Application Vulnerability Description Language (AVDL) Technical Committee

OASIS TC Call for Participation: AVDL TC

Date:      Wed, 02 Apr 2003 09:04:37 -0500
From:      Karl Best <>
Cc:        James Bryce Clark <>
Subject:   OASIS TC Call for Participation: AVDL TC

A new OASIS technical committee is being formed. The OASIS Application Vulnerability Description Language (AVDL) Technical Committee has been proposed by the following members of OASIS: Carl Banzhof, Citadel Security Software; Jan Bialkowski, NetContinuum; and Kevin Heineman, SPI Dynamics.

The proposal for a new TC meets the requirements of the OASIS TC Process (see, and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified by the TC members; such clarifications, as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC.

For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member.

Note that membership in OASIS TCs is by individual, and not by organization.

For non-OASIS members, a public comment list is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at

The archives of the TC's private and comment mail lists are visible to the public at

Further information about this topic may be found on the Cover Pages under the topic of Application Security at:


Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206  mobile +1 978.761.1648

AVDL TC Proposal

Application Vulnerability Description Language (AVDL) Technical Committee


The name of the TC, such name not to have been previously used for an OASIS TC and not to include any trademarks or service marks not owned by OASIS:

OASIS Application Vulnerability Description Language (AVDL) Technical Committee


Statement of purpose, which must be germane to the mission of OASIS:

The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The AVDL TC is formed to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.

The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include but are not limited to: vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, etc.

AVDL is not intended to communicate network layer vulnerability information such as network topology, TCP-related attacks or other network layer issues. Nor is AVDL intended to carry any information about authentication or access control; these issues are covered by SAML and XACML.

List of deliverables, with projected dates

  • First candidate AVDL specification posted for comment September, 2003
  • First candidate specification closed for comment 30 days after initial posting
  • AVDL 1.0 final specification posted December, 2003

Language in which the TC will conduct business


First Meeting

Date and time of the first meeting, and whether it will be held in person or by phone:

May 15th, 2003, 13:00 Pacific Time, by phone conference call


The meeting schedule for the year following the formation of the TC, or until the projected date of the final deliverable, whichever comes first

After the first meeting on May 15, 2003, subsequent meetings will be held on the third Thursday of every month at 13:00 Pacific time, by conference call.


Names, electronic mail addresses, and membership affiliations of at least three Eligible Persons committed to the stated meeting schedule:

Name of the TC chair

The TC will be co-chaired by (in alphabetical order):

  • Jan Bialkowski, CTO, NetContinuum, Inc.
  • Kevin Heineman, VP of Engineering, SPI Dynamics, Inc.

Phone Meeting Sponsors

Names of phone meeting sponsors, if any:

Co-chairs from NetContinuum and SPI Dynamics. Call-in numbers to be posted.

Face-To-Face Meeting Sponsors

Names of face-to-face meeting sponsors, if any:

None scheduled

Prepared by Robin Cover for The XML Cover Pages archive. See other details in "OASIS Forms TC for Application Vulnerability Description Language (AVDL)."
