A specification for letting products exchange information about security
flaws in Web services and applications has been passed as a standard by
OASIS.
The e-business standards body ratified Application
Vulnerability Description Language (AVDL) version 1.0 Wednesday,
although the spec is already being employed by companies and government
agencies.
This includes the central security incident response organization for the
U.S. Department of Energy (DOE) and the National Nuclear Security
Administration (NNSA), which plans to AVDL-enable its Security Incident
Response Portal.
The news comes at a time when concerns about the security of Web services
remains a barrier, albeit one that is crumbling, to widespread adoption in
the software market. Analysts also cite a lack of clear management and
interoperability as obstacles, but shoring up security is a solid
accomplishment.
Kevin Heineman, co-chair of the OASIS AVDL Technical Committee, said that
before AVDL, managers had to pore over bug reports, then take the
appropriate remediation steps and create firewall rules to secure their
applications. This can be a time-consuming process.
Now, network managers can save time by importing vulnerability assessment
data from application scanners that support AVDL, Heineman said, noting that
AVDL frees administrators to focus on other tasks. Firewalls can configure
appropriate rules, patch-management software can provide automatic
remediation and event correlation products can include vulnerability data.
Gartner analyst John Pescatore said AVDL should help harness the mess of
security incident announcements issued each week by developers and vendors
who spot them.
“By employing solutions based on the AVDL OASIS standard, companies can
reduce the threat they face from the moment a vulnerability is discovered to
the time it takes them to first shield, then patch, their systems,” Pescatore
said in a statement.
The analyst added that as many as 80 applications vulnerabilities are
announced per week, making AVDL a vital protocol for companies who use
heavily commercial software from Microsoft, Oracle and other vendors in
their networks and data centers.
AVDL is complementary to Web Application Security, a spec forged
by OASIS last May to create a language that would help intrusion detection
products and firewalls communicate during security attacks.