Saturday 30 July 2011

Proposed workflow for breaking and analysing FVDL Files

Following the multiple blog entries prosted about O2's support for Fortify's FVDL, (sent to me by an O2 user) here is a description of a use-case that O2 should support:

I would shoot for the ability to disposition large *.fpr/*.fvdl files.

Here is a typical workflow:

1. Scan is run code base generating an *.fpr file
2. Code Reviews receive the file but because it is too large it cannot be opened by Fortify's tool.
3. Code reviewer uses O2 to open file and disposition or suppress issues by Category (XSS, SQL Injection, Path Tampering, etc.)
4. Code Reviewer then saves dispositions to *.fpr file.
5. The *.fpr is saved and on subsequent scan of the same application. The new.fpr file is merged with the old.fpr file.
6. The code reviewer works on the merged.fpr to disposition items.
7. Wash, rinse, repeat.

The data needs to be stored in the *.fpr file because most code assessment processes relies on merging the old fpr with the new *.fpr/*.fvdl on subsequent rereviews.

Next step(s) is to write a script(s) to implement this workflow, and try to figure the best GUIs to enable it.