[Owasp-o2-platform] Proposed workflow for breaking and analysing FVDL Files

Alvaro Muñoz alvaro.picapau at gmail.com
Sat Jul 30 09:44:11 EDT 2011

The only problem I see is that the FPR file is signed, so nobody modifies it.


On 30/07/2011, at 15:39, Dinis Cruz <dinis at ddplus.net> wrote:

Following the multiple blog entries posted about O2's support for Fortify's
FVDL <http://o2platform.wordpress.com/category/tools/fortify/>, here is a
description of a use-case that O2 should support (sent to me by an O2 user):

I would shoot for the ability to disposition large *.fpr/*.fvdl files.
Here is a typical workflow:

1. Scan is run on the code base, generating an *.fpr file.

2. Code reviewers receive the file, but because it is too large it cannot
be opened by Fortify's tool.

3. Code reviewer uses O2 to open the file and disposition or suppress
issues by Category (XSS, SQL Injection, Path Tampering, etc.).

4. Code reviewer then saves dispositions to the *.fpr file.

5. The *.fpr is saved and, on a subsequent scan of the same application,
the new.fpr file is merged with the old.fpr file.

6. The code reviewer works on the merged.fpr to disposition items.

7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment
processes rely on merging the old *.fpr with the new *.fpr/*.fvdl on
subsequent re-reviews.

The next step(s) is to write script(s) to implement this workflow, and to try
to figure out the best GUIs to enable it.

Dinis Cruz

Owasp-o2-platform mailing list
Owasp-o2-platform at lists.owasp.org
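A sketch of steps 3 through 6 of the quoted workflow in Python, added here as an example that is not O2 or Fortify code: it parses the audit.fvdl XML that an .fpr archive contains, applies one disposition to every finding of a category, and carries dispositions across scans keyed on InstanceID. The FVDL element names and namespace are assumed from that layout, the two sample documents are constructed, and the script only reads, since writing back into a signed .fpr is exactly the problem raised in the reply.

```python
import xml.etree.ElementTree as ET

# audit.fvdl inside an .fpr declares this default namespace (assumed here).
NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}

# Constructed sample scans (not real Fortify output): the XSS finding AAA1
# survives into the second scan, the SQLi finding BBB2 disappears, and a new
# Path Manipulation finding CCC3 appears.
OLD_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
 <Vulnerabilities>
  <Vulnerability><ClassInfo><Type>Cross-Site Scripting</Type></ClassInfo>
   <InstanceInfo><InstanceID>AAA1</InstanceID></InstanceInfo></Vulnerability>
  <Vulnerability><ClassInfo><Type>SQL Injection</Type></ClassInfo>
   <InstanceInfo><InstanceID>BBB2</InstanceID></InstanceInfo></Vulnerability>
 </Vulnerabilities></FVDL>"""
NEW_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl">
 <Vulnerabilities>
  <Vulnerability><ClassInfo><Type>Cross-Site Scripting</Type></ClassInfo>
   <InstanceInfo><InstanceID>AAA1</InstanceID></InstanceInfo></Vulnerability>
  <Vulnerability><ClassInfo><Type>Path Manipulation</Type></ClassInfo>
   <InstanceInfo><InstanceID>CCC3</InstanceID></InstanceInfo></Vulnerability>
 </Vulnerabilities></FVDL>"""

def load_issues(fvdl_text):
    """Map each finding's InstanceID to its category (ClassInfo/Type)."""
    root = ET.fromstring(fvdl_text)
    issues = {}
    for vuln in root.findall(".//f:Vulnerability", NS):
        iid = vuln.findtext("f:InstanceInfo/f:InstanceID", namespaces=NS)
        issues[iid] = vuln.findtext("f:ClassInfo/f:Type", namespaces=NS)
    return issues

def disposition_by_category(issues, decisions):
    """Step 3: apply one disposition to every finding of a category.
    decisions maps category -> disposition text; returns InstanceID -> disposition."""
    return {iid: decisions[cat] for iid, cat in issues.items() if cat in decisions}

def merge_dispositions(old_audit, new_issues):
    """Steps 5-6: carry a disposition forward only while its InstanceID is still
    reported; dispositions of vanished findings are dropped and new findings stay
    untriaged. Returns (carried_dispositions, untriaged_instance_ids)."""
    carried = {iid: d for iid, d in old_audit.items() if iid in new_issues}
    untriaged = sorted(iid for iid in new_issues if iid not in carried)
    return carried, untriaged

if __name__ == "__main__":
    audit = disposition_by_category(load_issues(OLD_FVDL),
                                    {"Cross-Site Scripting": "Not an Issue"})
    print(merge_dispositions(audit, load_issues(NEW_FVDL)))
```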