Could someone suggest around how to determine from ZAP report alerts that which alert fall under which OWASP top 10 vulnerability. For example, i had seen one example ZAP report where Reference column had OWASP top 10 URL as a value.
There are following columns in my ZAP report:
Title
Description
URL
Instances
Solution
Reference
CWE ID
WASC ID
Source ID
Following are OWASP top 10 vulnerabilities:
https://owasp.org/www-project-top-ten/
Injection Broken
Authentication
Sensitive Data Exposure
XML External Entities (XXE)
Broken Access control
Security misconfigurations
Cross Site Scripting (XSS)
Insecure Deserialization
Using Components with known vulnerabilities
Insufficient logging and monitoring
Although, it is obvious to say that we need to go through each alert in detail and logically map it to OWASP top 10. But was wondering if any alert attribute can help to figure it out.
There's a document which maps various ZAP functionality top the top 10, here: https://www.zaproxy.org/docs/guides/zapping-the-top-10/
Related
Is it possible to update the screen tips and descriptions of fields in Cognos Analytics 11.0.8 dynamically? We want to have a Data Definition Catalog and use it to update Cognos. The only methods I can find are fairly manual, including BPS Meta Manager.
Look at the steps to integrate InfoSphere Business Glossary into Cognos. I haven't done it, but I've heard people say that the configuration steps can be used for other catalogs, besides the InfoSphere product.
Since the configuration is just a URL, you could point this to a web server you control. Then use the web server logs to identify what Cognos appends to the URL or posts to the URL to identify the field.
https://www.ibm.com/support/knowledgecenter/en/SSEP7J_11.0.0/com.ibm.swg.ba.cognos.ug_cra.doc/t_configure_business_glossary.html#Configure_Business_Glossary
Have started using cucumber framework for testing of my project.
Able to generate cucumber html , json and xml report.
I am looking for something like JIRA ID link to be represented against feature representation in report.
Can anyone help me in this.
In the past, I have used tags to represent JIRA tickets in scenarios/features. For example, if you have a JIRA ticket with ID JIRA-123, your scenario could look like this:
#JIRA-123
Scenario: ...
You should then be able to see from the cucumber reports which features/scenarios are marked with which tags. You can build a custom report that fetches all the JIRA tags and retrieves ticket information from JIRA in runtime using for example JS and the JIRA API.
A major flaw in what you are trying to do is that Jira tickets are historical whilst scenarios are current.
Jira tickets document what was being done at a particular time in the projects lifecyle whilst scenarios document the current state of the application.
Scenarios have current knowledge of the application. Jira tickets only have the knowledge that was available when they were created.
Trying to link these two very different things has some negative consequences including:
You stop people from refactoring scenarios to reflect the current state of the application, because they need to maintain the links with the jira history.
Your links mislead, a scenario changes over time to reflect the current application but your links imply that what is in the jira ticket still applies.
Link management becomes very confusing, scenarios end up with multiple links and links get removed or applied to un-related scenarios as refactoring takes place.
Point 1 is particularly important. Scenarios can very easily become slow, unreliable and unwieldy. They can significantly increase the cost of change for an application unless they are very well managed. Anything that stops this management is detrimental.
I'm looking into upgrading a .net 2.0 app. The app is used by the public authorities of a certain city to keep track of expenses and generate reports and forms.
The reports and forms were generated in VS2005 using Crystal report. They follow a well defined layout, like official documents usually do.
I am looking at options to upgrade the application and the main problem I have is in determining how to deal with the crystal report files.
I have successfully upgraded to VS2008, but any version after that doesn't have CR anymore, so my company would have to pruchase CR separately and because the client and my company are both tight, I'm looking at alternatives...
The obvious one is using SSRS. I have never touched it before in my life, but after playing around with it for a bit, I get the impression that it is not very well suited to generating forms with lots of non-tabular content and lots of formatting. Or am I wrong?
It seems that every line has to be drawn separately. There is no (that I can see) accurate way of positioning lines for formatting...
But I'm just a beginner, so I might be getting this all wrong?
If that is the case, are there any other alternatives to CR and SSRS?
I was thinking of maybe having a separate MVC web site project in the solution. Have that generate the layout in html and css with data from my entity model, then view the result in a (built-in or not) web browser. Am I overcomplicating on this?
I really need advice from somebody who's done that kind of thing before.
What SSRS is good for:
Talking to SQL Server, much faster than other products as it in many cases retains the database better when in other programs IMHO they repeat query at times.
Designing collapsable grids and chart objects from datasets. You can have 'groups' that can nest aggregates of collapsed values and can be un collapsed or collapsed on demand based on expressions, parameters, or a recusive parent set.
A web service for deployment ease where you can deploy one or many objects. You can also write add ons for this service with C# and the ReportingService.asmx web service.
You can talk to the web service directly in a 'form' object in HTML and manipulate it's output.
You can schedule reports to send out via email and file saves automatically to clients or internal users.
What SSRS IS NOT GOOD FOR:
It is not event driven hardly at all except for parameters. You cannot click on many things and get other parts on the form itself to update. You may do an 'action' that goes to another location, report, or site. But in essence you are calling a seperate object, not the same instance again.
Multiple layers of reporting. Beyond tweaking tool tips you cannot do 'hover over' reporting without hacking SSRS. You can make javascript windows show other reports but it is not baked in to SSRS. So you are either clicking into new reports or tab stops in a report but not getting hover over quick objects beyond text and expressions that are in tool tips.
What do you want before considering what you need to impement?
I want to input and export things while talking to my database - ASP.NET with potentially HTML 5 or MVC4 if you want to be very new. ASP.NET is made for actively talking to a server and taking commands IN as well as OUT.
I want a form to auto update periodically on a page as a landing site and dashboard - AJAX and Javascript on top of HTML, Java or ASP.NET.
I want to create reports that exist on a Server and can be hosted on a wide variety of platforms in .NET via web service calls - SSRS.
SSRS's biggest selling point to me is it's reusability once you dial a report in. They are pretty easy to create, easy to configure, easy to deploy, and if you get a little advanced in calling the webservice you can get SSRS report objects in other technologies if you want.
There is Crystal reports for VS2010 and VS2012. It is just not shipped with them. You can download the installation from here: http://scn.sap.com/docs/DOC-7824
I am running through the same decision process at this time. There is a .NET product from a company called "Windward" that will allow you to design your reports in Microsoft Office. If you are in the MS ecosystem already or want your users to design reports instead of always calling on you, this might help.
Their template design tool is called AutoTag and you can deploy these template to their .NET based engine in a few lines of code.
I know the question is regarding SSRS vs. Crystal comparison but thought you should know there are other alternatives and some can make life easier
Ryan
I have following problem with my Sharepoint website. (The view cannot be displayed because the number of lookup and workflow columns it contains exceeds the threshold (8) enforced by the administrator) but any solution I have found online points me to change the throttle settings in web applications settings under central administration. My problem is I simply do not have Central Administration > Web Applications etc... The problem is appearing on a document library for me and I have explored very settings options on the site but cannot find anything about trottleing or column threshold. I just have Site Settings > Library settings etc...
How can I increase the column threshold in this case?
I am working on a Sharepoint website and have Workspace and Designer 2010.
The information you found is correct. You must access the Central Administration site from the server itself. It sounds like you are not logging into the server, but using SPD and the Sharepoint site from your workstation. If you don't have access to RDP to the server, you must contact someone who has access.
On another note, it's not recommended to increase that threshold.
Application Management > Manage Web Application.
In the Web Application list, select the web application you need.
Then go to General Settings > Resource Throttling.
In the Resource Throttling window, scroll down to List View Lookup Threshold and change the value to the number that suits your needs.
Use caution when changing this setting:
This does have a very significant impact on SQL performance. In the article below you can see that in this persons tests, using 8 and executing the query there was about 7% CPU utilization on SQL. Moving that to 10 and executing a query that pulls back 10 columns increases the CPU utilization to almost 40%.
http://sympmarc.com/2012/07/23/sharepoints-list-view-lookup-threshold-and-why-we-dont-change-it/
You can also read the whitepaper here: http://technet.microsoft.com/en-us/library/ff608068(office.14).aspx
We are using WSS 3 SP2. I'd like to preface this by saying that while I have been programming for some time, I have not done any Sharepoint development before now, so I am very much a newbie in that respect.
Basically what we have is a Sharepoint wiki that contains support documentation about each of the various applications throughout our organization. Each application has a wiki page containing some of the more pertinent info (vendor support #, etc), and these wiki pages are created from a template.
Currently, there is one "choice" column on the template that lists all of our department work groups, and users can edit the individual wiki pages to check off their particular work group after they've verified that the relevant wiki page information is correct. Example:
[Checkbox] Help Desk
[Checkbox] Programming
[Checkbox] Networking
What I've been tasked with is adding functionality to the template column that does the following:
list the date that each checkbox was checked
Indicate the user identity that checked the checkbox (logged on username is fine)
display the percentage of checkboxes that have been checked
Example:
Application Verification: 66%
[Checkbox] Help Desk - verified by JohnDoe on 8/26/10
[Checkbox] Programming - Unverified
[Checkbox] Networking - verified by JaneDoe on 7/21/10
I have been playing around with web parts trying to get my feet wet, but I don't know enough about Sharepoint yet to understand if a new web part is the way to go or if I can extend the choice column to do this.
What is the best way to accomplish this with Sharepoint? Can someone point me in the proper direction?
The direction I would start in would be developing a custom field, that would store your info internally in some sort of custom structure (XML, comma-separated, whatever). Then in the render control you will need to serialize and deserialize this value into your representation. Take a look at the following tutorial to get you started on custom fields:
http://vspug.com/nicksevens/2007/08/31/create-custom-field-types-for-sharepoint/