Author: jan
Date: 2007-10-18 16:23:45 +0200 (Thu, 18 Oct 2007)
New Revision: 450
Added:
trunk/doc/website/creation-process-nvt.htm4
trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
Modified:
trunk/doc/website/template_header.m4
Log:
Adding a page about NVT creation process.
Added: trunk/doc/website/creation-process-nvt.htm4
===================================================================
--- trunk/doc/website/creation-process-nvt.htm4 2007-10-17 20:31:35 UTC (rev
449)
+++ trunk/doc/website/creation-process-nvt.htm4 2007-10-18 14:23:45 UTC (rev
450)
@@ -0,0 +1,125 @@
+m4_dnl -*-html-*-
+m4_include(`template.m4')
+
+m4_dnl OpenVAS
+m4_dnl $Id$
+m4_dnl Description: Description of the creation process for Network
Vulnerability Tests (NVTs)
+m4_dnl
+m4_dnl Authors:
+m4_dnl Jan-Oliver Wagner <[EMAIL PROTECTED]>
+m4_dnl
+m4_dnl Copyright:
+m4_dnl Copyright (C) 2007 Intevation GmbH
+m4_dnl
+m4_dnl This program is free software; you can redistribute it and/or modify
+m4_dnl it under the terms of the GNU General Public License version 2,
+m4_dnl as published by the Free Software Foundation.
+m4_dnl
+m4_dnl This program is distributed in the hope that it will be useful,
+m4_dnl but WITHOUT ANY WARRANTY; without even the implied warranty of
+m4_dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+m4_dnl GNU General Public License for more details.
+m4_dnl
+m4_dnl You should have received a copy of the GNU General Public License
+m4_dnl along with this program; if not, write to the Free Software
+m4_dnl Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301
USA.
+
+PAGE_START
+
+<h2>Creation Process for Network Vulnerability Tests (NVTs)</h2>
+
+<img align="right" src="pix/OpenVAS-NVT-creation-process.png"/>
+
+<p>
+<b>
+Note: The process described here is a proposal and not yet implemented.
+Please submit any comments or suggestions to the openvas-discuss mailing list.
+</b>
+</p>
+
+<h3>Overview</h3>
+
+<p>
+This document describes the creation process for Network Vulnerability Tests
(NVTs)
+for the network security scanner OpenVAS.
+NVTs are test routines that check for presence of a vulerability at a target
system.
+OpenVAS coordinates the execution of many of such tests to many target systems
+and collects the results.
+</p>
+
+<p>
+The process starts with collecting upcoming security alerts and ends with the
release
+of a newly developed NVT that checks for the reported vulnerability.
+</p>
+
+<p>
+The most important phases of this process are: Initial priorisation
(Evaluation),
+final priorisation (Decision), implementation, Quality assurance und
release/distribution.
+</p>
+
+<p>
+These phases as well as supporting technolgies are described in more detail
below.
+</p>
+
+<h3>Short summary</h3>
+
+<p>
+Before the actual implementation of a NVT starts, a evaluation matrix
+is applied to find out about the initial priority of a security advisory.
+After that, the security advisory is added to the overall priority list.
+This step is performed by the evaluation team.
+</p>
+
+<p>
+The used sources of security advisories are carefully selected
+and connected with a automatic notification process.
+Thus, the intial priorisation is an ongoing process driven by
+such notifications.
+</p>
+
+<p>
+At certain intervals, a decision team does a final priorisation
+which actually rules for which security advisories corresponding NVTs are
+to be developed.
+</p>
+
+<p>
+The relevance and the level of complexity for the defined target systems is
+considered for both, the initial and the final priorisation.
+</p>
+
+<h3>The whole process with 5 main steps</h3>
+
+<ul>
+
+<li>Evaluation: The evaluation team, alerted by a security advisory
notification,
+ applies the evaluation matrix and thus comes to the intial priorisation.
+ This information is added to the general priority overview.
+
+<li>Decision: The decision team selects those security alerts for which the
implementation
+ of a corrsponding NVT is highly desired (final prioristation). This
decision making
+ takes place according to a defined schedule.
+
+<li>Implementation: The development team actually implements a NVT.
+ In case of problems (solution strategy unclear or effort very high)
+ the issue is handed back to the decision team for reconsideration.
+
+<li>Quality Assurance: The QS team executes the quality assurance for the
results
+ of the development team. If a NVT does not meet the quality standard, the
+ issue is handed back to the development team.
+
+<li>Release/Distribution: The release (transfer of new NWT into NWT
distribution mechanism)
+ is the last step to be done by the QS team in case the NVT passes quality
tests.
+
+</ul>
+
+<p>
+Multiple roles as given with the various teams could be fulfilled by one
person as long
+as it is ensured that he or she never does implementation and quality
assurance for
+the same NVT.
+</p>
+
+<p>
+It is a integral feature of this process that the experiences gained from
daily practice
+will lead to changes or refinements of the process whenever regarded useful or
required.
+</p>
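Review bot: The Release/Distribution list item says "transfer of new NWT into NWT distribution mechanism" where NVT is meant. The page text also carries typos that will ship to the website: "vulerability", "technolgies", "intial", "corrsponding", "prioristation", and the German "und" in "Quality assurance und release/distribution". Two list items call the team the "QS team" while the item heading is Quality Assurance; use "QA team" in both. The paragraph requiring that one person never does implementation and quality assurance for the same NVT is the process's separation-of-duties control, but nothing says where the implementer and the reviewer of an NVT are recorded so that the rule can be checked; one sentence naming that record would close the gap. Minor markup points: the <li> elements are never closed and the <img> has no alt attribute.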
Added: trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
===================================================================
(Binary files differ)
Property changes on: trunk/doc/website/pix/OpenVAS-NVT-creation-process.png
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
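Review bot: svn:mime-type on OpenVAS-NVT-creation-process.png is set to application/octet-stream, the generic binary type. Set it to image/png (svn propset svn:mime-type image/png on that path) so that clients and web front ends which honour the property treat the file as an image rather than an opaque download.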
Modified: trunk/doc/website/template_header.m4
===================================================================
--- trunk/doc/website/template_header.m4 2007-10-17 20:31:35 UTC (rev
449)
+++ trunk/doc/website/template_header.m4 2007-10-18 14:23:45 UTC (rev
450)
@@ -67,6 +67,7 @@
<h1>Information</h1>
<p>
<a href="sources-for-security-issues-information.html">Security info
sources</a><br>
+ <a href="creation-process-nvt.html">NVT creation process</a><br>
</p>
</div>
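Review bot: The new link points to creation-process-nvt.html, while the file added in this revision is creation-process-nvt.htm4, so the target only exists once the site build has generated it. The Modified list shows only template_header.m4; if the build enumerates its pages in a separate file, the new page needs an entry there as well, otherwise this navigation link will be dead.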
_______________________________________________
Openvas-commits mailing list
[email protected]
http://lists.wald.intevation.org/mailman/listinfo/openvas-commits