This project is setting out to define a data format and procedures that can be used to exchange web application security vulnerability information between both systems and users. The goal is to encourage interoperability between commercial, open source and research tools and ensure that all users can consume a credible, up-to-date and open set of knowledge. A formal XML specification will be published with a reference implementation of a testing tool written in Java.
Today, knowledge about a security problem and exactly how it is being tested is typically buried deep inside tools. This leads to a high degree of false positives and false negatives. Most security professionals use a suite of tools, but without a data exchange format and open, unambiguous testing knowledge it is almost impossible to choose the best tool for the job and keep a consistent set of tests and results persisted across applications. This project will facilitate putting a comprehensive set of technical data about web applications into the public domain, as well as facilitate its open exchange and expansion.
We believe it may be possible in the future to create SOAP services based on such an XML specification to allow the open source community to publish new vulnerabilities in real time to tools which are capable of reading the specification.
This idea is certainly not new. David Curry and Herve Debar published the Intrusion Detection Message Exchange Format Data Model and Extensible Markup Language (XML) Document Type Definition (DTD) to promote the free exchange of intrusion detection data. The Internet RFC draft can be found at ftp://ftp.isi.edu/in-notes/search.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-05.txt. Silicon Defense has since created an IDMEF plug-in for Snort at http://www.silicondefense.com/idwg/snort-idmef/.
The data schema will need to be extensible and provide support for the description of generic cases like cross site scripting (including ranges and bounds conditions) as well as specific instances of those vulnerabilities like CVE-2000-0942 found at http://www.cve.mitre.org. The generic cases will likely initially be an extension of the OWASP Application Security Attack Components.
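To make the generic-case / specific-instance split concrete, here is an added example (not the project's specification, which had not been published, and not its Java reference implementation) of how a consuming tool might parse such an exchange document. The element and attribute names (`<vulnerabilities>`, `<generic>`, `<instance>`, `min-length`, `max-length`, and so on) and the sample document itself are constructed for illustration; the product name is a placeholder. The only identifier taken from the page is CVE-2000-0942. The loader treats the document as untrusted input from another tool and validates the cross-references before anything acts on it.

```python
"""Parse a constructed vulnerability-exchange XML document.

Assumed schema (this example's own, NOT the OWASP project's):
  <vulnerabilities>
    <generic id=".." class="..">          generic case, e.g. cross site scripting
      <description>..</description>
      <test parameter-location=".." min-length=".." max-length="..">
        <match>..</match>                 bounds and the response pattern to look for
      </test>
    </generic>
    <instance id="CVE-.." generic="..">   specific instance referring to a generic case
      <product>..</product>
      <reference>..</reference>
    </instance>
  </vulnerabilities>
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample document; PLACEHOLDER-PRODUCT stands in for a real product.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<vulnerabilities version="0.1">
  <generic id="xss-reflected" class="Cross Site Scripting">
    <description>Request parameter echoed into the response without output encoding.</description>
    <test parameter-location="query" min-length="8" max-length="256">
      <match>&lt;script&gt;</match>
    </test>
  </generic>
  <instance id="CVE-2000-0942" generic="xss-reflected">
    <product>PLACEHOLDER-PRODUCT</product>
    <reference>http://www.cve.mitre.org</reference>
  </instance>
</vulnerabilities>
"""


@dataclass
class GenericCase:
    id: str
    class_name: str
    description: str
    parameter_location: str
    min_length: int
    max_length: int
    match: str


@dataclass
class Instance:
    id: str
    generic: str
    product: str
    references: List[str] = field(default_factory=list)


def load_records(xml_text: str) -> Tuple[Dict[str, GenericCase], List[Instance]]:
    """Parse an exchange document and check it is internally consistent."""
    # A document received from another tool is untrusted input: refuse DTDs so
    # entity-expansion tricks never reach the parser at all.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not permitted in exchange documents")
    root = ET.fromstring(xml_text)
    if root.tag != "vulnerabilities":
        raise ValueError(f"unexpected root element {root.tag!r}")

    generics: Dict[str, GenericCase] = {}
    for g in root.findall("generic"):
        gid = g.get("id")
        test = g.find("test")
        if not gid or test is None:
            raise ValueError(f"generic {gid!r} is missing an id or a <test>")
        lo = int(test.get("min-length", "0"))
        hi = int(test.get("max-length", "0"))
        if lo < 0 or lo > hi:
            raise ValueError(f"generic {gid!r}: bounds {lo}..{hi} are inconsistent")
        if gid in generics:
            raise ValueError(f"duplicate generic id {gid!r}")
        generics[gid] = GenericCase(
            id=gid,
            class_name=g.get("class", ""),
            description=(g.findtext("description") or "").strip(),
            parameter_location=test.get("parameter-location", "query"),
            min_length=lo,
            max_length=hi,
            match=test.findtext("match") or "",
        )

    instances: List[Instance] = []
    for i in root.findall("instance"):
        inst = Instance(
            id=i.get("id", ""),
            generic=i.get("generic", ""),
            product=(i.findtext("product") or "").strip(),
            references=[r.text.strip() for r in i.findall("reference") if r.text],
        )
        # A dangling reference would leave a tool with an instance it cannot test.
        if inst.generic not in generics:
            raise ValueError(f"instance {inst.id!r} refers to unknown generic {inst.generic!r}")
        instances.append(inst)
    return generics, instances


def resolve(instance: Instance, generics: Dict[str, GenericCase]) -> GenericCase:
    """Return the generic test definition a specific instance inherits."""
    return generics[instance.generic]


if __name__ == "__main__":
    gens, insts = load_records(SAMPLE_XML)
    for inst in insts:
        case = resolve(inst, gens)
        print(f"{inst.id}: {case.class_name}, payload {case.min_length}..{case.max_length} bytes, expect {case.match!r}")
```

The point of `resolve` is the interoperability the page argues for: once the test knowledge lives in the shared `<generic>` record rather than inside one product, any tool that can read the document knows exactly how CVE-2000-0942 is to be tested, and a consistent result set can be kept across applications.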
This project will start in early 2002.