd:enumeration> --- > <xsd:enumeration value="AccessControl"/> > <xsd:enumeration value="ConfigurationManagement"/> > <xsd:enumeration value="ConfigurationManagement.Administration"/> > <xsd:enumeration value="ConfigurationManagement.Application"/> > <xsd:enumeration value="ConfigurationManagement.Infrastructure"/> > <xsd:enumeration value="IntegerOverflow"/> > <xsd:enumeration value="DataProtection"/> > <xsd:enumeration value="DataProtection.Storage"/> > <xsd:enumeration value="DataProtection.Transport"/> > <xsd:enumeration value="InputValidation"/> > <xsd:enumeration value="InputValidation.User"/> > <xsd:enumeration value="InputValidation.Network"/> > <xsd:enumeration value="InputValidation.File"/> > <xsd:enumeration value="Concurrency"/> > <xsd:enumeration value="AppDOS"/> > <xsd:enumeration value="AppDOS.Flood"/> > <xsd:enumeration value="AppDOS.Lockout"/> > <xsd:enumeration value="BufferOverflow.Heap"/> > <xsd:enumeration value="BufferOverflow.Stack"/> > <xsd:enumeration value="BufferOverflow.Format"/> > <xsd:enumeration value="Injection"/> > <xsd:enumeration value="Injection.OS"/> > <xsd:enumeration value="Injection.SQL"/> > <xsd:enumeration value="Injection.HTML"/> > <xsd:enumeration value="Injection.OSCommand"/> > <xsd:enumeration value="Injection.LDAP"/> > <xsd:enumeration value="Injection.XSS"/> > <xsd:enumeration value="ErrorHandling"/> > <xsd:enumeration value="Monitoring"/> > <xsd:enumeration value="Monitoring.Logging"/> > <xsd:enumeration value="Monitoring.Detection"/> > <xsd:enumeration value="Cryptography"/> > <xsd:enumeration value="Cryptography.Algorithm"/> > <xsd:enumeration value="Cryptography.KeyManagement"/> > <xsd:enumeration value="Authentication"/> > <xsd:enumeration value="Authentication.User"/> > <xsd:enumeration value="Authentication.UserManagement"/> > <xsd:enumeration value="Authentication.Entity"/> > <xsd:enumeration value="Authentication.SessionManagement"/>
<?xml version="1.0" encoding="UTF-8"?> <!-- edited with XMLSPY v2004 rel. 2 U (http://www.xmlspy.com) by Mark Curphey (OWASP) --> <xsd:schema targetNamespace="http://www.oasis.org/was"; xmlns:xsd="http://www.w3.org/2001/XMLSchema"; xmlns="http://www.oasis.org/was"; elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.0" id="WAS"> <!--Copyright © OASIS Open (2003). All Rights Reserved. This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to OASIS, except as needed for the purpose of developing OASIS specifications, in which case the procedures for copyrights defined in the OASIS Intellectual Property Rights document must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by OASIS or its successors or assigns. This document and the information contained herein is provided on an "AS IS" basis and OASIS DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.--> <xsd:annotation> <xsd:appinfo> A WAS Test Case consists of 3 core elements. Meta- Data is used to manage the test cases themselves, Profile is used to describe the context of the test case and Test is the element that contains the test case. </xsd:appinfo> </xsd:annotation> <xsd:complexType name="metaData"> <xsd:complexContent> <xsd:restriction base="xsd:anyType"> <xsd:sequence> <xsd:element name="ID" type="ID"> <xsd:annotation> <xsd:appinfo>The ID element provides a mechanism to declare uniquely identifiable attributes for cataloging and referencing. The provider, author and vendor IDs allow cross referencing and trust models to be developed based on the source of the test case. Note: Need to define the XML:DigSig for these attributes and provide for a mecahism to sign an entire file (ie provide authenticity and integrity of the file outside of transport security). The ID Element should be derived from the following pieces of information: 1. Organization Label / Name - ex: Foundstone, in the case of large organization it is their responsibility to maintain organization level uniqueness. ... TODO: Define legal characters. 2. Current date - YYYY-MM-DD TODO: Thus a sample ID is: 2004-03-31-foundstone.com-0001 The id part after the company name should be unique within the company (i.e. last part of id namespace needs to be managed by the company. </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="provider" type="provider" minOccurs="0"> <xsd:annotation> <xsd:appinfo>The provider element provides a mechanism to reference the original provider of the signature. This maybe a trusted source of signatures or a commercial security intelligence provider or an internal source. This allows fast indexing of entries based on the provider without having to check signatures. </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="restrictions" type="restrictions"> <xsd:annotation> <xsd:appinfo>The restrictions element provides a mechanism to reference any usage restrictions on the test case itself. These may include copyright, licensing or potentially things like export restrictions where a test case contains cryptographic information. </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="history"> <xsd:complexType> <xsd:sequence> <xsd:element name="version" type="version" maxOccurs="unbounded"> <xsd:annotation> <xsd:appinfo>The date element provides a mechanism to declare time and historical related data. An example use case maybe, show me all of the issues within the last 3 months. </xsd:appinfo> </xsd:annotation> </xsd:element> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:sequence> </xsd:restriction> </xsd:complexContent> </xsd:complexType> <xsd:complexType name="profile"> <xsd:sequence> <xsd:element name="vulnTypes" type="vulnTypes"> <xsd:annotation> <xsd:appinfo/> </xsd:annotation> </xsd:element> <xsd:element name="riskRanking" type="riskRanking"> <xsd:annotation> <xsd:appinfo>The ID element provides a mechansim to declare uniquely identifiable attributes for cataloging and referencing. The provider, author and vendor IDs allow cross referencing ands trust models to be developed based on the source of the test case. Note: Need to define the XML:DigSig for these attributes and provide for a mecahism to sign an entire file (ie provide authenticity and integrity of the file) </xsd:appinfo> </xsd:annotation> </xsd:element> <xsd:element name="references" type="references"> <xsd:annotation> <xsd:appinfo/> </xsd:annotation> </xsd:element> <xsd:element name="locationOfIssue" type="locationOfIssue"/> <xsd:element name="title" type="xsd:string"/> <xsd:element name="abstract" type="xsd:string"/> <xsd:element name="description" type="xsd:string"/> <xsd:element name="rootCause"> <xsd:complexType> <xsd:sequence> <xsd:element name="cause" type="rootCauseType"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="RelatedProcesses"> <xsd:complexType> <xsd:sequence> <xsd:element name="relatedProcess" type="RelatedProcesses"/> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:sequence> </xsd:complexType> <xsd:complexType name="ID"> <xsd:attribute name="testCaseID" type="xsd:ID" use="required"> <xsd:annotation> <xsd:appinfo>This element provides a uniquely identifiable key. This would be used as a fast and efficient way for two technolgies sharing the same test case database to exchange information. ie use xsd:was:ID:uid:007 </xsd:appinfo> </xsd:annotation> </xsd:attribute> </xsd:complexType> <xsd:complexType name="version"> <xsd:sequence> <xsd:element name="versionNumber" type="xsd:decimal"/> <xsd:element name="releaseDate" type="xsd:dateTime"/> <xsd:element name="changeDesc" type="xsd:string"/> <xsd:element name="author" type="author"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="author"> <xsd:sequence> <xsd:element name="name" type="xsd:string"/> <xsd:element name="email" type="xsd:anyURI"/> <xsd:element name="company" type="xsd:string"/> <xsd:element name="address" type="xsd:string"/> <xsd:element name="uri" type="xsd:string"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="provider"> <xsd:sequence> <xsd:element name="email" type="xsd:string"/> <xsd:element name="company" type="xsd:string"/> <xsd:element name="address" type="xsd:string"/> <xsd:element name="uri" type="xsd:string"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="restrictions"> <xsd:sequence> <xsd:element name="license" type="license"/> <xsd:element name="copyright" type="copyright" minOccurs="0"/> <xsd:element name="restrictionsUpdateURI" type="xsd:string" minOccurs="0"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="riskRanking"> <xsd:sequence> <xsd:element name="threat"/> <xsd:element name="impact"/> </xsd:sequence> </xsd:complexType> <xsd:simpleType name="threat"> <xsd:restriction base="xsd:string"> <xsd:pattern value="[a-d]"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="impact"> <xsd:restriction base="xsd:string"> <xsd:pattern value="[a-d]"/> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="vulnTypes"> <xsd:sequence> <xsd:element name="vuln"> <xsd:complexType> <xsd:sequence> <xsd:element name="vuln" type="vulnList"/> </xsd:sequence> </xsd:complexType> </xsd:element> </xsd:sequence> </xsd:complexType> <xsd:simpleType name="attackSurfaceType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="system boundary"/> <xsd:enumeration value="component boundary"/> <xsd:enumeration value="source code"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="targetType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="application component"/> <xsd:enumeration value="infrastructure component"/> <xsd:enumeration value="end user"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="conditionType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="authenticated"/> <xsd:enumeration value="privilege"/> <xsd:enumeration value="port"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="consequenceType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="denial of service"/> <xsd:enumeration value="privilege elevation"/> <xsd:enumeration value="transfer of trust"/> <xsd:enumeration value="identity impersonation"/> <xsd:enumeration value="data disclosure"/> <xsd:enumeration value="security requirements violation"/> </xsd:restriction> </xsd:simpleType> <xsd:complexType name="license"> <xsd:sequence> <xsd:element name="licenseType" type="xsd:string"/> <xsd:element name="licenseText" type="xsd:string"/> <xsd:element name="licenseVersion" type="xsd:decimal"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="descriptions"> <xsd:sequence> <xsd:element name="abstract" type="xsd:string"/> <xsd:element name="longtDescription" type="xsd:string"/> <xsd:element name="title" type="xsd:string"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="references"> <xsd:sequence> <xsd:element name="vulnDatabase" type="vulnDatabase"/> <xsd:element name="whitePaper" type="furtherReading"/> <xsd:element name="article" type="article"/> <xsd:element name="newsExample" type="newsExample"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="vulnDatabase"> <xsd:sequence> <xsd:element name="name" type="xsd:string"/> <xsd:element name="location" type="xsd:anyURI"/> <xsd:element name="itemIdentifier" type="xsd:string"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="furtherReading"> <xsd:sequence> <xsd:element name="title" type="xsd:string"/> <xsd:element name="author" type="xsd:string"/> <xsd:element name="format" type="xsd:mimetype"/> <xsd:element name="date" type="xsd:date"/> <xsd:element name="location" type="xsd:anyURI"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="newsExample"> <xsd:sequence> <xsd:element name="title" type="xsd:string"/> <xsd:element name="publication" type="xsd:string"/> <xsd:element name="date" type="xsd:date"/> <xsd:element name="location" type="xsd:anyURI"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="copyright"> <xsd:sequence> <xsd:element name="copyrightHolder" type="xsd:string"/> <xsd:element name="copyrightNotice" type="xsd:string"/> <xsd:element name="copyrightDate" type="xsd:date"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="locationOfIssue"> <xsd:sequence> <xsd:element name="version" type="xsd:string"/> <xsd:element name="os" type="xsd:string"/> <xsd:element name="arch" type="xsd:string"/> <xsd:element name="vm" type="xsd:string"/> <xsd:element name="lang" type="xsd:string"/> <xsd:element name="pointer"> <xsd:complexType> <xsd:sequence> <xsd:element name="line" type="xsd:int"/> <xsd:element name="URI" type="xsd:string"/> <xsd:element name="stackTrace" type="xsd:string"/> <xsd:element name="filePath" type="xsd:string"/> <xsd:element name="module" type="xsd:string"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="application"> <xsd:complexType> <xsd:sequence> <xsd:element name="type" type="appType"/> </xsd:sequence> </xsd:complexType> </xsd:element> <xsd:element name="vendor" type="vendor"/> </xsd:sequence> </xsd:complexType> <xsd:complexType name="vendor"> <xsd:sequence> <xsd:element name="name" type="xsd:string"/> <xsd:element name="homepage" type="xsd:anyURI"/> <xsd:element name="contactEmail" type="xsd:string"/> </xsd:sequence> </xsd:complexType> <xsd:simpleType name="vulnList"> <xsd:annotation> <xsd:appinfo> vulnList provides a way to assign multiple vulnerability categories to a single instance of vulnerability. By allowing multiple categories to be assigned to a single application security issue, we avoid many of the hierarchy/taxonomy/classification problems that have plagued this type of effort in the past. </xsd:appinfo> </xsd:annotation> <xsd:restriction base="xsd:string"> <xsd:enumeration value="AccessControl"> <xsd:annotation> <xsd:appinfo> Used for problems that allow users to access assets or functions they are not authorized for. Frequently, there is no access control mechanism where there should be. A proper access control mechanism should enforce the principles of a reference monitor: non-bypassable, tamperproof, and analyzable. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="ConfigurationManagement"> <xsd:annotation> <xsd:appinfo> Used to describe problems in the configuration of an application or application environment. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="ConfigurationManagement.Administration"> <xsd:annotation> <xsd:appinfo> Used for problems in the application's mechanisms that enable remote administration, such as user management, credential management, database management, and other configuration options. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="ConfigurationManagement.Application"> <xsd:annotation> <xsd:appinfo> Used to describe problems in the application's configuration, such as misconfigured security mechanisms, default programs, unused code, and unnecessarily enabled features. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="ConfigurationManagement.Infrastructure"> <xsd:annotation> <xsd:appinfo> Used for problems with the configuration of the application's infrastructure, such as the web and application servers, filters, and external security mechanisms. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="IntegerOverflow"> <xsd:annotation> <xsd:appinfo> Used for problems resulting from attempts to put a large number into a variable too small to hold it. This can occur when parsing problems occur or mathematical functions are misused. These errors are particularly dangerous when the overflowed variable is used to allocate memory. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="DataProtection"> <xsd:annotation> <xsd:appinfo> Used for issues related to inappropriate disclosure of data. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="DataProtection.Storage"> <xsd:annotation> <xsd:appinfo> Used for problems storing data securely, including storage of credentials, keys, and other sensitive information. Mistakes related to cryptographic mechanisms are examples, including poor sources of randomness, bad choice of algorithm, and poor implementation. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="DataProtection.Transport"> <xsd:annotation> <xsd:appinfo> Used for problems related to secure transfer of information. Frequently, this will refer to problems with SSL or TLS configuration, but could include other protocols with security features. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="InputValidation"> <xsd:annotation> <xsd:appinfo> Used for issues related to failure to validate untrusted input before it is relied on by an application. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="InputValidation.User"> <xsd:annotation> <xsd:appinfo> Used for input validation problems where the input comes from a human user, such as HTTP request parameters, command line input, or input events from an application's GUI. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="InputValidation.Network"> <xsd:annotation> <xsd:appinfo> Used for input validation problems where the input comes from a network protocol, such as HTTP headers, sequence numbers, or other protocol fields. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="InputValidation.File"> <xsd:annotation> <xsd:appinfo> Used for input validation problems where the input comes from a file, such as a properties file, batch data file, flat-file databases, or other file based data. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Concurrency"> <xsd:annotation> <xsd:appinfo> Used for errors in multithreaded environments that allow data to be shared or corrupted. Examples include variables that are shared between threads and cause time-of-check-time-of-use (TOCTOU) problems, broken singleton patterns, and poor cache design. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="AppDOS"> <xsd:annotation> <xsd:appinfo> Used for flaws that would allow an attacker to completely or partially prevent users from using an application properly. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="AppDOS.Flood"> <xsd:annotation> <xsd:appinfo> Used for application denial of service problems that involve saturating some limited resource shared by all users of the application, such as disk space, CPU, network bandwidth, database connections, or memory. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="AppDOS.Lockout"> <xsd:annotation> <xsd:appinfo> Used for application denial of service problems that involve using up some resource that is allocated to a user of the application, such as failed logon attempts, minutes, messages, or transactions. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BufferOverflow"> <xsd:annotation> <xsd:appinfo> Buffer overflow problems result from application code writing behind memory limits allocated for a program variable and often allow for injection of malicious code into a target and its execution. This vulnerability category is often associated with usage of certain functions in programming APIs without first validating the input and is related to and can also be classified as InputValidation. BufferOverflow is the principal method used to exploit software today. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BufferOverflow.Heap"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to overflow memory that is dynamically allocated by the application. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BufferOverflow.Stack"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to write data into the stack, causing the program to crash or transfer control. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="BufferOverflow.Format"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to use format strings to overwrite locations in memory, allowing data to be changed, program control to be altered, or the program to crash. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection"> <xsd:annotation> <xsd:appinfo> Used for problems that allow an attacker to bury commands into data and have them interpreted by some system that the data reaches. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection.SQL"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to inject special characters and commands into a SQL database and modify the intended query. The attack might attempt to change the meaning of the query, or might attempt to chain additional commands. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection.HTML"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to inject HTML into an application and modify the appearance of HTML generated by that application. For example, an attacker might inject an unwanted IMG tag into a guest book, and offend other users. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection.OSCommand"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to inject special characters and commands into the operating system command shell and modify the intended command. The attack might attempt to modify how a program is invoked, or might attempt to chain additional commands. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection.LDAP"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to inject special characters and search terms into an LDAP server and modify the intended query. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Injection.XSS"> <xsd:annotation> <xsd:appinfo> Used for flaws that allow an attacker to send malicious scripts through a web application and have them execute on victims' browsers. Stored XSS attacks involve storing the script in the web application for users to find. Reflected XSS attacks are bounced off a web application in real time and require a user to be tricked into sending the request containing the attack. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="ErrorHandling"> <xsd:annotation> <xsd:appinfo> Used for problems in handling errors, including printing stack traces to the screen, fail open security mechanisms, allowing errors to affect the operation of the entire application, and revealing too much information about a failure. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Monitoring"> <xsd:annotation> <xsd:appinfo> Used for issues related to monitoring the security posture of a web application. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Monitoring.Logging"> <xsd:annotation> <xsd:appinfo> Used for issues concerning the proper logging of events, including what should be logged, how it should be logged, how logs should be reviewed, and other issues related to accountability. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Monitoring.Detection"> <xsd:annotation> <xsd:appinfo> Used for issues related to the detection of attacks on an application, how attacks should be handled, what information should be gathered, and who should be notified. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Cryptography"> <xsd:annotation> <xsd:appinfo> Used for problems related to encryption, decryption, signing, and verification. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Cryptography.Algorithm"> <xsd:annotation> <xsd:appinfo> Used for cryptographic algorithm selection, implementation, and analysis problems. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Cryptography.KeyManagement"> <xsd:annotation> <xsd:appinfo> Used for issues with certificate storage, tokens, revocation, certificates, key stores, issuing keys, and other key issues ;-) </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Authentication"> <xsd:annotation> <xsd:appinfo> Used for problems related to determining the identity of individuals and authenticating that identity. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Authentication.User"> <xsd:annotation> <xsd:appinfo> Used for issues related to identification and authentication of people who are intended to use an application. Problems with usernames, passwords, tokens, smartcards, biometrics, and other credentials are examples. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Authentication.UserManagement"> <xsd:annotation> <xsd:appinfo> Used for problems related to managing a set of users, especially the security relevant information such as roles, privileges, authorizations, groups, social security numbers, credit card numbers, and other sensitive information. Also problems with creating new users, registration, granting rights, and terminating access. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Authentication.Entity"> <xsd:annotation> <xsd:appinfo> Used for problems with authenticating automated systems, such as web services, databases, directories, and others. Examples include secure credential storage, securing transport, changing credentials, and terminating access. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> <xsd:enumeration value="Authentication.SessionManagement"> <xsd:annotation> <xsd:appinfo> Used for problems with issuing, using, protecting, changing, and terminating session identifiers of all kinds. Session identifiers stand in the place of authentication credentials yet are freqently not protected as carefully. </xsd:appinfo> </xsd:annotation> </xsd:enumeration> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="appType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="client-server"/> <xsd:enumeration value="web service"/> <xsd:enumeration value="standalone"/> <xsd:enumeration value="p2p"/> <xsd:enumeration value="web application"/> <xsd:enumeration value="server"/> <xsd:enumeration value="client"/> <xsd:enumeration value="mainframe"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="rootCauseType"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="software defect"/> <xsd:enumeration value="config"/> </xsd:restriction> </xsd:simpleType> <xsd:simpleType name="RelatedProcesses"> <xsd:restriction base="xsd:string"> <xsd:enumeration value="RequirementsAnalysis"/> <xsd:enumeration value="DesignAnalysis"/> <xsd:enumeration value="code"/> <xsd:enumeration value="SecurityTesting"/> <xsd:enumeration value="Deployment"/> </xsd:restriction> </xsd:simpleType> </xsd:schema>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]