OWASP
XML Data Exchange Format
This project is setting out to define a data format and procedures that can be used to exchange web application security vulnerability information between both systems and users. The goal is to encourage interoperability between commercial, open source and research tools and to ensure that all users can consume a credible, up-to-date and open set of knowledge. A formal XML specification will be published with a reference implementation of a testing tool written in Java.

Today, knowledge about a security problem and exactly how it is being tested is typically buried deep inside tools. This leads to a high rate of false positives and false negatives. Most security professionals use a suite of tools, but without a data exchange format and open, unambiguous testing knowledge it is almost impossible to choose the best tool for the job and to keep a consistent set of tests and results persisted across applications. This project will facilitate putting a comprehensive set of technical data about web applications into the public domain, as well as its open exchange and expansion.

We believe it may be possible in the future to create SOAP services based on such an XML specification to allow the open source community to publish new vulnerabilities in real time to tools which are capable of reading the specification.

This idea is certainly not new. David Curry and Herve Debar published the Intrusion Detection Message Exchange Format (IDMEF) Data Model and Extensible Markup Language (XML) Document Type Definition (DTD) to promote the free exchange of intrusion detection information. The IETF Internet-Draft can be found at ftp://ftp.isi.edu/in-notes/search.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-05.txt. Silicon Defense has since created an IDMEF plug-in for Snort at http://www.silicondefense.com/idwg/snort-idmef/.

The data schema will need to be extensible and provide support for the description of generic cases like cross-site scripting (including range and bounds conditions) as well as specific instances of those vulnerabilities, like CVE-2000-0942 found at http://www.cve.mitre.org. The generic cases will likely initially be an extension of the OWASP Application Security Attack Components.
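To make the generic-case versus specific-instance split concrete, here is an added example of what a consumer of such an exchange document might look like. It is not code from OWASP or from the project described on this page: the page announces a schema but publishes none, so the namespace `urn:example:owasp-exchange`, the element names (`vulnerability`, `test`, `bounds`, `reference`) and the sample document are all constructed assumptions. The parser checks the cross-references an exchange format depends on (instances must point at a known generic case, ids must be unique, bounds must be ordered) and refuses any document carrying a DOCTYPE or ENTITY declaration, since a tool that ingests vulnerability feeds from third parties should not hand entity declarations to its XML parser.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical namespace and element names: the OWASP page announces a schema
# but publishes none, so everything below is a constructed stand-in.
NS = {"x": "urn:example:owasp-exchange"}

# Constructed sample document with one generic case and one specific instance.
SAMPLE_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<vulnerabilities xmlns="urn:example:owasp-exchange">
  <vulnerability id="xss-generic" kind="generic">
    <name>Cross-site scripting</name>
    <category>Input validation</category>
    <test>
      <parameter>every query-string and form field</parameter>
      <check>user-supplied input is echoed in the response without encoding</check>
      <bounds min="1" max="1024"/>
    </test>
  </vulnerability>
  <vulnerability id="CVE-2000-0942" kind="instance" generic="xss-generic">
    <name>Cross-site scripting instance tracked by CVE</name>
    <reference>http://www.cve.mitre.org</reference>
  </vulnerability>
</vulnerabilities>
"""


@dataclass
class Vulnerability:
    id: str
    kind: str                        # "generic" or "instance"
    name: str
    generic: Optional[str] = None    # instances point at the generic case they extend
    bounds: Optional[Tuple[int, int]] = None
    references: List[str] = field(default_factory=list)


def parse_exchange(text: str) -> List[Vulnerability]:
    """Parse an exchange document and validate the cross-references it carries."""
    # Defensive check: the format needs no DTD, so a DOCTYPE or ENTITY
    # declaration in a feed received from a third party is refused outright
    # rather than handed to the XML parser (entity expansion, external entities).
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("DOCTYPE/ENTITY declarations are not permitted")

    root = ET.fromstring(text)
    vulns: List[Vulnerability] = []
    for el in root.findall("x:vulnerability", NS):
        vid = el.get("id")
        kind = el.get("kind")
        if not vid or kind not in ("generic", "instance"):
            raise ValueError(f"vulnerability {vid!r} has a missing id or bad kind {kind!r}")
        v = Vulnerability(id=vid, kind=kind,
                          name=el.findtext("x:name", default="", namespaces=NS),
                          generic=el.get("generic"))
        bounds = el.find("x:test/x:bounds", NS)
        if bounds is not None:
            lo, hi = int(bounds.get("min")), int(bounds.get("max"))
            if lo > hi:
                raise ValueError(f"{vid}: bounds min {lo} exceeds max {hi}")
            v.bounds = (lo, hi)
        v.references = [r.text.strip() for r in el.findall("x:reference", NS) if r.text]
        vulns.append(v)

    ids = [v.id for v in vulns]
    if len(ids) != len(set(ids)):
        raise ValueError("duplicate vulnerability ids")
    generics = {v.id for v in vulns if v.kind == "generic"}
    for v in vulns:
        if v.kind == "instance" and v.generic not in generics:
            raise ValueError(f"{v.id}: refers to unknown generic case {v.generic!r}")
    return vulns


def index_by_generic(vulns: List[Vulnerability]) -> Dict[str, List[str]]:
    """Map each generic case to the specific instances that extend it."""
    index: Dict[str, List[str]] = {v.id: [] for v in vulns if v.kind == "generic"}
    for v in vulns:
        if v.kind == "instance":
            index[v.generic].append(v.id)
    return index


if __name__ == "__main__":
    parsed = parse_exchange(SAMPLE_DOC)
    for v in parsed:
        print(v.id, v.kind, v.name, v.bounds, v.references)
    print(index_by_generic(parsed))
```

The string check for `<!DOCTYPE` runs before the parser sees the input on purpose: rejecting the declaration up front is simpler to audit than configuring entity handling in each XML library a tool might use, and an exchange format that carries its own namespace has no need of a DTD.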

This project will start in early 2002.
