WebApp Sec mailing list archives
OASIS WAS Update
From: "Mark Curphey" <mark () curphey com>
Date: Wed, 22 Oct 2003 21:16:25 -0400
I just wanted to send an update to webappsec subscribers about the OASIS WAS project.

OASIS WAS (Web Application Security) is an effort to create an XML-based language and format to describe web security issues in a uniform, consistent and comprehensive manner. WAS test cases will be able to be used in assessment and protection tools and extend the work OWASP started with VulnXML.

There are many significant advantages WAS can potentially offer, including:

Vulnerabilities (and in the case of WAS positive security configurations) will be able to be described in a consistent, repeatable, complete and open manner. If a test case is in WAS format, it will contain all of the data and references a security professional would need as well as all of the technical data automated tools need to build actual tests or protection signatures.

The format is agnostic to the implementation technology that is ultimately used.

By using a standards-based format, the intelligent data that drives assessment and IDS tools will become transportable and shareable between technologies (both between assessment tools and between assessment and IDS tools).

Like many volunteer-based projects, things take more time than anyone would like; however, we are making significant progress. Within the next month or two we expect to have a basic schema defined and a reference implementation of an assessment engine (in Java) for people to create their own test cases. There is already an online database application to store and retrieve WAS XML test cases at owasp.org that will be modified and enhanced as the schema develops.

When we are ready I will send out a link to download the reference engine and publish the first draft of the schema for public review.

The OASIS WAS project can be found at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

The OWASP VulnXML database is at www.owasp.org/vulnxml