Jeff Williams

Results: 49 comments of Jeff Williams

Some evidence we would like to provide related to measuring at runtime:

* we found the right libraries -- libraries that are not in the code repo (appserver, runtime platform)...

Here is the section of the SARIF spec that focuses on tool description. We are still wrestling with this... particularly how to capture configuration and runtime environment. Obviously can get...

* IAST (evidence from complete running app/API stack, including exactly which libraries, classes, and methods are loaded and run. Also evidence of vulnerability testing, all exposed routes, all backend connections...

I'm trying to understand this through the lens of the typical claim-evidence structure. Here we make some claims about the library identity (name, version, etc.) and I can imagine some evidence...

@stevespringett - SARIF already supports multiple forms of analysis, including IAST and DAST. They're considering changing the name to Security Analysis Results Interchange Format (instead of Static). Here's an example...

Wouldn't hash match be 1.0? Just want to make sure I'm not misunderstanding this.

@stevespringett - we're still including the option to include callstack evidence, right?

> @planetlevel Would you like it included? If so, is the proposal adequate or does it need revision? If it's ok as is, I'll update the PR to include it....

I think you missed the point of my comment. I'm saying that organizing by the source of potential attacks is orthogonal to the rest of your categories. Why not have...

I understand how hard it is to create groupings. But one key requirement that you left off the list is that you have to cover all the top risks to...