SAN FRANCISCO — With an eye to guarding against online vulnerabilities, members of an Internet interoperability consortium Monday announced plans for a new computer language designed for securing Web services.
The Organization for the Advancement of Structured Information Standards (OASIS) said it plans to define its Application Vulnerability Description Language (AVDL) as soon as next month. The XML-based technology would allow communication between products that find, block, fix, and report application security holes.
Although there are several over-the-counter products available that help companies discover application vulnerabilities, block application-layer attacks, repair vulnerable Web sites, distribute patches and manage security events, the consortium said there is currently no universal way for these products to communicate with one another, making pragmatic risk management a highly manual, often complex process.
“The goal of AVDL is to enable companies to manage and simplify the full application security lifecycle by providing a uniform way to communicate application security vulnerabilities, policies and events using XML,” Kevin Heineman of SPI Dynamics, co-chair of the OASIS AVDL Technical Committee, said in a statement.
In anticipation of developing the language, OASIS established a Technical Committee including Booz Allen Hamilton, NetContinuum, Reed Elsevier, Sanctum and SPI Dynamics. Participation remains open to all organizations and individuals.
The group will focus on defining a schema that enables easier communication and coordination between any of the various security entities that address application security, including, but not limited to: application vulnerability assessment tools, application security gateways, reporting tools, correlation systems, and remediation tools.
In addition to the Technical Committee's initial members, OASIS will host an open mail list for public comment. The committee will hold its first meeting on 15 May 2003. The first candidate AVDL specification will be posted for comment by Q3 2003, with a final AVDL 1.0 specification posted by Q4 2003. The committee is expected to further comment on its specification at the RSA Security conference here Wednesday.
The AVDL language is the brainchild of application security vendors Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics and Teros.
The group says AVDL will give security administrators far more freedom in managing application security risk. Application vulnerability assessment tools, for example, could create an AVDL file for a particular application that could be read by an attack prevention product to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to determine the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.
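The workflow described above, one interchange file read by a gateway, a remediation tool and a reporting tool, can be illustrated with a small script. This is an added example and not code from the article, OASIS or any of the named vendors; the XML schema it parses is a hypothetical stand-in (not the AVDL 1.0 schema, which the article does not describe), and the vulnerability entries and access-log lines are constructed for the example.

```python
"""Illustration of a uniform vulnerability-description file being consumed by
three kinds of tools: a gateway deriving a protection policy, a remediation
tool prioritising fixes, and a reporting tool correlating access logs with
known-vulnerable locations.  The XML format below is a hypothetical stand-in
(NOT the AVDL 1.0 schema) and the log lines are constructed for this example."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample document in a hypothetical schema (not the real AVDL).
SAMPLE_XML = """<?xml version="1.0"?>
<vulnerabilities application="shop.example.test">
  <vulnerability id="v1" class="sql-injection" severity="high">
    <location path="/cart/checkout.jsp" parameter="item_id"/>
  </vulnerability>
  <vulnerability id="v2" class="cross-site-scripting" severity="medium">
    <location path="/search.jsp" parameter="q"/>
  </vulnerability>
  <vulnerability id="v3" class="path-traversal" severity="high">
    <location path="/download" parameter="file"/>
  </vulnerability>
</vulnerabilities>"""

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/May/2003:10:01:02 +0000] "GET /search.jsp?q=shoes HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/May/2003:10:01:09 +0000] "GET /cart/checkout.jsp?item_id=7 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [15/May/2003:10:02:15 +0000] "GET /about.html HTTP/1.1" 200 900',
    '10.0.0.7 - - [15/May/2003:10:03:40 +0000] "GET /download?file=report.pdf HTTP/1.1" 200 70211',
]

# Extracts method, path and optional query string from the quoted request.
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^ ?"]+)(?:\?(?P<query>[^ "]*))? HTTP/')


def parse_vulnerabilities(xml_text):
    """Return one dict per <vulnerability> element in the interchange file."""
    root = ET.fromstring(xml_text)
    vulns = []
    for v in root.findall("vulnerability"):
        loc = v.find("location")
        vulns.append({
            "id": v.get("id"),
            "class": v.get("class"),
            "severity": v.get("severity"),
            "path": loc.get("path"),
            "parameter": loc.get("parameter"),
        })
    return vulns


def derive_gateway_policy(vulns):
    """Gateway view: map each vulnerable path to the parameters that need
    strict input validation until the application itself is fixed."""
    policy = defaultdict(set)
    for v in vulns:
        policy[v["path"]].add(v["parameter"])
    return {path: sorted(params) for path, params in policy.items()}


def remediation_order(vulns):
    """Remediation view: vulnerability ids ordered high severity first, then by id."""
    rank = {"high": 0, "medium": 1, "low": 2}
    ordered = sorted(vulns, key=lambda v: (rank.get(v["severity"], 3), v["id"]))
    return [v["id"] for v in ordered]


def correlate_log(vulns, log_lines):
    """Reporting view: for each log line that requests a known-vulnerable path
    and supplies the vulnerable parameter, record (vulnerability id, client ip)."""
    by_path = defaultdict(list)
    for v in vulns:
        by_path[v["path"]].append(v)
    hits = []
    for line in log_lines:
        m = _REQ_RE.search(line)
        if not m:
            continue  # malformed line: skip it rather than abort the report
        query = m.group("query") or ""
        params = {p.split("=", 1)[0] for p in query.split("&") if p}
        client_ip = line.split(" ", 1)[0]
        for v in by_path.get(m.group("path"), []):
            if v["parameter"] in params:
                hits.append((v["id"], client_ip))
    return hits


if __name__ == "__main__":
    vulns = parse_vulnerabilities(SAMPLE_XML)
    print(derive_gateway_policy(vulns))
    print(remediation_order(vulns))
    print(correlate_log(vulns, SAMPLE_LOG))
```

Each consumer reads the same parsed structure and derives only the view it needs: the gateway never has to understand severity, and the reporting tool never has to understand policy. That separation is what a shared description format buys, and the same pattern applies whatever the real schema's element names turn out to be.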
AVDL is one of three new specifications impacting Web services this week.
The Information Security Systems Association (ISSA) is also expected to announce it will take over the Generally Accepted Information Security Principles (GAISP) specification. The former Generally Accepted System Security Principles (GASSP) standard was authored in response to a 1990 U.S. National Research Council report, “Computers at Risk.”
“With the growing adoption of Web-based technologies, applications have become far more dynamic, often changing daily, or even hourly,” Jan Bialkowski of NetContinuum, co-chair of the OASIS AVDL Technical Committee, said in a statement. “Keeping pace with these rapidly changing threats will increasingly require close cooperation between various security components.”