WebApp Sec mailing list archives

OASIS WAS Update


From: "Mark Curphey" <mark () curphey com>
Date: Wed, 22 Oct 2003 21:16:25 -0400

I just wanted to send an update to webappsec subscribers about the OASIS WAS
project. 

OASIS WAS (Web Application Security) is an effort to create an XML-based
language and format to describe web security issues in a uniform, consistent
and comprehensive manner. WAS test cases will be able to be used in
assessment and protection tools and extend the work OWASP started with
VulnXML.

There are many significant advantages WAS can potentially offer, including:

Vulnerabilities (and, in the case of WAS, positive security configurations)
will be able to be described in a consistent, repeatable, complete and open
manner. If a test case is in WAS format, it will contain all of the data and
references a security professional would need as well as all of the
technical data automated tools need to build actual tests or protection
signatures. The format is agnostic to the implementation technology that is
ultimately used.

By using a standards-based format, the intelligent data that drives
assessment and IDS tools will become transportable and shareable between
technologies (both between assessment tools and between assessment and IDS
tools).
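As an added illustration (not from this post, and not the WAS schema, which the post says is still being drafted), the snippet below parses a constructed, stand-in XML test case and shows how one document could feed both an assessment tool and a protection tool; the element names, the "EXAMPLE-0001" id and the canned responses are all invented for the example.

```python
# Added illustration: a constructed stand-in XML test-case format (NOT the OASIS WAS
# schema, which had not been published when this post was written). The point is that
# one document carries both the human-readable material and the machine-actionable data.
import xml.etree.ElementTree as ET

# Constructed sample describing a positive-security check (a flag that should be present).
SAMPLE_TESTCASE = """<?xml version="1.0"?>
<testcase id="EXAMPLE-0001" severity="medium">
  <title>Session cookie lacks HttpOnly flag</title>
  <description>Cookies carrying session state should be marked HttpOnly.</description>
  <reference href="https://www.owasp.org/vulnxml" type="info"/>
  <request method="GET" path="/login"/>
  <response>
    <header name="Set-Cookie" mustMatch="HttpOnly"/>
  </response>
</testcase>
"""

def parse_testcase(xml_text):
    """Turn the XML into a plain dict: metadata for people, request/checks for tools."""
    root = ET.fromstring(xml_text)
    req = root.find("request")
    checks = [(h.get("name"), h.get("mustMatch")) for h in root.findall("response/header")]
    return {
        "id": root.get("id"),
        "severity": root.get("severity"),
        "title": root.findtext("title"),
        "references": [r.get("href") for r in root.findall("reference")],
        "request": {"method": req.get("method"), "path": req.get("path")},
        "checks": checks,
    }

def assess(testcase, response_headers):
    """Assessment-tool view: evaluate a (here canned) response against the checks."""
    failures = [name for name, needle in testcase["checks"]
                if needle not in response_headers.get(name, "")]
    return {"id": testcase["id"], "passed": not failures, "failed_headers": failures}

def protection_rule(testcase):
    """Protection-tool view: the same test case rendered as an outbound-response policy."""
    return [{"direction": "response", "header": name, "require": needle,
             "action": "alert", "tag": testcase["id"]}
            for name, needle in testcase["checks"]]
```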

Like many volunteer-based projects, things take more time than anyone would
like; however, we are making significant progress. Within the next month or
two we expect to have a basic schema defined and a reference implementation
of an assessment engine (in Java) for people to create their own test cases.
There is already an online database application to store and retrieve WAS
XML test cases at owasp.org that will be modified and enhanced as the schema
develops.

When we are ready I will send out a link to download the reference engine
and publish the first draft of the schema for public review.

The OASIS WAS project can be found at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

The OWASP VulnXML database is at www.owasp.org/vulnxml

