OASIS Approved CD: Application Vulnerability Description Language

AVDL Specification Submitted for Approval as an OASIS Standard

Date:      Thu, 29 Apr 2004 08:16:42 -0400
From:      Karl F. Best <karl.best@oasis-open.org>
To:        members@lists.oasis-open.org, tc-announce@lists.oasis-open.org
Subject:   AVDL specification submitted for OASIS Standard

OASIS members:

The OASIS Application Vulnerability Description Language (AVDL) TC has submitted the Application Vulnerability Description Language (AVDL) v1.0 specification, which is an approved Committee Draft, for review and consideration for approval by OASIS members to become an OASIS Standard. The TC's submission is attached below.

In accordance with the OASIS Technical Process, the specification has already gone through a 30 day public review period. OASIS members now have until the 15th of the month to familiarize themselves with the submission. OASIS members should give their input on this question to the voting representative of their organization.

By the 16th of the month I will send out a Call For Vote to the voting representative of each OASIS member organization, who will have until the end of the month to cast their ballots on whether this Committee Draft should be approved as an OASIS Standard.

The normative TC Process for approval of Committee Drafts as OASIS Standards is found at:

http://www.oasis-open.org/committees/process.php#standard

Any statements related to the IPR of this specification are posted at:

http://www.oasis-open.org/committees/avdl/ipr.php

-Karl

Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206
mobile +1 978.761.1648
karl.best@oasis-open.org
WWW: http://www.oasis-open.org

Declarations presented by the AVDL TC Chairs

1. A formal specification that is a valid member of its type, together with appropriate documentation for the specification, both of which must be written using approved OASIS templates.

AVDL Committee Draft Specification Version 1.0
http://www.oasis-open.org/committees/download.php/6163/AVDL%20Specification_V1.pdf

AVDL XML Schema
http://www.oasis-open.org/committees/download.php/5065/avdl.xsd

2. A clear English-language summary of the specification.

The Application Vulnerability Description Language (AVDL) specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, AVDL is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML.

With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily or even hourly. Consequently, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches, and manage security events. Enterprises have come to view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for the products these enterprises have implemented to communicate with each other, making the overall security management process far too manual, time-consuming, and error prone.

Enterprise customers are asking companies to provide products that interoperate. A consistent definition of application security vulnerabilities is a significant step towards that goal. AVDL fulfills this goal by providing an XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies.

3. A statement regarding the relationship of this specification to similar work of other OASIS TCs or other standards developing organizations.

The AVDL Technical Committee would like to acknowledge earlier efforts in promotion of application vulnerabilities and standardization of their representation and interchange. Their work inspired many ideas incorporated into the AVDL standard.

The following works are related to AVDL:

The Open Vulnerability Assessment Language developed at the Mitre Corporation "is the common language for security experts to discuss and agree upon technical details about how to check for the presence of a vulnerability on a computer system". Using SQL, OVAL queries are based on broadly recognized Common Vulnerabilities and Exposures (CVE) database and by "specifying logical conditions on the values of system characteristics and configuration attributes, OVAL queries characterize exactly which systems are susceptible to a given vulnerability."
VulnXML developed by the Open Web Application Security Project (OWASP) "could be used by automated assessment tools to test for known security issues". Closely related and also developed at OWASP was Application Security Attack Components or ASAC which "is a basic classification scheme of web application security issues. The aim of this project was to create a common language and a consensus understanding among the industry to describe the same issue in the same way." Their work continues at OASIS Web Application Security TC.

4. Certification by at least three OASIS member organizations that they are successfully using the specification consistently with the OASIS IPR Policy.

Citadel
http://lists.oasis-open.org/archives/avdl/200403/msg00012.html

NetContinuum
http://lists.oasis-open.org/archives/avdl/200403/msg00021.html

SPI Dynamics
http://lists.oasis-open.org/archives/avdl/200403/msg00011.html

5. An account of each of the comments/issues raised during the public review period, along with its resolution.

The document is located at:

http://www.oasis-open.org/committees/download.php/5774/AVDL%20Public%20Review%20Comments.doc

It lists the comments received during the public review conducted from 6 February to 8 March 2004, and their resolution. Note: only one comment was received during this period.

6. An account of and results of the voting to approve the approve the specification as a Committee Draft.

Approval of the specification as a Committee Draft was 26 March 2004. The ballot results can be found at the following link:

http://www.oasis-open.org/committees/ballot.php?id=409&vr=1&ew=

Approval to submit the Committee Draft to OASIS membership for consideration as an OASIS standard. The ballot can be found at the following link:

http://www.oasis-open.org/committees/ballot.php?id=410&vr=1&ew=

7. An account of or pointer to votes and comments received in any earlier attempts to standardize substantially the same specification, together with the originating TC's response to each comment.

There have been no other attempts to standardize this specification to OASIS.

8. A pointer to the publicly visible comments archive for the originating TC.

AVDL TC List:
http://lists.oasis-open.org/archives/avdl/

AVDL TC Comment List:
http://lists.oasis-open.org/archives/avdl-comment/

9. A statement from the chair of the TC certifying that all members of the TC have been provided with a copy of the OASIS IPR Policy.

"All members of the Technical Committee have been provided with access to the OASIS IPR policy. An email was sent on March 4, 2004 to the members of the Technical Committee with a link to the policy. In addition, this submission complies with the requirements of the IPR policy."

10. Optionally, a pointer to any minority reports submitted by one or more TC members who did not vote in favor of approving the Committee Draft, or certification by the chair that no minority reports exist.

There are no minority reports to list with this specification.

Submitted by the TC Chairs

Kevin Heineman, kheineman@spidynamics.com
Jan Bialkowski, jan@netcontinuum.com

[Source: http://lists.oasis-open.org/archives/tc-announce/200404/msg00007.html]

Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news story: "OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft."

SEARCH Advanced Search ABOUT Site Map CP RSS Channel Contact Us Sponsoring CP About Our Sponsors NEWS Cover Stories Articles & Papers Press Releases CORE STANDARDS XML SGML Schemas XSL/XSLT/XPath XLink XML Query CSS SVG TECHNOLOGY REPORTS XML Applications General Apps Government Apps Academic Apps EVENTS LIBRARY Introductions FAQs Bibliography Technology and Society Semantics Tech Topics Software Related Standards Historic	OASIS Approved CD: Application Vulnerability Description Language AVDL Specification Submitted for Approval as an OASIS Standard Date: Thu, 29 Apr 2004 08:16:42 -0400 From: Karl F. Best <karl.best@oasis-open.org> To: members@lists.oasis-open.org, tc-announce@lists.oasis-open.org Subject: AVDL specification submitted for OASIS Standard OASIS members: The OASIS Application Vulnerability Description Language (AVDL) TC has submitted the Application Vulnerability Description Language (AVDL) v1.0 specification, which is an approved Committee Draft, for review and consideration for approval by OASIS members to become an OASIS Standard. The TC's submission is attached below. In accordance with the OASIS Technical Process, the specification has already gone through a 30 day public review period. OASIS members now have until the 15th of the month to familiarize themselves with the submission. OASIS members should give their input on this question to the voting representative of their organization. By the 16th of the month I will send out a Call For Vote to the voting representative of each OASIS member organization, who will have until the end of the month to cast their ballots on whether this Committee Draft should be approved as an OASIS Standard. The normative TC Process for approval of Committee Drafts as OASIS Standards is found at: http://www.oasis-open.org/committees/process.php#standard Any statements related to the IPR of this specification are posted at: http://www.oasis-open.org/committees/avdl/ipr.php -Karl Karl F. Best Vice President, OASIS office +1 978.667.5115 x206 mobile +1 978.761.1648 karl.best@oasis-open.org WWW: http://www.oasis-open.org Declarations presented by the AVDL TC Chairs 1. A formal specification that is a valid member of its type, together with appropriate documentation for the specification, both of which must be written using approved OASIS templates. AVDL Committee Draft Specification Version 1.0 http://www.oasis-open.org/committees/download.php/6163/AVDL%20Specification_V1.pdf AVDL XML Schema http://www.oasis-open.org/committees/download.php/5065/avdl.xsd 2. A clear English-language summary of the specification. The Application Vulnerability Description Language (AVDL) specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, AVDL is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML. With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily or even hourly. Consequently, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches, and manage security events. Enterprises have come to view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for the products these enterprises have implemented to communicate with each other, making the overall security management process far too manual, time-consuming, and error prone. Enterprise customers are asking companies to provide products that interoperate. A consistent definition of application security vulnerabilities is a significant step towards that goal. AVDL fulfills this goal by providing an XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies. 3. A statement regarding the relationship of this specification to similar work of other OASIS TCs or other standards developing organizations. The AVDL Technical Committee would like to acknowledge earlier efforts in promotion of application vulnerabilities and standardization of their representation and interchange. Their work inspired many ideas incorporated into the AVDL standard. The following works are related to AVDL: The Open Vulnerability Assessment Language developed at the Mitre Corporation "is the common language for security experts to discuss and agree upon technical details about how to check for the presence of a vulnerability on a computer system". Using SQL, OVAL queries are based on broadly recognized Common Vulnerabilities and Exposures (CVE) database and by "specifying logical conditions on the values of system characteristics and configuration attributes, OVAL queries characterize exactly which systems are susceptible to a given vulnerability." VulnXML developed by the Open Web Application Security Project (OWASP) "could be used by automated assessment tools to test for known security issues". Closely related and also developed at OWASP was Application Security Attack Components or ASAC which "is a basic classification scheme of web application security issues. The aim of this project was to create a common language and a consensus understanding among the industry to describe the same issue in the same way." Their work continues at OASIS Web Application Security TC. 4. Certification by at least three OASIS member organizations that they are successfully using the specification consistently with the OASIS IPR Policy. Citadel http://lists.oasis-open.org/archives/avdl/200403/msg00012.html NetContinuum http://lists.oasis-open.org/archives/avdl/200403/msg00021.html SPI Dynamics http://lists.oasis-open.org/archives/avdl/200403/msg00011.html 5. An account of each of the comments/issues raised during the public review period, along with its resolution. The document is located at: http://www.oasis-open.org/committees/download.php/5774/AVDL%20Public%20Review%20Comments.doc It lists the comments received during the public review conducted from 6 February to 8 March 2004, and their resolution. Note: only one comment was received during this period. 6. An account of and results of the voting to approve the approve the specification as a Committee Draft. Approval of the specification as a Committee Draft was 26 March 2004. The ballot results can be found at the following link: http://www.oasis-open.org/committees/ballot.php?id=409&vr=1&ew= Approval to submit the Committee Draft to OASIS membership for consideration as an OASIS standard. The ballot can be found at the following link: http://www.oasis-open.org/committees/ballot.php?id=410&vr=1&ew= 7. An account of or pointer to votes and comments received in any earlier attempts to standardize substantially the same specification, together with the originating TC's response to each comment. There have been no other attempts to standardize this specification to OASIS. 8. A pointer to the publicly visible comments archive for the originating TC. AVDL TC List: http://lists.oasis-open.org/archives/avdl/ AVDL TC Comment List: http://lists.oasis-open.org/archives/avdl-comment/ 9. A statement from the chair of the TC certifying that all members of the TC have been provided with a copy of the OASIS IPR Policy. "All members of the Technical Committee have been provided with access to the OASIS IPR policy. An email was sent on March 4, 2004 to the members of the Technical Committee with a link to the policy. In addition, this submission complies with the requirements of the IPR policy." 10. Optionally, a pointer to any minority reports submitted by one or more TC members who did not vote in favor of approving the Committee Draft, or certification by the chair that no minority reports exist. There are no minority reports to list with this specification. Submitted by the TC Chairs Kevin Heineman, kheineman@spidynamics.com Jan Bialkowski, jan@netcontinuum.com [Source: http://lists.oasis-open.org/archives/tc-announce/200404/msg00007.html] Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news story: "OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft."