[Owasp-o2-platform] FW: Wow

Dan Cornell dan at denimgroup.com
Mon Jan 4 14:55:29 EST 2010


Wanted to forward this since I wasn't an O2 platform mailing list member before.

Thanks,

Dan
________________________________________
From: Dan Cornell
Sent: Monday, January 04, 2010 12:05 PM
To: dinis cruz; owasp-o2-platform at lists.owasp.org
Cc: John Steven; Dan Cornell
Subject: RE: Wow

Dan, can you send me an example of the type of data you guys are currently creating?


We don’t actually create or export raw vulnerability data – we import it and then allow you to connect it to other systems.

Right now we can import from:
- IBM Rational AppScan (XML, binary)
- Fortify SCA (internal use only)
- MS CAT.NET
- WhiteHat Sentinel
- FindBugs
- OWASP Orizon
With some other stuff either roughly prototyped or in the works (Ounce Labs/AppScan Source Edition, Mavituna NetSparker, Checkmarx).

Internally the vulnerabilities are represented as Vulnerability objects that have one or more VulnerabilitySourceInfo subclassed objects attached to them.  These can either provide an AttackSurfaceLocation or a CodeLocation depending on whether they are from dynamic or static tool imports.  Each importer typically implements a technology-specific VulnerabilitySourceInfo subclass.  The object model is pretty straightforward and has proven remarkably durable as we’ve written importers for more technologies.

So we can pull in results from a number of static or dynamic analysis tools, attach them to different applications in an application portfolio, de-dupe and merge the results and then use that data to track metrics, auto-generate virtual patches for WAFs and IDS/IPS and combine vulnerabilities to be sent to defect tracking systems as defects and then track the status of those defects in the external systems.  (We can also track SAMM maturity levels for different application development teams, but that isn’t directly related to the vulnerability manipulation stuff we’re talking about.)

So we have some overlap w/ O2 because we have importers for the results of a bunch of different scanning technologies (as does O2), but our app is a multi-user server-side web application to be used by app security managers and app operations personnel whereas O2 is a thick-client tool and more typically targeted at application pen testers and/or code reviewers (please correct me if I’m wrong) so I think for the most part we’re working on somewhat different but related problems.  We’d love to be able to import the results of an analyst’s use of O2 into our portfolio tracking.  We could do this either in an Ounce-compatible format or an “OFS” format.

Does that answer your question?  Or just create new ones?

Thanks,

Dan
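Editor's added illustration of the object model Dan describes above (Vulnerability objects carrying one or more VulnerabilitySourceInfo subclasses, each giving an AttackSurfaceLocation or a CodeLocation, then de-dupe/merge and defect grouping). This is hypothetical example code, not code from Denim Group, OWASP O2 or the e-mail. Class names follow the message; the input record shapes, the category-name normalisation table, the merge key and the sample findings are constructed assumptions.

```python
# Toy model of the import -> merge -> defect-grouping flow described in the
# e-mail.  Hypothetical code; record formats and merge rule are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Tuple, Union


@dataclass(frozen=True)
class AttackSurfaceLocation:
    """Where a dynamic scanner saw the issue: URL path plus parameter."""
    url_path: str
    parameter: str


@dataclass(frozen=True)
class CodeLocation:
    """Where a static analyser saw the issue: source file plus line."""
    file_path: str
    line: int


@dataclass
class VulnerabilitySourceInfo:
    """One tool's view of a finding; each importer uses a subclass."""
    tool: str
    native_id: str  # the finding id inside the tool's own report

    def location(self) -> Union[AttackSurfaceLocation, CodeLocation]:
        raise NotImplementedError


@dataclass
class DynamicSourceInfo(VulnerabilitySourceInfo):
    attack_surface: AttackSurfaceLocation

    def location(self) -> AttackSurfaceLocation:
        return self.attack_surface


@dataclass
class StaticSourceInfo(VulnerabilitySourceInfo):
    code: CodeLocation

    def location(self) -> CodeLocation:
        return self.code


@dataclass
class Vulnerability:
    application: str
    vuln_type: str
    sources: List[VulnerabilitySourceInfo] = field(default_factory=list)


# Constructed mapping from tool-specific category names to one vocabulary,
# so the same bug reported by two scanners merges instead of duplicating.
TYPE_ALIASES = {
    "sqli": "SQL Injection",
    "sql injection": "SQL Injection",
    "xss": "Cross-Site Scripting",
    "cross-site scripting": "Cross-Site Scripting",
}


def normalise_type(name: str) -> str:
    return TYPE_ALIASES.get(name.strip().lower(), name.strip())


# Each importer turns a tool's records into (normalised type, source info).
Finding = Tuple[str, VulnerabilitySourceInfo]


def import_dynamic(tool: str, records: Iterable[dict]) -> List[Finding]:
    """Constructed dynamic-scanner record: {"id", "type", "url", "param"}."""
    return [(normalise_type(r["type"]),
             DynamicSourceInfo(tool, r["id"], AttackSurfaceLocation(r["url"], r["param"])))
            for r in records]


def import_static(tool: str, records: Iterable[dict]) -> List[Finding]:
    """Constructed static-analyser record: {"id", "category", "file", "line"}."""
    return [(normalise_type(r["category"]),
             StaticSourceInfo(tool, r["id"], CodeLocation(r["file"], int(r["line"]))))
            for r in records]


Report = Tuple[str, Callable[[str, Iterable[dict]], List[Finding]], List[dict]]


def merge_results(application: str, reports: Iterable[Report]) -> List[Vulnerability]:
    """De-dupe rule (assumption): findings with the same application, normalised
    type and location collapse into one Vulnerability with several sources."""
    merged: Dict[tuple, Vulnerability] = {}
    for tool, importer, records in reports:
        for vuln_type, info in importer(tool, records):
            key = (application, vuln_type, info.location())
            merged.setdefault(key, Vulnerability(application, vuln_type)).sources.append(info)
    return list(merged.values())


def group_for_defects(vulns: Iterable[Vulnerability]) -> List[dict]:
    """Combine all vulnerabilities of one type in one app into a single defect payload."""
    defects: Dict[tuple, dict] = {}
    for v in vulns:
        d = defects.setdefault((v.application, v.vuln_type),
                               {"title": f"{v.vuln_type} in {v.application}",
                                "locations": [], "tools": set()})
        for s in v.sources:
            d["locations"].append(s.location())
            d["tools"].add(s.tool)
    return list(defects.values())


SAMPLE_REPORTS: List[Report] = [  # constructed sample findings, not real scanner output
    ("dyn-scanner-a", import_dynamic, [
        {"id": "A-1", "type": "SQLi", "url": "/login", "param": "user"},
        {"id": "A-2", "type": "XSS", "url": "/search", "param": "q"},
    ]),
    ("dyn-scanner-b", import_dynamic, [
        {"id": "B-7", "type": "SQL Injection", "url": "/login", "param": "user"},
    ]),
    ("static-analyser", import_static, [
        {"id": "S-42", "category": "sql injection", "file": "src/Login.java", "line": 88},
    ]),
]

if __name__ == "__main__":
    for v in merge_results("webshop", SAMPLE_REPORTS):
        print(v.vuln_type, v.sources[0].location(), [s.tool for s in v.sources])
```

The point worth noticing is where the de-dupe happens: two dynamic scanners reporting the same type at the same URL/parameter become one Vulnerability with two VulnerabilitySourceInfo records, while the static finding for the same bug class stays a separate Vulnerability (its CodeLocation cannot be equated with a URL without extra correlation), yet all three still roll up into one defect for the tracking system.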
