[Owasp-o2-platform] Proposed workflow for breaking and analysing FVDL Files

Dinis Cruz dinis at ddplus.net
Fri Jul 29 23:50:52 EDT 2011


Following the multiple blog entries posted about O2's support for Fortify's
FVDL <http://o2platform.wordpress.com/category/tools/fortify/>, here is a
description (sent to me by an O2 user) of a use-case that O2 should support:

I would shoot for the ability to disposition large *.fpr/*.fvdl files.

Here is a typical workflow:

1. Scan is run on the code base, generating an *.fpr file.

2. Code reviewers receive the file, but because it is too large it cannot
be opened by Fortify's tool.

3. Code reviewer uses O2 to open the file and disposition or suppress
issues by Category (XSS, SQL Injection, Path Tampering, etc.).

4. Code reviewer then saves dispositions to the *.fpr file.

5. The *.fpr is saved, and on a subsequent scan of the same application
the new.fpr file is merged with the old.fpr file.

6. The code reviewer works on the merged.fpr to disposition items.

7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment
processes rely on merging the old fpr with the new *.fpr/*.fvdl on
subsequent re-reviews.

Next step is to write a script (or scripts) to implement this workflow, and
to figure out the best GUIs to enable it.

Dinis Cruz
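As an added illustration of the use-case above (example code written for this page, not O2's implementation and not the user's), the script below walks steps 3 to 6 of that workflow: open a scan, disposition a whole category at once, merge a later scan with the earlier one, and list what is still pending. It assumes a constructed, heavily simplified FVDL-like XML fragment (only ClassInfo/Type, InstanceInfo/InstanceID and a SourceLocation are kept; real FVDL is the audit.fvdl entry inside the .fpr zip with a namespaced, much larger schema), and it keeps dispositions in a plain dict keyed by InstanceID rather than in Fortify's own audit format. The InstanceIDs, file names and categories in the sample scans are made up.

```python
"""Disposition-and-merge workflow over FVDL-style data.

Added example, not O2 code and not Fortify's format: the XML here is a
constructed, simplified FVDL-like fragment. Real FVDL is the audit.fvdl
entry inside the .fpr zip and uses a namespaced, far larger schema, and
real Fortify dispositions are stored separately from the FVDL; here they
are a plain dict keyed by InstanceID.
"""
import xml.etree.ElementTree as ET
from collections import Counter


def make_fvdl(entries):
    """Build a constructed FVDL-like document from (id, category, path, line) tuples."""
    vulns = "".join(
        "<Vulnerability>"
        f"<ClassInfo><Type>{cat}</Type></ClassInfo>"
        f"<InstanceInfo><InstanceID>{iid}</InstanceID></InstanceInfo>"
        f'<AnalysisInfo><SourceLocation path="{path}" line="{line}"/></AnalysisInfo>'
        "</Vulnerability>"
        for iid, cat, path, line in entries
    )
    return f"<FVDL><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>"


# Constructed sample scans. InstanceIDs are made up (real ones are hashes).
OLD_SCAN = make_fvdl([
    ("A1", "Cross-Site Scripting", "Search.jsp", 42),
    ("B2", "Cross-Site Scripting", "Profile.jsp", 17),
    ("C3", "SQL Injection", "UserDao.java", 88),
    ("D4", "Path Manipulation", "Download.java", 31),
])
NEW_SCAN = make_fvdl([  # second scan: C3 was fixed, E5 and F6 are new
    ("A1", "Cross-Site Scripting", "Search.jsp", 42),
    ("B2", "Cross-Site Scripting", "Profile.jsp", 17),
    ("D4", "Path Manipulation", "Download.java", 31),
    ("E5", "Cross-Site Scripting", "Admin.jsp", 9),
    ("F6", "SQL Injection", "ReportDao.java", 120),
])


def load_issues(xml_text):
    """Step 3 (open): parse every <Vulnerability> into {InstanceID: details}.
    A file too large for memory would use ET.iterparse; fromstring is enough here."""
    root = ET.fromstring(xml_text)
    issues = {}
    for vuln in root.iter("Vulnerability"):
        loc = vuln.find("AnalysisInfo/SourceLocation")
        issues[vuln.findtext("InstanceInfo/InstanceID")] = {
            "category": vuln.findtext("ClassInfo/Type"),
            "path": loc.get("path"),
            "line": int(loc.get("line")),
        }
    return issues


def count_by_category(issues):
    """Category totals, so the reviewer can pick the bucket to disposition first."""
    return Counter(i["category"] for i in issues.values())


def disposition_category(issues, dispositions, category, status, note):
    """Step 3 (disposition by category): mark every not-yet-dispositioned issue of
    `category` with the same status. Returns how many issues were marked."""
    marked = 0
    for iid, issue in issues.items():
        if issue["category"] == category and iid not in dispositions:
            dispositions[iid] = {"status": status, "note": note}
            marked += 1
    return marked


def merge_scans(old_issues, new_issues, old_dispositions):
    """Step 5 (merge): the new scan decides which issues still exist; dispositions
    are carried over by InstanceID only for issues that are still present."""
    carried = {iid: d for iid, d in old_dispositions.items() if iid in new_issues}
    stats = {
        "carried": len(carried),
        "new": sorted(set(new_issues) - set(old_issues)),
        "removed": sorted(set(old_issues) - set(new_issues)),
    }
    return dict(new_issues), carried, stats


def pending(issues, dispositions):
    """Step 6: what the reviewer still has to look at on the merged result."""
    return sorted(iid for iid in issues if iid not in dispositions)


if __name__ == "__main__":
    old, new = load_issues(OLD_SCAN), load_issues(NEW_SCAN)
    print("old scan by category:", dict(count_by_category(old)))
    disp = {}
    n = disposition_category(old, disp, "Cross-Site Scripting", "Not an Issue",
                             "output is encoded by the view framework")
    print(f"dispositioned {n} XSS findings")
    merged, disp, stats = merge_scans(old, new, disp)
    print("merge:", stats)
    print("still pending:", pending(merged, disp))
```

The merge deliberately keys on InstanceID rather than on category, so a new XSS instance found in the second scan (E5 here) comes back as pending even though the category was dispositioned earlier; re-applying the category rule to the merged result is a separate, explicit decision the reviewer makes, which is the point of step 6.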