[Owasp-o2-platform] Proposed workflow for breaking and analysing FVDL Files

Dinis Cruz dinis at ddplus.net
Mon Aug 1 11:20:12 EDT 2011


Ahh, interesting, well, I don't have a working copy of Fortify here, so it's
up to you guys to figure out a way around this.

So what happens? Does the Fortify Audit Workbench refuse to load a modified
FVDL?

Btw, what is Fortify's view on this? Surely there are very valid use-cases
where the FVDLs need to be manipulated directly (for example as part of a
build script).

Dinis



On Sat, Jul 30, 2011 at 2:44 PM, Alvaro Muñoz <alvaro.picapau at gmail.com>wrote:

> The only problem I see is that the FPR file is signed so nobody modifies it
>
> A.
>
> El 30/07/2011, a las 15:39, Dinis Cruz <dinis at ddplus.net> escribió:
>
> Following the multiple blog entries posted about O2's support for
> Fortify's FVDL <http://o2platform.wordpress.com/category/tools/fortify/>,
> (sent to me by an O2 user) here is a description of a use-case that O2
> should support:
>
> I would shoot for the ability to disposition large *.fpr/*.fvdl files.
>
> Here is a typical workflow:
>
>
> 1. Scan is run on the code base, generating an *.fpr file.
>
> 2. Code reviewers receive the file, but because it is too large it
> cannot be opened by Fortify's tool.
>
> 3. Code reviewer uses O2 to open the file and disposition or suppress
> issues by Category (XSS, SQL Injection, Path Tampering, etc.).
>
> 4. Code reviewer then saves dispositions to the *.fpr file.
>
> 5. The *.fpr is saved, and on a subsequent scan of the same
> application the new.fpr file is merged with the old.fpr file.
>
> 6. The code reviewer works on the merged.fpr to disposition items.
>
> 7. Wash, rinse, repeat.
>
>
> The data needs to be stored in the *.fpr file because most code assessment
> processes rely on merging the old fpr with the new *.fpr/*.fvdl on
> subsequent re-reviews.
>
> Next step(s) is to write a script(s) to implement this workflow, and try to
> figure the best GUIs to enable it.
>
> Dinis Cruz
>
> _______________________________________________
> Owasp-o2-platform mailing list
> Owasp-o2-platform at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-o2-platform
>
>
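The workflow quoted above (stream a scan result too large to open in the vendor tool, disposition issues in bulk by category, then carry those dispositions forward onto the next scan) can be sketched in Python. This is an added example written for this page; it is not O2 platform code and not Fortify's own format. The element names (<Vulnerability>, <Category>, <File>, <Line>) and the id attribute are a constructed, simplified stand-in for the real FVDL schema, which the thread does not show, and the sample scans are constructed inline.

```python
"""Added example (not O2 platform or Fortify code): triage an FVDL-style XML
scan result by category without loading the whole document, then carry
reviewer dispositions forward across scans.

ASSUMPTION: the element names and the id attribute below are a constructed,
simplified stand-in for the real FVDL schema, which the thread does not show.
"""
import io
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed first scan (simplified stand-in, not real FVDL output).
SAMPLE_SCAN = b"""<Scan>
  <Vulnerabilities>
    <Vulnerability id="A1"><Category>Cross-Site Scripting</Category><File>a.jsp</File><Line>10</Line></Vulnerability>
    <Vulnerability id="B1"><Category>SQL Injection</Category><File>dao.java</File><Line>42</Line></Vulnerability>
    <Vulnerability id="C1"><Category>Path Manipulation</Category><File>f.java</File><Line>7</Line></Vulnerability>
    <Vulnerability id="A2"><Category>Cross-Site Scripting</Category><File>b.jsp</File><Line>5</Line></Vulnerability>
  </Vulnerabilities>
</Scan>"""

# Constructed re-scan of the same application: A1 and C1 were fixed, D1 is new.
SAMPLE_RESCAN = b"""<Scan>
  <Vulnerabilities>
    <Vulnerability id="B1"><Category>SQL Injection</Category><File>dao.java</File><Line>42</Line></Vulnerability>
    <Vulnerability id="A2"><Category>Cross-Site Scripting</Category><File>b.jsp</File><Line>5</Line></Vulnerability>
    <Vulnerability id="D1"><Category>SQL Injection</Category><File>rep.java</File><Line>88</Line></Vulnerability>
  </Vulnerabilities>
</Scan>"""


def iter_issues(xml_bytes):
    """Stream <Vulnerability> elements one at a time, so a file too large for
    the GUI never has to be fully resident in memory."""
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("end",)):
        if elem.tag == "Vulnerability":
            yield {
                "id": elem.get("id"),
                "category": elem.findtext("Category"),
                "file": elem.findtext("File"),
                "line": int(elem.findtext("Line")),
            }
            elem.clear()  # release the consumed subtree


def count_by_category(xml_bytes):
    """Step 3 helper: how many findings per category are there to triage?"""
    return Counter(issue["category"] for issue in iter_issues(xml_bytes))


def disposition_by_category(xml_bytes, rules):
    """Step 3: rules maps category -> disposition text. Returns
    {issue_id: disposition} for every finding in a dispositioned category;
    findings in other categories are left for manual review."""
    return {
        issue["id"]: rules[issue["category"]]
        for issue in iter_issues(xml_bytes)
        if issue["category"] in rules
    }


def merge_dispositions(old_dispositions, new_scan_bytes):
    """Step 5: carry the previous review's dispositions onto the new scan,
    matched on the (assumed stable) issue id. Returns (carried, fresh_ids):
    carried keeps the old verdicts, fresh_ids lists findings needing review."""
    carried, fresh_ids = {}, []
    for issue in iter_issues(new_scan_bytes):
        if issue["id"] in old_dispositions:
            carried[issue["id"]] = old_dispositions[issue["id"]]
        else:
            fresh_ids.append(issue["id"])
    return carried, fresh_ids


if __name__ == "__main__":
    print(count_by_category(SAMPLE_SCAN))
    first_review = disposition_by_category(SAMPLE_SCAN, {"Cross-Site Scripting": "Not an Issue"})
    print(first_review)
    print(merge_dispositions(first_review, SAMPLE_RESCAN))
```

The merge step is the one that matters for the point raised earlier in the thread: the dispositions only survive a re-scan if they are keyed on an identifier the next scan reproduces, and if the signed container the vendor tool reads can still be updated with them, which is a Fortify question rather than one this script can answer.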