RealTime IT News

OASIS Wants to Classify Web Security

Open standards consortium OASIS is working to create a language that would help intrusion detection products and firewalls communicate during security attacks.

Members of the e-business standards group are calling the effort Web Application Security (WAS). The new WAS technical committee said it has three goals: an XML schema (a formal definition of the document format) for describing Web security conditions; a classification scheme for Web vulnerabilities; and guidance for threat, impact and risk ratings.

According to the group and analysts, the schema will go a long way toward mitigating serious security risks. It is complementary to the work of the OASIS Application Vulnerability Description Language (AVDL) technical committee, which aims to standardize the way security products communicate. AVDL, using WAS vulnerability classification, is expected to deliver a standard method for vulnerabilities to be described and communicated across products from different vendors.

Gartner Vice President for Internet Security John Pescatore said WAS fills a gap the industry has long been trying to close. In his description, WAS is a language that lets vulnerability scanners and intrusion prevention products tell a corporate firewall about security threats as they are found.

"Until WAS, the industry had no way to take warning data from a scanner tool and give it to the firewall to block the vulnerability," Pescatore told internetnews.com. "Take a company like SPI Dynamics for instance. They have a detection product called Web Inspect. It tells me about the vulnerabilities, but that's going to take me a while to block them at the firewall. WAS tells the firewall how to block it. So, firewall vendors can import data that will patch the network from the Slammer worm, for example."
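The hand-off Pescatore describes, a scanner finding arriving in a structured form and a firewall turning it into a blocking rule, can be sketched in a few dozen lines. The example below is added here and is not code from OASIS, SPI Dynamics or any WAS/AVDL implementation; the `<finding>` XML format, the `MANAGED_HOSTS` and `BLOCKABLE_CLASSES` allow-lists and the threat-times-impact rating scheme are all assumptions invented for illustration, not the WAS schema. The checks it performs are the ones a practitioner would want before letting a vulnerability feed drive a firewall: refuse findings for hosts the firewall does not own, refuse vulnerability classes it has no safe rule for, and only escalate to a deny action when the rating warrants it.

```python
"""Scanner-to-firewall hand-off on a constructed vulnerability record.

The XML below is a hypothetical stand-in, NOT the OASIS WAS or AVDL schema.
It exists only to show the shape of the exchange: a scanner publishes a
structured finding, the firewall side validates it, rates the risk and
derives a blocking rule (or refuses to act).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Constructed sample finding (hypothetical schema, not WAS/AVDL).
SAMPLE_FINDING = """<?xml version="1.0"?>
<finding id="F-0001" source="scanner-a">
  <target host="shop.example.com" path="/product" parameter="id"/>
  <class>sql-injection</class>
  <evidence pattern="'\\s*OR\\s+1=1"/>
  <rating threat="high" impact="high"/>
</finding>
"""

# Hosts this firewall is authorized to protect (assumed allow-list). A feed
# that could name arbitrary hosts could otherwise make us block traffic we
# have no business touching, which is a denial-of-service vector in itself.
MANAGED_HOSTS = {"shop.example.com"}

# Vulnerability classes for which a generic blocking rule is safe to derive.
# Anything else is logged by the caller, never enforced automatically.
BLOCKABLE_CLASSES = {"sql-injection", "cross-site-scripting", "path-traversal"}

# Assumed rating scale; WAS's real guidance is not reproduced here.
RATING_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class FirewallRule:
    rule_id: str
    host: str
    path: str
    parameter: str
    pattern: str   # regex the WAF matches against the parameter value
    risk: str      # low / medium / high
    action: str    # deny or log


def rate_risk(threat: str, impact: str) -> str:
    """Assumed scheme: score = threat x impact; 1-3 low, 4 medium, 6-9 high."""
    score = RATING_SCORE[threat] * RATING_SCORE[impact]
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def parse_finding(xml_text: str) -> dict:
    """Parse one finding; raise ValueError on a malformed or incomplete record
    so bad input is refused outright rather than half-applied.

    The stdlib expat parser does not fetch external entities, so a hostile
    feed cannot use DTD tricks here; if you switch to lxml, disable entity
    resolution explicitly."""
    root = ET.fromstring(xml_text)
    if root.tag != "finding":
        raise ValueError("not a finding document")
    target = root.find("target")
    vuln_class = root.findtext("class")
    evidence = root.find("evidence")
    rating = root.find("rating")
    if target is None or vuln_class is None or evidence is None or rating is None:
        raise ValueError("finding is missing required elements")
    finding = {
        "id": root.get("id"),
        "host": target.get("host"),
        "path": target.get("path"),
        "parameter": target.get("parameter"),
        "class": vuln_class.strip(),
        "pattern": evidence.get("pattern"),
        "threat": rating.get("threat"),
        "impact": rating.get("impact"),
    }
    if any(v is None for v in finding.values()):
        raise ValueError("finding has empty required attributes")
    if finding["threat"] not in RATING_SCORE or finding["impact"] not in RATING_SCORE:
        raise ValueError("unknown rating value")
    return finding


def finding_to_rule(finding: dict) -> Optional[FirewallRule]:
    """Derive a rule, or return None when the firewall must not act on it."""
    if finding["host"] not in MANAGED_HOSTS:
        return None
    if finding["class"] not in BLOCKABLE_CLASSES:
        return None
    risk = rate_risk(finding["threat"], finding["impact"])
    action = "deny" if risk in ("high", "medium") else "log"
    return FirewallRule(finding["id"], finding["host"], finding["path"],
                        finding["parameter"], finding["pattern"], risk, action)


def render_rule(rule: FirewallRule) -> str:
    """Generic one-line rule text; adapt to your WAF's own syntax."""
    return (f"{rule.action.upper()} host={rule.host} path={rule.path} "
            f"arg={rule.parameter} match=/{rule.pattern}/ "
            f"# {rule.rule_id} risk={rule.risk}")


if __name__ == "__main__":
    rule = finding_to_rule(parse_finding(SAMPLE_FINDING))
    print(render_rule(rule) if rule else "finding refused")
```

The two allow-lists are the important part: a vulnerability description language makes it easy to push rules into a firewall, which also makes the feed itself a target, so the receiving side has to decide what it is willing to act on rather than trusting every record it is handed.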

Pescatore said that although several companies sell both intrusion detection and firewall software, only one, KaVaDo, does something along the lines of what WAS is meant to do, offering a suite in which the Web application firewall and the scanner exchange data, but its format is proprietary. Under the auspices of OASIS, WAS would be open to anyone who wanted to use it to write applications. KaVaDo, though, has expressed its support for WAS, too.

Pescatore said he considered the standard so important that he advised major firms such as Microsoft and Oracle to sign on with OASIS for this endeavor.

As for the classification, Mark Curphey, chair of the OASIS WAS technical committee, discussed the need for the fine-tuned description of vulnerabilities.

"Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways," said Curphey. "WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used."

ZapThink Senior Analyst Ronald Schmelzer discussed the importance of WAS and AVDL as they apply to Web services, which is where software development is heading and, by extension, an area attackers could try to exploit.

Schmelzer said that because Web services provide access to systems through an abstracted interface, it becomes harder for those systems to determine who is requesting application functionality and whether that requester is authorized.

"While security specs like SAML, WS-Security, XKMS, and other specs are focused on solving these authentication and authorization problems, there are many ways in which these specs and tools can be misused or misapplied, leading to serious security holes or vulnerabilities," Schmelzer told internetnews.com.

"The security applications that use these specs will continuously need to be on the lookout for security vulnerabilities, and interact with each other to provide a cohesive network of secured systems. AVDL and WAS are key parts of this integrated security framework, where the security tools are doing the actual security work and AVDL and WAS are doing the integration between the security tools."

Software makers NetContinuum, Qualys, Sanctum and SPI Dynamics are among those that have signed on to WAS. OASIS also plans to consider contributions of related work from other groups and companies, including the Open Web Application Security Project (OWASP), an open source community group whose Vulnerability Description Language (VulnXML) may be complementary to WAS. The WAS technical committee will hold its first meeting July 3.