OASIS Approved CD: Application Vulnerability Description Language
AVDL Specification Submitted for Approval as an OASIS Standard
Date: Thu, 29 Apr 2004 08:16:42 -0400 From: Karl F. Best <firstname.lastname@example.org> To: email@example.com, firstname.lastname@example.org Subject: AVDL specification submitted for OASIS Standard
The OASIS Application Vulnerability Description Language (AVDL) TC has submitted the Application Vulnerability Description Language (AVDL) v1.0 specification, which is an approved Committee Draft, for review and consideration for approval by OASIS members to become an OASIS Standard. The TC's submission is attached below.
In accordance with the OASIS Technical Process, the specification has already gone through a 30 day public review period. OASIS members now have until the 15th of the month to familiarize themselves with the submission. OASIS members should give their input on this question to the voting representative of their organization.
By the 16th of the month I will send out a Call For Vote to the voting representative of each OASIS member organization, who will have until the end of the month to cast their ballots on whether this Committee Draft should be approved as an OASIS Standard.
The normative TC Process for approval of Committee Drafts as OASIS Standards is found at:
Any statements related to the IPR of this specification are posted at:
Karl F. Best Vice President, OASIS office +1 978.667.5115 x206 mobile +1 978.761.1648 email@example.com WWW: http://www.oasis-open.org
Declarations presented by the AVDL TC Chairs
1. A formal specification that is a valid member of its type, together with appropriate documentation for the specification, both of which must be written using approved OASIS templates.
AVDL Committee Draft Specification Version 1.0
AVDL XML Schema
2. A clear English-language summary of the specification.
The Application Vulnerability Description Language (AVDL) specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, AVDL is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML.
With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily or even hourly. Consequently, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches, and manage security events. Enterprises have come to view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for the products these enterprises have implemented to communicate with each other, making the overall security management process far too manual, time-consuming, and error prone.
Enterprise customers are asking companies to provide products that interoperate. A consistent definition of application security vulnerabilities is a significant step towards that goal. AVDL fulfills this goal by providing an XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies.
3. A statement regarding the relationship of this specification to similar work of other OASIS TCs or other standards developing organizations.
The AVDL Technical Committee would like to acknowledge earlier efforts in promotion of application vulnerabilities and standardization of their representation and interchange. Their work inspired many ideas incorporated into the AVDL standard.
The following works are related to AVDL:
The Open Vulnerability Assessment Language developed at the Mitre Corporation "is the common language for security experts to discuss and agree upon technical details about how to check for the presence of a vulnerability on a computer system". Using SQL, OVAL queries are based on broadly recognized Common Vulnerabilities and Exposures (CVE) database and by "specifying logical conditions on the values of system characteristics and configuration attributes, OVAL queries characterize exactly which systems are susceptible to a given vulnerability."
VulnXML developed by the Open Web Application Security Project (OWASP) "could be used by automated assessment tools to test for known security issues". Closely related and also developed at OWASP was Application Security Attack Components or ASAC which "is a basic classification scheme of web application security issues. The aim of this project was to create a common language and a consensus understanding among the industry to describe the same issue in the same way." Their work continues at OASIS Web Application Security TC.
4. Certification by at least three OASIS member organizations that they are successfully using the specification consistently with the OASIS IPR Policy.
5. An account of each of the comments/issues raised during the public review period, along with its resolution.
The document is located at:
It lists the comments received during the public review conducted from 6 February to 8 March 2004, and their resolution. Note: only one comment was received during this period.
6. An account of and results of the voting to approve the approve the specification as a Committee Draft.
Approval of the specification as a Committee Draft was 26 March 2004. The ballot results can be found at the following link:
Approval to submit the Committee Draft to OASIS membership for consideration as an OASIS standard. The ballot can be found at the following link:
7. An account of or pointer to votes and comments received in any earlier attempts to standardize substantially the same specification, together with the originating TC's response to each comment.
There have been no other attempts to standardize this specification to OASIS.
8. A pointer to the publicly visible comments archive for the originating TC.
AVDL TC List:
AVDL TC Comment List:
9. A statement from the chair of the TC certifying that all members of the TC have been provided with a copy of the OASIS IPR Policy.
"All members of the Technical Committee have been provided with access to the OASIS IPR policy. An email was sent on March 4, 2004 to the members of the Technical Committee with a link to the policy. In addition, this submission complies with the requirements of the IPR policy."
10. Optionally, a pointer to any minority reports submitted by one or more TC members who did not vote in favor of approving the Committee Draft, or certification by the chair that no minority reports exist.
There are no minority reports to list with this specification.
Submitted by the TC Chairs
Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news story: "OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft."