Document:
AVDLschema.xsd

Draft (A preliminary unapproved sketch, outline, or version.)

Details

Submitted By Dr Srinivas Mantripragada on 2003-07-03 9:07 pm UTC

Publication Type

None at this time.

Group / Folder

OASIS Application Vulnerability Description Language (AVDL) TC / Standards

Modified by

Mr Kevin Heineman
2004-03-26 11:38 pm UTC

Copy

This document is not a copy.

Technical Contact

None at this time.

Download Count

245

Download Agreement

None at this time.

Description

This is a continuation of some of the topics that were discussed in the last meeting.

Ref: Original Kevin Heineman mail:

Continued the discussion regarding the information that should be contained within the standard. The following items were discussed:

1) Discussed the possibility of splitting the standard into 4 sections of information. The sections are version, test description, content type (e.g., request and response), and block schema or fix methodology. Srinivas Mantripragada will post an example of this format to the AVDL site for people to review and comment. Some of the fields that should be included in the content type section are Web Server, OS, Date vulnerability was found, Date ID was entered, Reference to Bug Track, URL pointer to get reference info, WebServer Tag, Host Tag, File extension type, Test description (not part of the request type), raw request and raw response.
The top-level suggestion is to have 4 main sections of information containers.

(1) Version
(2) TestDescription
(3) SessionDetails
(4) FixMethodology

(1) Version provides the information state on the specific vulnerability.
(2) TestDescription provides details on the environment under which this vulnerability applies.
(3) SessionDetails provides specific request-header, response-header and vulnerability information.
(4) FixMethodology contains schemas to provide the necessary information to remediation engines, block engines, user fixes, etc.
Attached is a preliminary schema. More details in today's meeting.

thx,

-Srinivas