Leading Application Security Vendors Support AVDL OASIS Committee Draft
Application Security Leaders Announce Support for AVDL OASIS Committee Draft
Cenzic, Citadel, Department of Energy CIAC, GuardedNet, NetContinuum, Qualys, SPI Dynamics, Teros and WhiteHat Among Growing Number of Organizations to Support AVDL
San Francisco, CA, USA. February 23, 2004. RSA Conference.
Leading application security vendors and organizations Cenzic, Citadel, Department of Energy Computer Incident Advisory Capability (CIAC), GuardedNet, NetContinuum, Qualys, SPI Dynamics, Teros and WhiteHat Security, today announced support for the new Application Vulnerability Description Language (AVDL) developed by the OASIS international standards consortium. Growing vendor adoption of AVDL gives security professionals far more freedom and flexibility in managing application security risk and securing critical resources.
AVDL enables application security products from different vendors to easily and rapidly share data about security vulnerabilities. As originally promised, less than one year after its initial proposal, the OASIS AVDL Technical Committee (TC) has completed the 1.0 specification.
"Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice," said John Pescatore, vice president at Gartner. "New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites."
AVDL addresses the business problem of how companies manage ongoing application security risk on a day-to-day basis. With application vulnerabilities now accounting for 75 percent of all attacks, companies have begun deploying a host of next-generation security tools to find application vulnerabilities, block application-layer attacks, patch systems and manage application security events. AVDL enables end users to take this protection one step further by enabling seamless communication between application security products at all stages of the application lifecycle.
Several vendors will be demonstrating AVDL interoperability of their products at the 2004 RSA Conference to highlight the growing maturity and commercial viability of AVDL automation. Members of the OASIS AVDL Technical Committee — Citadel, NetContinuum and SPI Dynamics — have already implemented the draft AVDL specification into their product lines and will offer live demonstrations at each vendor's booth: Citadel #1610, NetContinuum #510, and SPI Dynamics #1535.
AVDL Technical Details
AVDL provides a rich XML schema that fully describes web application security properties and vulnerabilities. The basic concept embodied in the schema is an application-level transaction, called a probe, which describes a multi-step exchange between a client and a web application server. Such probes may specify valid and expected request-response exchanges between browsers and servers, or may specify application vulnerability exploits.
The probe format allows various security devices to precisely and unambiguously communicate with each other, creating a seamlessly integrated secure web application environment at every stage of the application lifecycle — including development, testing, implementation, production and audit.
For example, a security scanner maps out the application and detects its flaws and vulnerabilities. The scanner then sends its assessment in the form of a set of AVDL probes to other security devices. The recipients, such as patch management systems or security gateways, use the AVDL input to automatically generate configuration recommendations, preventing accidental omissions and mistakes inherent in manual interventions and eliminating a significant source of security holes and operators' worries. Ultimately, the security administrators manage the process by rejecting, modifying, or approving the recommended operations.
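As an added illustration of the probe-to-recommendation flow just described (this is example code, not code from the OASIS TC or any vendor named here): a scanner's assessment is parsed into probes, a gateway turns each request step into a rule recommendation that starts in passive (log-only) mode, and an administrator approves, rejects, or leaves each one. The element and attribute names are assumptions made for the illustration and are not the actual AVDL 1.0 schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample document. Element and attribute names are hypothetical
# illustrations of the probe concept; they are NOT the real AVDL 1.0 schema.
SAMPLE_AVDL = """<assessment>
  <probe id="p1" kind="expected">
    <step method="GET" path="/login"/>
    <step method="POST" path="/login">
      <param name="user" maxlen="32"/><param name="pass" maxlen="64"/>
    </step>
  </probe>
  <probe id="p2" kind="vulnerability" title="Oversized search parameter">
    <step method="GET" path="/search"><param name="q" maxlen="4096"/></step>
  </probe>
</assessment>"""

def parse_probes(xml_text):
    """Return probes as (id, kind, title, [(method, path, {param: maxlen})])."""
    root = ET.fromstring(xml_text)
    probes = []
    for p in root.findall("probe"):
        steps = []
        for s in p.findall("step"):
            limits = {q.get("name"): int(q.get("maxlen")) for q in s.findall("param")}
            steps.append((s.get("method"), s.get("path"), limits))
        probes.append((p.get("id"), p.get("kind"), p.get("title", ""), steps))
    return probes

def recommend_policy(probes):
    """Map probes to gateway rule recommendations, one per request step.
    Expected exchanges become allow rules (a positive model of the app);
    vulnerability exchanges become deny rules. Every rule starts passive."""
    rules = []
    for pid, kind, title, steps in probes:
        action = "allow" if kind == "expected" else "deny"
        for method, path, limits in steps:
            rules.append({"source": pid, "path": path, "method": method,
                          "limits": limits, "action": action,
                          "mode": "passive", "reason": title})
    return rules

def review(rules, approved, rejected=()):
    """Administrator step: approved rules go to blocking mode, rejected rules
    are dropped, everything else stays passive for further observation."""
    out = []
    for r in rules:
        if r["source"] in rejected:
            continue
        out.append(dict(r, mode="blocking" if r["source"] in approved else "passive"))
    return out
```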
How to Get Involved
Participants in the application security field — end users, vendors, and researchers alike — are invited to bring their experience and expertise to help shape the future of AVDL and the security community. Organizations and professionals are encouraged to contact the vendors they rely on for application development, deployment and security and ask them when their products will support AVDL. Security and application vendors interested in implementing AVDL in their products can obtain additional information on how to work with the specification at http://www.avdl.org. The OASIS AVDL Technical Committee (http://www.oasis-open.org/committees/avdl) is open to all interested parties.
The OASIS AVDL Technical Committee has approved version 1.0 of the AVDL Specification and related XML Schema as a Committee Draft. The prescribed 30-day public review period is underway. AVDL has already begun to gather significant industry momentum with organizations from the private, government and public sectors announcing support for the specification. Early support for AVDL has been announced by a variety of vendors and organizations, including:
Cenzic, Inc. (http://www.cenzic.com), a provider of application vulnerability management solutions for custom and off-the-shelf enterprise applications, plans to support AVDL. "AVDL is a good step toward standardization and could make it easier for application security experts, network operators and QA professionals to work together," said John Weinschenk, CEO at Cenzic. "We believe standards are required in the application security space and we'll plan on supporting any standards that help customers get more efficient in their implementations."
Citadel Security Software (http://www.citadel.com), a leader in automated vulnerability remediation and policy compliance solutions, has implemented the AVDL standard in its Hercules product line. "As a provider of vulnerability remediation and policy enforcement solutions, Citadel's goal is to offer enterprise customers a full life cycle vulnerability management solution," said Citadel CTO Carl Banzhof. "With the introduction of AVDL 1.0, we extend our capability to provide interoperability between industry-leading network and application security technologies and our vulnerability management solutions. Private enterprise and public sector customers will benefit enormously from the greater flexibility and consistency for implementing security policies with a standard approach to managing vulnerability data."
Department of Energy — CIAC (http://www.ciac.org), the central security incident response organization for the Department of Energy (DOE) and National Nuclear Security Administration (NNSA), plans to AVDL-enable its new Security Incident Response Portal. "CIAC plays a vital role in monitoring daily security alerts, disseminating relevant information to our users and helping them respond quickly to new threats," said John Dias, Senior Security Analyst at the DOE-CIAC. "Unfortunately, this process is far too labor-intensive today. To help address this growing problem, CIAC will debut a new Security Incident Response Portal this spring based on a Web Services architecture that is AVDL-aware. This will allow the CIAC Portal to automatically interpret new application security alerts published in AVDL format and disseminate this information to security managers far more quickly than is currently possible."
GuardedNet, Inc. (http://www.guarded.net), a provider of security event management software solutions, believes that implementing AVDL will further enhance the company's ability to provide a common interface and taxonomy with which to analyze and respond to security event data. "As providers of a security event management platform, GuardedNet is a strong proponent of standards for communicating security event data," said Rich Telljohann, vice president of business development for GuardedNet. "We are a big supporter of the AVDL initiative and are excited to see significant progress and industry adoption of this standard."
NetContinuum, Inc. (http://www.netcontinuum.com), a leading provider of application security gateways and co-chair of the OASIS AVDL TC, has already integrated AVDL into its product line. The company's new "AVDL Recommendation Wizard" reads AVDL input received by the gateway and generates recommended security policies from it. Users then have the option to first run the policy setting in passive mode, if preferred, before setting it to active blocking mode. "AVDL is not a difficult standard to implement," said Jan Bialkowski, CTO of NetContinuum and co-chair of the AVDL TC. "Since most products already 'speak' XML, implementing AVDL is simply a matter of rearranging the XML structure to fit the AVDL schema. The TC spent nearly a year working through all the tough issues and various implementation scenarios to ensure the AVDL schema would be easy to implement. The hard work is done and AVDL is ready for broad adoption by security and application vendors, alike."
Qualys, Inc. (http://www.qualys.com), the market leader of on-demand Network Security Audits and Vulnerability Management, plans to add AVDL output capabilities to its QualysGuard service. "As an early participant in the AVDL process, Qualys is excited to see this important standard near completion," said Gerhard Eschelbeck, CTO and VP of engineering of Qualys. "AVDL provides end users with a standardized way to view and share vulnerability information that will ultimately simplify the security management processes."
SPI Dynamics, Inc. (http://www.spidynamics.com), the expert in web application security testing and enterprise security risk management, and co-chair of the OASIS AVDL TC, has integrated AVDL 1.0 into its WebInspect product line, enabling customers to export comprehensive application vulnerability information in AVDL format. "We are pleased to see this broad-based support for the AVDL initiative from additional leading application security vendors and the larger software community," said Caleb Sima, co-founder and CTO of SPI Dynamics. "With their assistance, our hope is to see AVDL's adoption grow so that every application platform, development tool, and custom or packaged application within the enterprise can generate a simple AVDL file indicating the legitimate security parameters of that application. By reading these files, any AVDL-compliant security product could automatically ensure protection for each unique application, from the development phase to full production."
Teros, Inc. (http://www.teros.com), the company that secures web infrastructures from application-level attacks, will be supporting AVDL in their web application firewall appliance. "A standardized approach to application vulnerability management and closer cooperation between layered security technologies gives customers flexibility in their application security choices," said Abhishek Chauhan, co-founder and CTO of Teros. "We support AVDL and the ability for vulnerability information to be shared between multiple application and network layer security systems."
WhiteHat Security (http://www.whitehatsec.com), a leading provider of Web application security software services, supports open standards like AVDL and advocates the benefits of vendor interoperability. "Every time a code change is made to a web application, there is a potential for new security vulnerabilities," said Jeremiah Grossman, CEO of WhiteHat Security. "Whether the web site is an online bank or eCommerce store, the security of the web application is paramount to the security of confidential data. Web application security is an incredibly complicated issue to manage and vendor cooperation will help customers close the window of exposure."
The Application Vulnerability Description Language (AVDL), developed by the OASIS international standards consortium, enables application security products to easily communicate and share data regarding security vulnerabilities. Supported by leading application security vendors and users, the AVDL specification creates a uniform way of describing application security vulnerabilities using XML. With a sharp focus on solving the practical security problems security professionals face on a daily basis, AVDL will help organizations reduce the time, effort, and cost of managing application security products and vulnerabilities. Additional information on AVDL is available at http://www.avdl.org and http://www.oasis-open.org/committees/avdl.
- "Gartner Analyst to Lead Panel Discussion on Application Security Interoperability at RSA Conference. Leading Application Security Vendors to Demonstrate New AVDL Standard in Action."
- Application Vulnerability Description Language. Approved as an OASIS Committee Draft.
- "OASIS Committee Draft for the Application Vulnerability Description Language (AVDL)."
- "OASIS Forms TC for Application Vulnerability Description Language (AVDL)."
- "Application Security Standards" - General References.
Prepared by Robin Cover for The XML Cover Pages archive.