OASIS TC to Standardize Classification of Application Vulnerabilities
Leading Application Security Vendors Propose New XML-Based Interoperability Standard Through OASIS
Application Vulnerability Description Language Will Enable Easy Communication Between Products That Find, Block, Fix, and Report Application Security Vulnerabilities
San Francisco, CA, USA. April 14, 2003.
Application security vendors Citadel Security Software, Inc., GuardedNet, NetContinuum, SPI Dynamics and Teros today announced the proposal of a new XML standard to define, categorize and classify application vulnerabilities in a standardized fashion that can be understood and used by a variety of security products throughout the application security lifecycle. The new Application Vulnerability Description Language (AVDL), to be managed through the OASIS consortium, will enable customers to more easily manage and reduce security risk in constantly changing web application environments.
"The majority of new attacks today target vulnerabilities at the application layer, a problem we believe will only increase as web services become more widely adopted," said Richard Stiennon, Research Director at Gartner. "Because web applications are constantly changing, creating a more standardized way for individual security products to share information makes a great deal of sense and could significantly benefit enterprise customers."
AVDL will address the business problem of how companies manage ongoing application security risk on a day-to-day basis. With the wide adoption of web-based technologies, applications have become far more dynamic, often changing daily, or even hourly. Keeping up with these changes can be an extraordinary challenge for security administrators. To address this problem, companies have begun deploying best-of-breed security products to identify application vulnerabilities, block application-layer attacks, repair identified vulnerabilities, distribute patches and manage security events. Unfortunately, there is currently no standard way for these products to communicate with each other, making the overall security management process far too manual and time-consuming.
"As new security technologies are developed, enterprises in the early adopter phase rely on best-of-breed solutions or a number of interoperable combinations to address rising security concerns," said Ken Kousky, CEO, IP3, Inc., a leading research and education organization. "In our latest research report, 'IT Security Economics, the Rationality Debate,' we found that more than 85 percent of large organizations view interoperability between security components as one of their top two issues for 2003. Client organizations are simply being overwhelmed."
By establishing a standard XML format for describing application vulnerabilities, AVDL would give security administrators far more freedom in managing application security risk. Application vulnerability assessment tools, for example, could create an AVDL file for a particular application that could be read by an attack prevention product to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to determine the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.
OASIS has established a Technical Committee to develop the standard. The AVDL Technical Committee will focus on defining a schema that enables easier communication and coordination between any of the various security entities that address application security, including, but not limited to: application vulnerability assessment tools, application security gateways, reporting tools, correlation systems, and remediation tools. All OASIS members interested in solving application security problems are welcome to join.
The first meeting of the full OASIS Technical Committee for AVDL has been scheduled for May 15, 2003. The first candidate AVDL specification will be posted for comment by Q3, 2003 with a final AVDL 1.0 specification posted by Q4, 2003. Additional information on AVDL is available at http://www.avdl.org and additional information on OASIS is available at http://www.oasis-open.org.
About Citadel Security Software
Citadel Security Software, Inc., a leader in automated vulnerability remediation and policy enforcement solutions, helps enterprises effectively neutralize security vulnerabilities. Citadel's patent-pending Hercules technology provides users with full control over the automated remediation process, enabling efficient aggregation, prioritization and resolution of vulnerabilities detected by industry-standard vulnerability assessment tools. Winshield SecurePC and NetOFF products enable companies to enforce security policies from a single point of control. Citadel's solutions enable organizations to ensure the confidentiality of information, reduce the time and costs associated with the inefficient manual remediation process, and facilitate compliance with organizational security policies and government mandates such as HIPAA and Gramm-Leach-Bliley legislation. For more information visit http://www.citadel.com or contact Citadel at (214) 520-9292.
About GuardedNet
GuardedNet Inc. delivers advanced security event management software solutions. Its flagship product, neuSECURE, centrally monitors, correlates and performs threat analysis in multi-vendor enterprise security environments. Its ability to correlate and analyze log data files from disparate machines in real time enables security administrators to overcome log data overload and detect and respond to security breaches as they are occurring, rather than after the damage is done. neuSECURE has improved the security and the operational efficiency of numerous Security Operations Centers (SOCs), including those at leading financial and data communications institutions. GuardedNet is a private company, headquartered in Atlanta, Georgia. For more information about GuardedNet, please visit http://www.guarded.net or contact us at firstname.lastname@example.org or (404) 591.8200.
About NetContinuum
NetContinuum is the leading provider of enterprise-class web security gateways -- next-generation web security appliances designed to secure applications and protect against web attacks. Privately held, NetContinuum is funded by blue-chip venture capital firms and investors, including Palomar Ventures, Menlo Ventures, NIF Ventures/Daiwa Securities, Adams Street Partners, Invus Group, MKS Ventures, and Siemens Venture Capital. For more information, please visit http://www.netcontinuum.com or call 408-961-5600.
About SPI Dynamics
SPI Dynamics, a pioneer in web application security, manufactures WebInspect, software that assesses the security of web applications and web services and helps enterprises protect against the loss of confidential data through the organization's most vulnerable yet least secure infrastructure component -- the web application layer. Software developers, quality assurance professionals, corporate security auditors and security practitioners use SPI Dynamics' technology to discover application security vulnerabilities that would otherwise go undetected by traditional automated application testing tools, network firewalls or intrusion detection systems. SPI Dynamics' customers include the largest global consulting companies, telecommunications companies, manufacturing companies, financial services organizations, healthcare facilities and major United States government agencies. SPI Dynamics is privately held with headquarters in Atlanta. For more information call 678-781-4800, visit the website at http://www.spidynamics.com or e-mail email@example.com.
About Teros
Teros, formerly Stratum8 Networks, was founded in 2000 and develops quick-to-deploy, self-configuring security products that protect web servers, web applications and databases from known and undocumented vulnerabilities. Teros customers are Fortune 1000 companies, leading Internet and e-commerce players, and government agencies that need to protect sensitive web-based applications and data from unauthorized access or malicious use. Teros is privately held and headquartered in Santa Clara, California. To contact Teros call 408-850-0800, visit us on the web at http://www.teros.com, or write to firstname.lastname@example.org.
"As part of our automated vulnerability remediation best practices, Citadel recommends that enterprises rely on a variety of network and application scanners in order to compile and take action on the most comprehensive, up-to-date vulnerability data available," said Citadel CTO Carl Banzhof. "The AVDL standard will make it easier for organizations to share data more effectively and integrate vulnerability identification and remediation across the entire enterprise more quickly in order to keep up with the constant issue of cyberthreats."
"As a provider of heterogeneous security management solutions, our vision is to enable a Connected Security Enterprise Model(TM) that incorporates the capabilities of best-of-breed security products with the ease of use and stability expected from a single vendor suite of products," said GuardedNet's CTO, Iven Connary. "AVDL supports this vision by providing a strong framework for products to communicate and interoperate. Customers will benefit greatly from a successful, standardized approach to defining application vulnerabilities."
"NetContinuum has already begun working with other leading application security vendors to enable better real-world integration using XML," said Jan Bialkowski, CTO of NetContinuum. "AVDL will allow us to further extend these capabilities by enabling our web security gateway to directly read the output of periodic vulnerability assessments, remediation actions or attack activity reported by event management systems, regardless of which vendor's products are being used."
"Today, SPI Dynamics is working closely with top application security vendors to enable them to process standardized XML output from WebInspect 3.0, our market leading web application security assessment product," said Caleb Sima, CTO of SPI Dynamics. "AVDL will enable our enterprise customers to use the best products available to find application and web services vulnerabilities, protect their production systems against application attacks, report on the state of their application security, and remediate vulnerabilities automatically whenever possible. With AVDL, enterprise customers will be able to select best-of-breed products in each of these categories and receive the full benefits of multi-vendor product interoperability."
"A standardized and product agnostic approach to application vulnerability reporting provides maximum flexibility for customers and closer cooperation between layered security technologies," said Abhishek Chauhan, co-founder and Chief Technology Officer of Teros. "We support the development of standards like AVDL whose goal is to enable tighter security defenses by allowing vulnerability management data to be shared between multiple application and network layer security systems."
Prepared by Robin Cover for The XML Cover Pages archive. See details in: (1) the news story "OASIS Forms TC for Application Vulnerability Description Language (AVDL)"; (2) AVDL TC Proposal; (3) "Application Security" (general reference document).