Subject: WAS status report
Hello everyone,

This mailing list has been quiet for a while as I know many of you have been busy with your primary work activities. During that quiet period, I am sure some of you have been wondering if our WAS efforts will continue. If you consider all the emphasis that has been placed lately on application security and the introduction of many new technologies from both commercial and open-source projects, the work we have in front of us is indeed more important than ever. I know many of us firmly believe the effort is needed, useful and will help improve application security practices and invigorate the security industry. With that, I propose we re-activate WAS and recommit our efforts towards this goal.

Due to time constraints, my former co-chairs on this TC, Mark Curphey and David Raphael, will continue to dedicate time to WAS activities, but will do so in an advisory role. I am greatly indebted to them both for their guidance, leadership, and continued support. I would also like to thank them for the great work they've done bringing WAS to where it is today.

To help fill this void, I have asked Roger Thornton, CTO and founder of Fortify Software, to co-chair the group with me moving forward. I have worked with Roger for a number of years and have come to value his expertise, experience, and leadership. I'll be posting a ballot on the WAS TC web site for participants to approve the new co-chair.

We would like to propose the following outline for the short-term and long-term plan/proposal to be developed and executed upon over the next few weeks and months.

Regular Conference Calls
------------------------

Starting November 11, 2004, the group will start regular bi-weekly conference calls, at 8 AM Pacific Time. I'll email the phone number and participant code in a separate email.

Short term plan
---------------

In the short term, we'd like to proceed with a fast clean-up and release of the current WAS schema. We'd like to call it EVDL 0.1, reflecting the general nature of the schema, which doesn't focus on Web Application security only, but has a more general application. EVDL 0.1 stands for Enterprise Vulnerability Description Language Version 0.1.

EVDL 0.1 will contain the following components, SCA being a new addition that represents the source code analysis security vertical/methodology:

- Metadata
- Profile
- SCA (source code analysis)
- Detect
- Protect

Here is the tentative timeline for the 0.1 release cycle:

- Cleanup published: 11/10/2004
- Feedback period: 12/1/2004
- Incorporate feedback: 12/12/2004

Long Term Plan
--------------

We would like to develop a long-term plan (1 year horizon) that will include a methodical approach to define a comprehensive schema building on the progress of efforts such as OWASP, AVDL, WAS, and OVAL. This plan will outline high-level goals, a framework and a schema that widen the focus of EVDL 0.1 and address the duplication of terminology, classification methods etc. in the different schemas currently used in the industry. The working name of this effort would be the EVDL 1.0 framework and schema.

We'd like to enlist the help of WAS participants to initially define the scope of EVDL 1.0, its goals, objectives and timeline. The current plan is to release the document describing the goals resulting from this initial phase of the EVDL 1.0 discussion on December 15, 2004. The objectives will contain, among other items, an increased effort for industry-wide participation and measurement guidelines for achieving this. Please email me if you are interested in contributing to this phase of the effort in this timeframe.

I'll be emailing more details on EVDL 1.0 before the next upcoming conference call. The progress of the discussions will be regularly published to this mailing list.

Thanks,
Peter

Peter Michalek
peter at michalek.org
408-421-6417