Talk:Summit 2011/Open letter to WebAppSec Tool and Services vendors: Release your schemas and allow automation

From OWASP

Rather than re-invent the wheel I suggest that OWASP start with the work that has been already done in this space.

1. There is already an open standard available for intermediate representations:

http://www.omg.org/technology/kdm/index.htm

Knowledge Discovery Metamodel (KDM) is a publicly available specification from the Object Management Group (OMG). KDM is a common intermediate representation for existing software systems and their operating environments that defines common metadata required for deep semantic integration of Application Lifecycle Management tools.

2. There has been DHS funded work on standardizing output. Sean has already done the work of collecting schemas from analysis vendors.

Software Assurance Findings Expression Schema (SAFES) Framework Sean Barnum, MITRE https://buildsecurityin.us-cert.gov/swa/presentations_201003/03/12%20Product-Benchmarking%20panel%20-%20SAFES%20-%20SwA%20Forum%20-%20Mar%202010%20-%20(Barnum).pdf

3. There has been some academic work on defining software model query rules.

PQL: Program Query Language http://suif.stanford.edu/~jwhaley/papers/pods05.ppt http://pql.sourceforge.net/
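The point behind item 2 (a standardized findings format such as SAFES) is that once every tool emits its results in a shape the consumer can predict, cross-tool comparison and deduplication can be scripted instead of done by hand. The script below is an added illustration of that, not code from OWASP, MITRE or any vendor: the two scanner reports are constructed here, the tool names VendorA/VendorB are hypothetical, and the common Finding record is a deliberately minimal layout, not the SAFES schema.

```python
"""Added example: normalise two differently shaped (constructed) scanner
reports into one common finding record, then merge them so that findings
reported by more than one tool can be identified automatically.
The Finding layout is a hypothetical minimum, not the SAFES schema."""
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed report from a hypothetical "VendorA" tool (XML).
VENDOR_A_XML = """<?xml version="1.0"?>
<scan tool="VendorA">
  <issue id="1" severity="High" cwe="79">
    <url>http://app.example/search?q=</url>
    <param>q</param>
    <desc>Reflected XSS</desc>
  </issue>
  <issue id="2" severity="Medium" cwe="89">
    <url>http://app.example/login</url>
    <param>user</param>
    <desc>SQL injection</desc>
  </issue>
</scan>
"""

# Constructed report from a hypothetical "VendorB" tool (JSON).
VENDOR_B_JSON = """{
  "tool": "VendorB",
  "findings": [
    {"name": "Cross-site scripting", "risk": 3, "cwe_id": "CWE-79",
     "location": {"uri": "http://app.example/search", "parameter": "q"}},
    {"name": "Missing HttpOnly flag", "risk": 1, "cwe_id": "CWE-1004",
     "location": {"uri": "http://app.example/login", "parameter": null}}
  ]
}
"""

# VendorA uses words for severity; VendorB uses 1..3. Map both onto 1..3.
SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Finding:
    tool: str
    cwe: int
    uri: str        # URL with the query string stripped
    parameter: str  # "" when the finding is not tied to a parameter
    severity: int   # 1 = low .. 3 = high
    title: str


def _norm_uri(uri):
    # Tools disagree on whether the query string is part of the location;
    # strip it so the same endpoint keys the same way from every tool.
    return uri.split("?", 1)[0]


def parse_vendor_a(xml_text):
    root = ET.fromstring(xml_text)
    return [
        Finding(
            tool=root.get("tool"),
            cwe=int(issue.get("cwe")),
            uri=_norm_uri(issue.findtext("url")),
            parameter=issue.findtext("param") or "",
            severity=SEVERITY[issue.get("severity").lower()],
            title=issue.findtext("desc"),
        )
        for issue in root.findall("issue")
    ]


def parse_vendor_b(json_text):
    doc = json.loads(json_text)
    return [
        Finding(
            tool=doc["tool"],
            cwe=int(f["cwe_id"].split("-", 1)[1]),
            uri=_norm_uri(f["location"]["uri"]),
            parameter=f["location"]["parameter"] or "",
            severity=int(f["risk"]),
            title=f["name"],
        )
        for f in doc["findings"]
    ]


def merge(findings):
    """Group by (cwe, uri, parameter); keep the highest severity seen and
    record which tools reported each group."""
    merged = {}
    for f in findings:
        key = (f.cwe, f.uri, f.parameter)
        entry = merged.setdefault(key, {"severity": 0, "tools": set(), "titles": set()})
        entry["severity"] = max(entry["severity"], f.severity)
        entry["tools"].add(f.tool)
        entry["titles"].add(f.title)
    return merged


def corroborated(merged, min_tools=2):
    """Keys reported by at least min_tools different tools (lowest false-positive risk)."""
    return [k for k, v in merged.items() if len(v["tools"]) >= min_tools]


if __name__ == "__main__":
    groups = merge(parse_vendor_a(VENDOR_A_XML) + parse_vendor_b(VENDOR_B_JSON))
    for key, v in groups.items():
        print(key, "severity", v["severity"], "tools", sorted(v["tools"]))
    print("corroborated:", corroborated(groups))
```

Without an agreed schema every one of the per-vendor parsers above has to be written and maintained by the consumer, and the normalisation choices (query-string stripping, severity mapping, the CWE-ID form) are guesses that break when a vendor changes its output; a published schema moves those decisions to the producer side, which is what the open letter asks for.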