WebApp Sec mailing list archives
OASIS WAS Thesaurus (coming soon)
From: "Mark Curphey" <mark.curphey () foundstone com>
Date: Sun, 28 Mar 2004 21:34:42 -0500
FYI - The OASIS Technical Committee has just placed the latest working copy of the draft schema online from last week's meeting in Washington DC. http://www.oasis-open.org/committees/documents.php?wg_abbrev=was

One of the things this includes is an element called VulnTypes. VulnTypes are essentially lists of things such as SQL Injection and Overflows that can be used as the basis for creating vulnerability reporting, classification schemes and metrics programs. By using an official standard, companies can ensure that they are consistent, comparing apples to apples when writing vulnerability reports or comparing reports from systems, technologies or vendors. If services vendors adopt the scheme (like my company and others have already committed to) they can deliver reports to clients who can feed the data into their specific metrics and measurement programs seamlessly. WAS is being designed to deal with vulnerabilities input from humans and different technologies like Source Code Scanners and Black Box Scanners.

This may be tweaked over the coming weeks, but we will publish an OASIS WAS Thesaurus at the end of April. If anyone used to use the OWASP ASAC for grouping or reporting, this will replace that. It is essentially a textual document that contains a short and long description of each of the Vuln Types in the schema. I will be contacting those who wrote to me to proof-read that doc over the next week or so.
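The following is an added example, not code from the OASIS WAS committee or from the original post, showing the kind of consistency a shared vulnerability-type list buys: findings from a black box scanner, a source code scanner and a human reviewer, each using its own native labels, are mapped onto one common vocabulary so that counts per type can be compared across sources. The vocabulary, the source names, the label mappings and the findings are all constructed for illustration and do not reproduce the real VulnTypes element.

```python
"""Normalise findings from several sources onto one shared list of
vulnerability types and compute consistent per-type metrics.

Everything here (the VULN_TYPES vocabulary, the source names, the label
mappings and the sample findings) is constructed for illustration; it is
not the OASIS WAS schema.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed shared vocabulary standing in for a VulnTypes-style list.
# "Unclassified" is the catch-all so that no finding is silently dropped.
VULN_TYPES = frozenset(
    {"SQLInjection", "Overflow", "CrossSiteScripting", "Unclassified"}
)

# Constructed mapping from each source's native labels to the shared list.
# Every target must be a member of VULN_TYPES (checked below).
SOURCE_LABEL_MAP = {
    "blackbox": {
        "sqli": "SQLInjection",
        "xss": "CrossSiteScripting",
        "buffer-overflow": "Overflow",
    },
    "codescan": {
        "CWE-89": "SQLInjection",
        "CWE-120": "Overflow",
        "CWE-79": "CrossSiteScripting",
    },
    "manual": {
        "SQL Injection": "SQLInjection",
        "Stack overflow": "Overflow",
    },
}


def validate_mapping(mapping=SOURCE_LABEL_MAP, vocabulary=VULN_TYPES):
    """Return every (source, native_label) whose target is not in the
    shared vocabulary; an empty list means the mapping is sound."""
    return [
        (source, label)
        for source, table in mapping.items()
        for label, target in table.items()
        if target not in vocabulary
    ]


@dataclass(frozen=True)
class Finding:
    source: str        # which scanner or reviewer produced it
    native_label: str  # the label in that source's own terms
    location: str      # URL, file:line, or component


def normalise(finding):
    """Map one finding's native label to the shared vulnerability type."""
    table = SOURCE_LABEL_MAP.get(finding.source, {})
    return table.get(finding.native_label, "Unclassified")


def unmapped_labels(findings):
    """Labels that fell through to Unclassified, so the mapping can be
    extended rather than leaving findings uncounted."""
    return sorted(
        {(f.source, f.native_label) for f in findings
         if normalise(f) == "Unclassified"}
    )


def metrics(findings):
    """Counts per shared vulnerability type across all sources."""
    counts = Counter(normalise(f) for f in findings)
    return {vt: counts.get(vt, 0) for vt in sorted(VULN_TYPES)}


def per_source_metrics(findings):
    """The same counts broken out by source, for apples-to-apples
    comparison of what each scanner or reviewer found."""
    result = {}
    for f in findings:
        result.setdefault(f.source, Counter())[normalise(f)] += 1
    return {src: dict(c) for src, c in result.items()}


# Constructed sample findings, one report per source.
SAMPLE_FINDINGS = [
    Finding("blackbox", "sqli", "/login"),
    Finding("blackbox", "xss", "/search"),
    Finding("blackbox", "buffer-overflow", "/upload"),
    Finding("codescan", "CWE-89", "db.py:42"),
    Finding("manual", "SQL Injection", "/login"),
    Finding("manual", "Heap overflow", "image parser"),  # not yet mapped
]

if __name__ == "__main__":
    assert not validate_mapping()
    print(metrics(SAMPLE_FINDINGS))
    print(per_source_metrics(SAMPLE_FINDINGS))
    print("needs mapping:", unmapped_labels(SAMPLE_FINDINGS))
```

The point of `unmapped_labels` is that a taxonomy only delivers consistent metrics if every native label actually lands on a type in the shared list; reporting what fell through makes the gap visible instead of quietly under-counting.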