WebApp Sec mailing list archives

OASIS WAS Thesaurus (coming soon)


From: "Mark Curphey" <mark.curphey () foundstone com>
Date: Sun, 28 Mar 2004 21:34:42 -0500

FYI - The OASIS Technical Committee has just placed the latest working
copy of the draft schema online from last week's meeting in Washington
DC.

http://www.oasis-open.org/committees/documents.php?wg_abbrev=was

One of the things this includes is an element called VulnTypes. VulnTypes
are essentially lists of things such as SQL Injection and Overflows that
can be used as the basis for creating vulnerability reporting,
classification schemes and metrics programs. By using an official
standard, companies can ensure that they are consistent, comparing
apples to apples when writing vulnerability reports or comparing reports
from systems, technologies or vendors.

If services vendors adopt the scheme (like my company and others have
already committed to) they can deliver reports to clients who can feed
the data into their specific metrics and measurement programs
seamlessly. WAS is being designed to deal with vulnerabilities input
from Humans and different technologies like Source Code Scanners and
Black Box Scanners. 
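An added illustration of the "apples to apples" point above (this is example code written for this archive page, not the WAS schema or anything from the OASIS committee): findings from a human tester, a source-code scanner and a black-box scanner each arrive with their own labels, get mapped onto one shared type vocabulary, and can then be counted consistently. The STANDARD_TYPES set, the alias tables and the sample findings are all constructed for the example and are not the real VulnTypes list.

```python
# Added example, not part of the WAS schema: normalise findings from
# several sources onto one shared vulnerability-type vocabulary so that
# per-type counts are comparable across sources.
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Assumed shared vocabulary (placeholder names, not the WAS VulnTypes list).
STANDARD_TYPES = {"SQL_INJECTION", "BUFFER_OVERFLOW", "CROSS_SITE_SCRIPTING"}

# Each source uses its own native labels, so each gets its own alias table.
# All labels here are constructed for illustration.
ALIASES: Dict[str, Dict[str, str]] = {
    "manual": {"sqli": "SQL_INJECTION",
               "xss": "CROSS_SITE_SCRIPTING",
               "overflow": "BUFFER_OVERFLOW"},
    "sast":   {"injection.sql": "SQL_INJECTION",
               "memory.overflow": "BUFFER_OVERFLOW",
               "web.xss": "CROSS_SITE_SCRIPTING"},
    "dast":   {"SQL Injection": "SQL_INJECTION",
               "Cross Site Scripting": "CROSS_SITE_SCRIPTING"},
}

Finding = Tuple[str, str]  # (native label, location)


def normalise(source: str, findings: Iterable[Finding]) -> Tuple[List[Finding], List[Finding]]:
    """Map one source's findings onto the shared vocabulary.

    Returns (mapped, unmapped). Labels with no alias are returned rather
    than silently dropped, so gaps in the alias table stay visible instead
    of quietly skewing the metrics.
    """
    table = ALIASES.get(source, {})
    mapped: List[Finding] = []
    unmapped: List[Finding] = []
    for label, location in findings:
        std = table.get(label)
        if std in STANDARD_TYPES:
            mapped.append((std, location))
        else:
            unmapped.append((label, location))
    return mapped, unmapped


def metrics(reports: Dict[str, Iterable[Finding]]) -> Dict[str, Counter]:
    """Per-source counts keyed by shared type, comparable across sources."""
    return {source: Counter(std for std, _ in normalise(source, findings)[0])
            for source, findings in reports.items()}


def total_by_type(reports: Dict[str, Iterable[Finding]]) -> Counter:
    """Counts per shared type summed over every source."""
    total: Counter = Counter()
    for counts in metrics(reports).values():
        total.update(counts)
    return total


# Constructed sample reports from three different kinds of source.
SAMPLE_REPORTS: Dict[str, List[Finding]] = {
    "manual": [("sqli", "/login"), ("xss", "/search"), ("xss", "/profile")],
    "sast":   [("injection.sql", "db.c:42"), ("memory.overflow", "parse.c:17"),
               ("crypto.weak", "auth.c:9")],
    "dast":   [("SQL Injection", "/login"), ("Cross Site Scripting", "/search")],
}

if __name__ == "__main__":
    for source, counts in metrics(SAMPLE_REPORTS).items():
        print(source, dict(counts))
    print("total", dict(total_by_type(SAMPLE_REPORTS)))
    _, unmapped = normalise("sast", SAMPLE_REPORTS["sast"])
    print("unmapped sast labels:", unmapped)
```

The unmapped list is the part worth keeping in a real metrics pipeline: a label that no alias table knows about is exactly the case where two reports stop being comparable, and it should be surfaced for someone to extend the mapping rather than counted under a guessed type.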

This may be tweaked over the coming weeks, but we will be publishing an
OASIS WAS Thesaurus at the end of April. If anyone used to use the OWASP
ASAC for grouping or reporting, this will replace that. It is essentially
a textual document that contains a short and long description of each of
the Vuln Types in the schema.

I will be contacting those who wrote to me to proof read that doc over
the next week or so. 





Current thread: