
Subject: WAS status report


Hello everyone,

This mailing list has been quiet for a while as I know many of you have
been busy with your primary work activities. During that quiet period, I
am sure some of you have been wondering if our WAS efforts will continue.

If you consider all the emphasis that has been made lately on
application security and the introduction of many new technologies from
both commercial and open-source projects, the work we have in front of
us is indeed more important than ever. I know many of us firmly believe
the effort is needed, useful and will help improve application security
practices and invigorate the security industry. With that I propose we
re-activate WAS and recommit our efforts towards this goal.

Due to time constraints, my former co-chairs on this TC, Mark Curphey
and David Raphael, will continue to dedicate time to WAS activities, but
will do so in an advisory role. I am greatly indebted to them both for
their guidance, leadership, and continued support. I would also like to
thank them for the great work they've done bringing WAS where it is
today. To help fill this void, I have asked Roger Thornton, CTO and
founder of Fortify software to co-chair the group with me moving
forward. I have worked with Roger for a number of years and have come to
value his expertise, experience, and leadership.

I'll be posting a ballot on the WAS TC web site for participants to
approve the new co-chair.

We would like to propose the following outline for the short term and
long term plan/proposal to be developed and executed upon over the next
few weeks and months.

Regular Conference Calls
------------------------
Starting November 11, 2004, the group will start regular bi-weekly 
conference calls, at 8 AM Pacific Time.
I'll email the phone number and participant code in a separate email.

Short term plan
---------------
In the short term, we'd like to proceed with fast clean up and release 
of the current WAS schema. We'd like to call it EVDL 0.1, reflecting the
general nature of the schema which doesn't focus on Web Application 
security only, but has a more general application. EVDL 0.1 stands for 
Enterprise Vulnerability Description Language Version 0.1.

EVDL 0.1 will contain the following components, SCA being a new addition
that represents the source code analysis security vertical/methodology:
Metadata
Profile
SCA (source code analysis)
Detect
Protect


Here is the tentative timeline for 0.1 release cycle:

Cleanup published:     11/10/2004
Feedback period:       12/1/2004
Incorporate feedback:  12/12/2004


Long Term Plan
--------------

We would like to develop a long term plan (1 year horizon) that will
include a methodical approach to define a comprehensive schema building
on the progress of efforts such as OWASP, AVDL, WAS, OVAL. This plan
will outline high-level goals, framework and schema that widen the focus
of EVDL 0.1 and address the duplication of terminology, classification
methods etc. in the different schemas currently in use in the industry.

The working name of this effort would be the EVDL 1.0 framework and
schema. We'd like to enlist the help of WAS participants to initially
define the scope of EVDL 1.0, its goals, objectives and timeline.

The current plan is to release the document describing goals resulting
from this initial phase of EVDL 1.0 discussion on December 15, 2004.
The objectives will contain, among other items, an increased effort for
industry-wide participation and measurement guidelines for achieving this.


Please email me if you are interested in contributing to this phase of
the effort in this timeframe. I'll be emailing more details on EVDL 1.0
before the next upcoming conference call.

The progress of the discussions will be regularly published to this
mailing list.


Thanks,

Peter

Peter Michalek
peter at michalek.org
408-421-6417



