
List:       spike
Subject:    Re: RES: [Spike] Re: Just joined the list
From:       Mark Curphey <mark () curphey ! com>
Date:       2002-11-22 18:38:48

The VulnXML app works with three roles. A user who can submit a check, a
QA engineer whose responsibility it is to ensure it's a valid check and that
it works and an approver who sends it from the candidate queue to
production database.

When we launch this project we expect to get a team of about 20 QA
engineers. Some of them will be dedicated to monitoring say bugtraq and
converting alerts from that forum to vulnxml.

If you want to join as a QA engineer let me know and I will get you in
touch with the project manager.


On Fri, 2002-11-22 at 11:13, Mads Rasmussen wrote:
> > -----Original Message-----
> > From: Mark Curphey [mailto:mark@curphey.com]
> > Sent: Friday, November 22, 2002 14:22
> > To: spike@immunitysec.com
> > Subject: [Spike] Re: Just joined the list
> > 
> > OWASP are building (and nearly completed) an online database of VulnXML
> > checks.
> > The database will be integrated into an owasp portal which is also in
> > development and scheduled for January deployment.
> 
> I really look forward to this - also the work on the framework for
> testing seems really nice.
> I have tried to get a draft but so far to no avail :(
>  
> > Essentially anyone can go to the database and submit a check by completing
> > an online form or uploading a validated xml document. The check will go
> > through a QA workflow process and be released into a production data feed
> > (tar.gz file for now). The aim is that we can all start sharing our
> > knowledge and making it available to everyone irrelevant of if you use
> > Spike or another tool. The open source model will hopefully mean we'll get
> > a vast number of well QA'd checks available very quickly and that when a
> > new vuln is found it will be fast to be submitted and can be used. Some
> > people like iDefense will prob also release advisories that are webappsec
> > related with the vulnxml checks attached which will be very cool indeed.
> 
> Agreed, I just hope that there will be some proof of the vuln before it
> enters production because some things might be vulnerable in OS X with
> service pack Y but not with service pack Y+1.
> 
> Of course the community could provide this proof by identifying where it
> works and where it doesn't, although this seems a slower process.
> 
> Hmm - maybe I misinterpreted the idea of the Q&A, I guess it could
> provide enough details to identify precisely where the vuln resides and
> in what environment.
> 
> Mads
> 
-- 
Mark Curphey <mark@curphey.com>


_______________________________________________
Spike mailing list
Spike@immunitysec.com
http://www.immunitysec.com/mailman/listinfo/spike