RealTime IT News

OASIS Passes Flaw-Reporting Standard

A specification for letting products exchange information about security flaws in Web services and applications has been passed as a standard by OASIS.

The e-business standards body ratified Application Vulnerability Description Language (AVDL) version 1.0 Wednesday, although the spec is already being employed by companies and government agencies.

This includes the central security incident response organization for the U.S. Department of Energy (DOE) and the National Nuclear Security Administration (NNSA), which plans to AVDL-enable its Security Incident Response Portal.

The news comes at a time when concerns about the security of Web services remain a barrier, albeit one that is crumbling, to widespread adoption in the software market. Analysts also cite a lack of clear management and interoperability as obstacles, but shoring up security is a solid accomplishment.

Kevin Heineman, co-chair of the OASIS AVDL Technical Committee, said that before AVDL, managers had to pore over bug reports, then take the appropriate remediation steps and create firewall rules to secure their applications. This can be a time-consuming process.

Now, network managers can save time by importing vulnerability assessment data from application scanners that support AVDL, Heineman said, noting that AVDL frees administrators to focus on other tasks. Firewalls can configure appropriate rules, patch-management software can provide automatic remediation and event correlation products can include vulnerability data.

Gartner analyst John Pescatore said AVDL should help harness the mess of security incident announcements issued each week by developers and vendors who spot them.

"By employing solutions based on the AVDL OASIS standard, companies can reduce the threat they face from the moment a vulnerability is discovered to the time it takes them to first shield, then patch, their systems," Pescatore said in a statement.

The analyst added that as many as 80 application vulnerabilities are announced per week, making AVDL a vital protocol for companies that rely heavily on commercial software from Microsoft, Oracle and other vendors in their networks and data centers.

AVDL is complementary to Web Application Security, a spec forged by OASIS last May to create a language that would help intrusion detection products and firewalls communicate during security attacks.