Secure Coding mailing list archives

The Next Frontier


From: paco at cigital.com (Paco Hope)
Date: Wed, 27 Jun 2007 16:38:19 -0400

On 6/26/07 5:00 PM, "McGovern, James F (HTSC, IT)" <James.McGovern at thehartford.com> wrote:

Would there be value in terms of defining an XML schema that all tools could emit audit information to?

You might want to take a look at what the Fortify guys already do. Their "FVDL" (Fortify Vulnerability Description 
Language) is XML written to a specific schema. Here's a snippet:

<?xml version="1.0" encoding="UTF-8"?>
<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
version="1.5" xsi:type="FVDL">
<CreatedTS xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" date="2007-06-27" time="16:27:37"/>
<Build xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <BuildID>curl-7.11.1</BuildID>
    <NumberFiles>42</NumberFiles>
    <LOC>23572</LOC>
    <SourceBasePath>/Users/paco/Documents/Fortify/curl-7.11.1/lib</SourceBasePath>
    <SourceFiles>
        <File size="20098" timestamp="1079527605000">connect.c</File>
        <File size="11584" timestamp="1077710136000">krb4.c</File>
[..snip..]
<Vulnerability xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
    <ClassInfo>
        <ClassID>28424EC3-FFAC-40C0-94D9-3D8283B2F57C</ClassID>
        <Kingdom>Input Validation and Representation</Kingdom>
        <Type>Buffer Overflow</Type>
        <AnalyzerName>dataflow</AnalyzerName>
        <DefaultSeverity>4.0</DefaultSeverity>
    </ClassInfo>
    <InstanceInfo>
        <InstanceID>005542ED81D54F3C72BF3669EA8D130A</InstanceID>
        <InstanceSeverity>4.0</InstanceSeverity>
        <Confidence>3.4</Confidence>
    </InstanceInfo>
[..snip..]

Some of their XML seems quite reusable to me, and some of it seems pretty proprietary. It doesn't seem like they share 
a DTD or a schema publicly. Perhaps a little coaxing would get them to release it.

Paco
--
Paco Hope, CISSP
Technical Manager, Cigital, Inc
http://www.cigital.com/ * +1.703.585.7868
Software Confidence. Achieved.
