[Owasp-o2-platform] Proposed workflow for breaking and analysing FVDL Files
alvaro.picapau at gmail.com
Sat Jul 30 09:44:11 EDT 2011
The only problem I see is that the FPR file is signed so nobody modifies it
El 30/07/2011, a las 15:39, Dinis Cruz <dinis at ddplus.net> escribió:
Following the multiple blog entries posted about O2's support for Fortify's
FVDL <http://o2platform.wordpress.com/category/tools/fortify/>, (sent to me
by an O2 user) here is a description of a use-case that O2 should support:
I would shoot for the ability to disposition large *.fpr/*.fvdl files.
Here is a typical workflow:
1. Scan is run on the code base, generating an *.fpr file.
2. Code reviewers receive the file, but because it is too large it cannot
be opened by Fortify's tool.
3. Code reviewer uses O2 to open the file and disposition or suppress
issues by Category (XSS, SQL Injection, Path Tampering, etc.).
4. Code reviewer then saves dispositions to the *.fpr file.
5. The *.fpr is saved, and on a subsequent scan of the same application
the new.fpr file is merged with the old.fpr file.
6. The code reviewer works on the merged.fpr to disposition items.
7. Wash, rinse, repeat.
The data needs to be stored in the *.fpr file because most code assessment
processes rely on merging the old fpr with the new *.fpr/*.fvdl on
Next step(s): write script(s) to implement this workflow, and try to
figure out the best GUIs to enable it.
Owasp-o2-platform mailing list
Owasp-o2-platform at lists.owasp.org
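The workflow above, as an added example that is not part of the original thread and is not O2's or Fortify's code. It assumes the FPR container is a zip holding an `audit.fvdl` XML document shaped like `Vulnerabilities/Vulnerability/ClassInfo/Type` plus `InstanceInfo/InstanceID` under the namespace shown; the sample FPRs are constructed in memory. It streams the FVDL with `iterparse` so a file too large for a GUI can still be read, applies one disposition to a whole category (step 3), and carries dispositions forward into a later scan by instance id (step 5). Dispositions are kept in a separate structure rather than written back into the signed FPR, which is the concern raised in the reply.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumed FVDL namespace and element layout; check against a real audit.fvdl
# before relying on these paths.
NS = "xmlns://www.fortifysoftware.com/schema/fvdl"


def make_fvdl(issues):
    """Build a minimal FVDL-like XML string from (instance_id, category) pairs (constructed)."""
    vulns = "".join(
        f"<Vulnerability><ClassInfo><Type>{cat}</Type></ClassInfo>"
        f"<InstanceInfo><InstanceID>{iid}</InstanceID></InstanceInfo></Vulnerability>"
        for iid, cat in issues
    )
    return f'<FVDL xmlns="{NS}"><Vulnerabilities>{vulns}</Vulnerabilities></FVDL>'


def make_fpr(fvdl_xml):
    """Pack the FVDL into an in-memory zip mirroring the assumed FPR container layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("audit.fvdl", fvdl_xml)
    return buf.getvalue()


def load_issues(fpr_bytes):
    """Stream audit.fvdl out of the FPR and return {instance_id: category}.

    iterparse plus elem.clear() keeps memory flat, so a multi-GB FVDL that
    a desktop GUI cannot open is still processable.
    """
    issues = {}
    with zipfile.ZipFile(io.BytesIO(fpr_bytes)) as zf:
        with zf.open("audit.fvdl") as f:
            for _, elem in ET.iterparse(f, events=("end",)):
                if elem.tag == f"{{{NS}}}Vulnerability":
                    iid = elem.findtext(f"{{{NS}}}InstanceInfo/{{{NS}}}InstanceID")
                    cat = elem.findtext(f"{{{NS}}}ClassInfo/{{{NS}}}Type")
                    issues[iid] = cat
                    elem.clear()
    return issues


def by_category(issues):
    """Group instance ids by category so the reviewer can work category-by-category."""
    groups = defaultdict(list)
    for iid, cat in issues.items():
        groups[cat].append(iid)
    return {cat: sorted(ids) for cat, ids in groups.items()}


def disposition_category(issues, category, status):
    """Step 3: apply one disposition to every instance of a category."""
    return {iid: status for iid, cat in issues.items() if cat == category}


def merge_dispositions(old_dispositions, new_issues):
    """Step 5: carry forward dispositions whose instance id still appears in the
    new scan; everything else is fresh work for the reviewer."""
    carried = {iid: s for iid, s in old_dispositions.items() if iid in new_issues}
    pending = sorted(iid for iid in new_issues if iid not in carried)
    return carried, pending


def demo():
    """Run the workflow over two constructed scans and return the merge result."""
    old_fpr = make_fpr(make_fvdl([("A1", "XSS"), ("A2", "XSS"), ("B1", "SQL Injection")]))
    old_issues = load_issues(old_fpr)
    dispositions = disposition_category(old_issues, "XSS", "suppressed")
    # Second scan: A2 was fixed, C1 is new.
    new_fpr = make_fpr(make_fvdl([("A1", "XSS"), ("B1", "SQL Injection"), ("C1", "Path Manipulation")]))
    new_issues = load_issues(new_fpr)
    carried, pending = merge_dispositions(dispositions, new_issues)
    return by_category(new_issues), carried, pending


if __name__ == "__main__":
    print(demo())
```

Matching on the instance id is the simplest merge key; a real merge also has to cope with ids that shift when code moves, which the example does not attempt.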