OASIS Wants to Classify Web Security

Open standards consortium OASIS is working to create a language that would help intrusion detection products and firewalls communicate during security attacks.

Members of the e-business standards group are calling the effort Web Application Security (WAS). The new WAS technical committee said it has three goals: to create an XML schema (a formal data structure) for describing Web security conditions; a classification scheme for Web vulnerabilities; and guidance for threat, impact and risk ratings.

According to the group and analysts, the schema will go a long way toward mitigating serious security risks. It is complementary to the work of the OASIS Application Vulnerability Description Language (AVDL) technical committee, which aims to standardize the way security products communicate. AVDL, using the WAS vulnerability classification, is expected to deliver a standard method for vulnerabilities to be described and communicated across products from different vendors.

Gartner Vice President for Internet Security John Pescatore said WAS fills a gap the industry has long chased as something of a Holy Grail. Basically, WAS is a language that allows vulnerability tools and intrusion prevention products to communicate with a corporate firewall in the event of security threats.

“Until WAS, the industry had no way to take warning data from a scanner tool and give it to the firewall to block the vulnerability,” Pescatore told internetnews.com. “Take a company like SPI Dynamics for instance. They have a detection product called WebInspect. It tells me about the vulnerabilities, but that’s going to take me a while to block them at the firewall. WAS tells the firewall how to block it. So, firewall vendors can import data that will patch the network from the Slammer worm, for example.”

Pescatore said that although certain companies sell both intrusion detection and firewall software, only one, KaVaDo, does something along the lines of what WAS purports to do — offer a suite where the Web application firewall and scanner exchange data — but its approach is proprietary. Under the auspices of OASIS, WAS would be open to all who wanted to use it to write applications. KaVaDo, though, has expressed its support for WAS, too.

Pescatore said he considered the standard so important that he advised major firms such as Microsoft and Oracle to sign on with OASIS for this endeavor.

As for the classification, Mark Curphey, chair of the OASIS WAS technical committee, discussed the need for a fine-tuned description of vulnerabilities.

“Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways,” said Curphey. “WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used.”

ZapThink Senior Analyst Ronald Schmelzer discussed the importance of WAS and AVDL as they apply to Web services, which is where software development is heading and, by extension, an area attackers could try to exploit.

Schmelzer said that because Web services will provide access to systems through an abstracted interface, it becomes harder for systems to determine who is making a request for application functionality and whether that requester is authorized.

“While security specs like SAML, WS-Security, XKMS, and other specs are focused on solving these authentication and authorization problems, there are many ways in which these specs and tools can be misused or misapplied, leading to serious security holes or vulnerabilities,” Schmelzer told internetnews.com.

“The security applications that use these specs will continuously need to be on the lookout for security vulnerabilities, and interact with each other to provide a cohesive network of secured systems. AVDL and WAS are key parts of this integrated security framework, where the security tools are doing the actual security work and AVDL and WAS are doing the integration between the security tools.”

Software makers NetContinuum, Qualys, Sanctum and SPI Dynamics are among those that have signed on to WAS. OASIS also plans to consider contributions of related work from other groups and companies, including the Open Web Application Security Project (OWASP), an open source community group whose Vulnerability Description Language (VulnXML) may be complementary to WAS. The WAS technical committee will hold its first meeting July 3.
