[Owasp-o2-platform] Proposed workflow for breaking and analysing FVDL Files
dinis at ddplus.net
Fri Jul 29 23:50:52 EDT 2011
Following the multiple blog entries posted about O2's support for Fortify's
FVDL <http://o2platform.wordpress.com/category/tools/fortify/>, here is a
description (sent to me by an O2 user) of a use-case that O2 should support:
I would shoot for the ability to disposition large *.fpr/*.fvdl files.
Here is a typical workflow:
1. Scan is run on the code base, generating an *.fpr file.
2. Code reviewers receive the file but, because it is too large, it cannot
be opened by Fortify's tool.
3. Code reviewer uses O2 to open the file and disposition or suppress
issues by Category (XSS, SQL Injection, Path Tampering, etc.).
4. Code reviewer then saves dispositions to the *.fpr file.
5. The *.fpr is saved and, on a subsequent scan of the same application,
the new.fpr file is merged with the old.fpr file.
6. The code reviewer works on the merged.fpr to disposition items.
7. Wash, rinse, repeat.
The data needs to be stored in the *.fpr file because most code assessment
processes rely on merging the old *.fpr with the new *.fpr/*.fvdl on
The next step is to write a script (or scripts) to implement this workflow,
and to try to figure out the best GUIs to enable it.
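Below is a worked sketch of steps 1 to 7 of that workflow, written for this post as an added example; it is not O2 code and not Fortify's own merge logic. It assumes an .fpr is a ZIP containing audit.fvdl, that vulnerabilities sit under FVDL/Vulnerabilities/Vulnerability with ClassInfo/Type, ClassInfo/Subtype and InstanceInfo/InstanceID, and that Fortify's category is Type plus ": Subtype" when a subtype exists; the namespace string, the "o2-dispositions.json" member name and its JSON layout are assumptions made for the example and are not Fortify's audit.xml format. The FVDL is parsed with iterparse so a file too large for the vendor GUI is never loaded as a whole DOM, dispositions are keyed by InstanceID so they survive the old/new merge, and a reviewer's per-instance decision is never overwritten by a category-wide rule. The two scans used as input are constructed inline.

```python
"""Disposition-and-merge workflow over FVDL/FPR files (added example, not O2 code).
Assumptions (not checked against Fortify's schema): .fpr = ZIP holding audit.fvdl;
issues under Vulnerabilities/Vulnerability with ClassInfo/Type, ClassInfo/Subtype,
InstanceInfo/InstanceID; category = Type + ": " + Subtype when present. The
dispositions member name and its JSON layout are invented here (NOT audit.xml)."""
import io
import json
import zipfile
import xml.etree.ElementTree as ET
from collections import Counter

FVDL_NS = "xmlns://www.fortifysoftware.com/schema/fvdl"   # assumed FVDL namespace
NS = {"f": FVDL_NS}
DISPOSITIONS_MEMBER = "o2-dispositions.json"               # hypothetical member name


def iter_issues(fvdl_bytes):
    """Stream Vulnerability elements so a huge FVDL is never held as a full DOM."""
    vuln_tag = "{%s}Vulnerability" % FVDL_NS
    for _, elem in ET.iterparse(io.BytesIO(fvdl_bytes), events=("end",)):
        if elem.tag != vuln_tag:
            continue
        def text(path):
            node = elem.find(path, NS)
            return (node.text or "").strip() if node is not None else ""
        category = text("f:ClassInfo/f:Type")
        subtype = text("f:ClassInfo/f:Subtype")
        if subtype:
            category += ": " + subtype
        yield {"instance_id": text("f:InstanceInfo/f:InstanceID"),
               "category": category,
               "severity": text("f:InstanceInfo/f:InstanceSeverity")}
        elem.clear()  # drop the subtree; only the small summary dict is kept


def load_fpr(fpr_bytes):
    """Open an .fpr ZIP: return (issues, stored dispositions or {})."""
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        issues = list(iter_issues(zf.read("audit.fvdl")))
        stored = {}
        if DISPOSITIONS_MEMBER in zf.namelist():
            stored = json.loads(zf.read(DISPOSITIONS_MEMBER))
    return issues, stored


def disposition_by_category(issues, rules, existing=None):
    """Step 3: apply {category: analysis} rules to issues that have no decision yet.
    An explicit per-instance decision always beats a blanket category rule."""
    result = dict(existing or {})
    for issue in issues:
        iid = issue["instance_id"]
        analysis = rules.get(issue["category"])
        if iid not in result and analysis is not None:
            result[iid] = {"analysis": analysis, "category": issue["category"],
                           "suppressed": analysis == "Not an Issue"}
    return result


def merge_scans(old_dispositions, new_issues):
    """Step 5: carry decisions forward by InstanceID into the new scan.
    Returns (carried dispositions, carried ids, new ids, fixed ids)."""
    new_ids = {i["instance_id"] for i in new_issues}
    carried = {iid: d for iid, d in old_dispositions.items() if iid in new_ids}
    fixed = sorted(set(old_dispositions) - new_ids)      # in old scan only
    fresh = sorted(new_ids - set(old_dispositions))      # never reviewed before
    return carried, sorted(carried), fresh, fixed


def save_fpr(fvdl_bytes, dispositions):
    """Step 4: write an .fpr holding the untouched audit.fvdl plus the decisions."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl_bytes)
        zf.writestr(DISPOSITIONS_MEMBER, json.dumps(dispositions, indent=1))
    return buf.getvalue()


def category_counts(issues):
    return Counter(i["category"] for i in issues)


def make_fvdl(instances):
    """Constructed, simplified FVDL used as sample input (not a real scan)."""
    vulns = "".join(
        "<Vulnerability><ClassInfo><Type>%s</Type>%s</ClassInfo><InstanceInfo>"
        "<InstanceID>%s</InstanceID><InstanceSeverity>%s</InstanceSeverity>"
        "</InstanceInfo></Vulnerability>"
        % (t, "<Subtype>%s</Subtype>" % st if st else "", iid, sev)
        for iid, t, st, sev in instances)
    return ('<?xml version="1.0"?><FVDL xmlns="%s"><Vulnerabilities>%s'
            '</Vulnerabilities></FVDL>' % (FVDL_NS, vulns)).encode()


OLD_SCAN = make_fvdl([("A1", "Cross-Site Scripting", "Reflected", "3.0"),
                      ("A2", "SQL Injection", "", "4.0"),
                      ("A3", "Path Manipulation", "", "3.0")])
NEW_SCAN = make_fvdl([("A1", "Cross-Site Scripting", "Reflected", "3.0"),  # A3 fixed,
                      ("A2", "SQL Injection", "", "4.0"),                   # A4 is new
                      ("A4", "Cross-Site Scripting", "Reflected", "3.0")])
RULES = {"Cross-Site Scripting: Reflected": "Exploitable",
         "Path Manipulation": "Not an Issue"}


def run_workflow():
    """Steps 1-7 end to end; returns the merged decisions and the merge report."""
    old_issues, _ = load_fpr(save_fpr(OLD_SCAN, {}))
    old_disp = disposition_by_category(old_issues, RULES)
    old_disp["A2"] = {"analysis": "Exploitable", "category": "SQL Injection",
                      "suppressed": False}           # manual per-instance decision
    _, stored = load_fpr(save_fpr(OLD_SCAN, old_disp))   # round-trip through the .fpr
    new_issues, _ = load_fpr(save_fpr(NEW_SCAN, {}))
    carried, carried_ids, fresh, fixed = merge_scans(stored, new_issues)
    merged = disposition_by_category(new_issues, RULES, existing=carried)
    return merged, {"carried": carried_ids, "new": fresh, "fixed": fixed}


if __name__ == "__main__":
    merged, report = run_workflow()
    print(report)
    for iid, d in sorted(merged.items()):
        print(iid, d["category"], d["analysis"], "(suppressed)" if d["suppressed"] else "")
```

Running it reports A1 and A2 carried forward, A3 fixed (dropped from the new scan) and A4 as the one new finding, which the reflected-XSS rule then dispositions automatically; the reviewer only has to look at what the merge report marks as new.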