[Openvas-commits] r450 - in trunk/doc/website: . pix

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Oct 18 16:23:45 CEST 2007


Author: jan
Date: 2007-10-18 16:23:45 +0200 (Thu, 18 Oct 2007)
New Revision: 450

Added:
   trunk/doc/website/creation-process-nvt.htm4
   trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
Modified:
   trunk/doc/website/template_header.m4
Log:
Adding a page about NVT creation process.


Added: trunk/doc/website/creation-process-nvt.htm4
===================================================================
--- trunk/doc/website/creation-process-nvt.htm4	2007-10-17 20:31:35 UTC (rev 449)
+++ trunk/doc/website/creation-process-nvt.htm4	2007-10-18 14:23:45 UTC (rev 450)
@@ -0,0 +1,125 @@
+m4_dnl -*-html-*-
+m4_include(`template.m4')
+
+m4_dnl OpenVAS
+m4_dnl $Id$
+m4_dnl Description: Description of the creation process for Network Vulnerability Tests (NVTs)
+m4_dnl
+m4_dnl Authors:
+m4_dnl Jan-Oliver Wagner <jan-oliver.wagner at intevation.de>
+m4_dnl
+m4_dnl Copyright:
+m4_dnl Copyright (C) 2007 Intevation GmbH
+m4_dnl
+m4_dnl This program is free software; you can redistribute it and/or modify
+m4_dnl it under the terms of the GNU General Public License version 2,
+m4_dnl as published by the Free Software Foundation.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful,
+m4_dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+m4_dnl GNU General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with this program; if not, write to the Free Software
+m4_dnl Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+
+PAGE_START
+
+<h2>Creation Process for Network Vulnerability Tests (NVTs)</h2>
+
+<img align="right" src="pix/OpenVAS-NVT-creation-process.png"/>
+
+<p>
+<b>
+Note: The process described here is a proposal and not yet implemented.
+Please submit any comments or suggestions to the openvas-discuss mailing list.
+</b>
+</p>
+
+<h3>Overview</h3>
+
+<p>
+This document describes the creation process for Network Vulnerability Tests (NVTs)
+for the network security scanner OpenVAS.
+NVTs are test routines that check for presence of a vulerability at a target system.
+OpenVAS coordinates the execution of many of such tests to many target systems
+and collects the results.
+</p>
+
+<p>
+The process starts with collecting upcoming security alerts and ends with the release
+of a newly developed NVT that checks for the reported vulnerability.
+</p>
+
+<p>
+The most important phases of this process are: Initial priorisation (Evaluation),
+final priorisation (Decision), implementation, Quality assurance und release/distribution.
+</p>
+
+<p>
+These phases as well as supporting technolgies are described in more detail below.
+</p>
+
+<h3>Short summary</h3>
+
+<p>
+Before the actual implementation of a NVT starts, a evaluation matrix
+is applied to find out about the initial priority of a security advisory.
+After that, the security advisory is added to the overall priority list.
+This step is performed by the evaluation team.
+</p>
+
+<p>
+The used sources of security advisories are carefully selected
+and connected with a automatic notification process.
+Thus, the intial priorisation is an ongoing process driven by
+such notifications.
+</p>
+
+<p>
+At certain intervals, a decision team does a final priorisation
+which actually rules for which security advisories corresponding NVTs are
+to be developed.
+</p>
+
+<p>
+The relevance and the level of complexity for the defined target systems is
+considered for both, the initial and the final priorisation.
+</p>
+
+<h3>The whole process with 5 main steps</h3>
+
+<ul>
+
+<li>Evaluation: The evaluation team, alerted by a security advisory notification,
+    applies the evaluation matrix and thus comes to the intial priorisation.
+    This information is added to the general priority overview.
+
+<li>Decision: The decision team selects those security alerts for which the implementation
+    of a corrsponding NVT is highly desired (final prioristation). This decision making
+    takes place according to a defined schedule.
+
+<li>Implementation: The development team actually implements a NVT.
+    In case of problems (solution strategy unclear or effort very high)
+    the issue is handed back to the decision team for reconsideration.
+
+<li>Quality Assurance: The QS team executes the quality assurance for the results
+    of the development team. If a NVT does not meet the quality standard, the
+    issue is handed back to the development team.
+
+<li>Release/Distribution: The release (transfer of new NWT into NWT distribution mechanism)
+    is the last step to be done by the QS team in case the NVT passes quality tests.
+
+</ul>
+
+<p>
+Multiple roles as given with the various teams could be fulfilled by one person as long
+as it is ensured that he or she never does implementation and quality assurance for
+the same NVT.
+</p>
+
+<p>
+It is a integral feature of this process that the experiences gained from daily practice
+will lead to changes or refinements of the process whenever regarded useful or required.
+</p>
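Review bot: the Release/Distribution list item writes "NWT" twice ("transfer of new NWT into NWT distribution mechanism") while every other paragraph uses "NVT", and the "QS team" named in the last two list items is never defined although the step itself is called "Quality Assurance". Use "NVT" and one consistent team name, so the rule in the closing paragraph (no one does implementation and quality assurance for the same NVT) refers to clearly named roles. The page also needs a spelling pass before it goes live: "vulerability", "technolgies", "intial", "corrsponding", "prioristation", and the German "und" in the list of phases. The img element has no alt attribute, so the process diagram carries no text fallback; add one.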

Added: trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
===================================================================
(Binary files differ)


Property changes on: trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream
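Review bot: the property change on OpenVAS-NVT-creation-process.png sets svn:mime-type to application/octet-stream, which marks the file as generic binary data. Set the property to image/png so that tools reading it treat the file as an image.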

Modified: trunk/doc/website/template_header.m4
===================================================================
--- trunk/doc/website/template_header.m4	2007-10-17 20:31:35 UTC (rev 449)
+++ trunk/doc/website/template_header.m4	2007-10-18 14:23:45 UTC (rev 450)
@@ -67,6 +67,7 @@
      <h1>Information</h1>
      <p>
      <a href="sources-for-security-issues-information.html">Security info sources</a><br>
+     <a href="creation-process-nvt.html">NVT creation process</a><br>
      </p>
     </div>
 
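Review bot: the added link labels the page "NVT creation process" in the Information menu, while the page added in this same revision states in bold that the process is a proposal and not yet implemented. Consider a label that says so, for example "NVT creation process (proposal)". The href also points to creation-process-nvt.html whereas the file added here is creation-process-nvt.htm4, so confirm the site build generates that target.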


