Application Vulnerability Description Language (AVDL) Technical Committee

OASIS TC Call for Participation: AVDL TC

Date:      Wed, 02 Apr 2003 09:04:37 -0500
From:      Karl Best <karl.best@oasis-open.org>
To:        members@lists.oasis-open.org, tc-announce@lists.oasis-open.org,
           xml-dev@lists.xml.org, avdl@lists.oasis-open.org           
Cc:        James Bryce Clark <jamie.clark@oasis-open.org>
Subject:   OASIS TC Call for Participation: AVDL TC

A new OASIS technical committee is being formed. The OASIS Application Vulnerability Description Language (AVDL) Technical Committee has been proposed by the following members of OASIS: Carl Banzhof, Citadel Security Software; Jan Bialkowski, NetContinuum; and Kevin Heineman, SPI Dynamics.

The proposal for a new TC meets the requirements of the OASIS TC Process (see http://oasis-open.org/committees/process.shtml), and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified by the TC members; such clarifications, as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC.

For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member.

Note that membership in OASIS TCs is by individual, and not by organization.

For non-OASIS members, a public comment list avdl-comment@lists.oasis-open.org is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl.

The archives of the TC's private and comment mail lists are visible to the public at http://lists.oasis-open.org/archives/

Further information about this topic may be found on the Cover Pages under the topic of Application Security at:

http://xml.coverpages.org/appSecurity.html.

-Karl

Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206  mobile +1 978.761.1648
karl.best@oasis-open.org
http://www.oasis-open.org

AVDL TC Proposal

Application Vulnerability Description Language (AVDL) Technical Committee

Name

The name of the TC, such name not to have been previously used for an OASIS TC and not to include any trademarks or service marks not owned by OASIS:

OASIS Application Vulnerability Description Language (AVDL) Technical Committee

Purpose

Statement of purpose, which must be germane to the mission of OASIS:

The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The AVDL TC is formed to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.

The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include but are not limited to: vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, etc.

AVDL is not intended to communicate network layer vulnerability information such as network topology, TCP related attacks or other network layer issues. Nor is AVDL intended to carry any information about authentication or access control, these issues are covered by SAML and XACML.

List of deliverables, with projected dates

First candidate AVDL specification posted for comment September, 2003
First candidate specification closed for comment 30 days after initial posting
AVDL 1.0 final specification posted December, 2003

Language in which the TC will conduct business

English

First Meeting

Date and time of the first meeting, and whether it will be held in person or by phone:

May 15th, 2003, 13:00 Pacific Time, by phone conference call

Schedule

The meeting schedule for the year following the formation of the TC, or until the projected date of the final deliverable, whichever comes first

After the first meeting on May 15, 2003, subsequent meetings will be held on the third Thursday of every month at 13:00 Pacific time, by conference call.

Proposers

Names, electronic mail addresses, and membership affiliations of at least three Eligible Persons committed to the stated meeting schedule:

Carl Banzhof, cbanzhof@citadel.com, Citadel Security Software, Inc.
Jan Bialkowski, jan@netcontinuum.com, NetContinuum, Inc.
Kevin Heineman, kheineman@spidynamics.com, SPI Dynamics

Name of the TC chair

The TC will be co-chaired by (in alphabetical order):

Jan Bialkowski, CTO, NetContinuum, Inc.
Kevin Heineman, VP of Engineering, SPI Dynamics, Inc.

Phone Meeting Sponsors

Names of phone meeting sponsors, if any:

Co-chairs from NetContinuum and SPI Dynamics. Call in numbers to be posted.

Face-To-Face Meeting Sponsors

Names of face-to-face meeting sponsors, if any:

None scheduled

Prepared by Robin Cover for The XML Cover Pages archive. See other details in "OASIS Forms TC for Application Vulnerability Description Language (AVDL)."

SEARCH Advanced Search ABOUT Site Map CP RSS Channel Contact Us Sponsoring CP About Our Sponsors NEWS Cover Stories Articles & Papers Press Releases CORE STANDARDS XML SGML Schemas XSL/XSLT/XPath XLink XML Query CSS SVG TECHNOLOGY REPORTS XML Applications General Apps Government Apps Academic Apps EVENTS LIBRARY Introductions FAQs Bibliography Technology and Society Semantics Tech Topics Software Related Standards Historic	Application Vulnerability Description Language (AVDL) Technical Committee OASIS TC Call for Participation: AVDL TC Date: Wed, 02 Apr 2003 09:04:37 -0500 From: Karl Best <karl.best@oasis-open.org> To: members@lists.oasis-open.org, tc-announce@lists.oasis-open.org, xml-dev@lists.xml.org, avdl@lists.oasis-open.org Cc: James Bryce Clark <jamie.clark@oasis-open.org> Subject: OASIS TC Call for Participation: AVDL TC A new OASIS technical committee is being formed. The OASIS Application Vulnerability Description Language (AVDL) Technical Committee has been proposed by the following members of OASIS: Carl Banzhof, Citadel Security Software; Jan Bialkowski, NetContinuum; and Kevin Heineman, SPI Dynamics. The proposal for a new TC meets the requirements of the OASIS TC Process (see http://oasis-open.org/committees/process.shtml), and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified by the TC members; such clarifications, as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting. As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC. For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member. Note that membership in OASIS TCs is by individual, and not by organization. For non-OASIS members, a public comment list avdl-comment@lists.oasis-open.org is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl. The archives of the TC's private and comment mail lists are visible to the public at http://lists.oasis-open.org/archives/ Further information about this topic may be found on the Cover Pages under the topic of Application Security at: http://xml.coverpages.org/appSecurity.html. -Karl Karl F. Best Vice President, OASIS office +1 978.667.5115 x206 mobile +1 978.761.1648 karl.best@oasis-open.org http://www.oasis-open.org AVDL TC Proposal Application Vulnerability Description Language (AVDL) Technical Committee Name The name of the TC, such name not to have been previously used for an OASIS TC and not to include any trademarks or service marks not owned by OASIS: OASIS Application Vulnerability Description Language (AVDL) Technical Committee Purpose Statement of purpose, which must be germane to the mission of OASIS: The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The AVDL TC is formed to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability. The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include but are not limited to: vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, etc. AVDL is not intended to communicate network layer vulnerability information such as network topology, TCP related attacks or other network layer issues. Nor is AVDL intended to carry any information about authentication or access control, these issues are covered by SAML and XACML. List of deliverables, with projected dates First candidate AVDL specification posted for comment September, 2003 First candidate specification closed for comment 30 days after initial posting AVDL 1.0 final specification posted December, 2003 Language in which the TC will conduct business English First Meeting Date and time of the first meeting, and whether it will be held in person or by phone: May 15th, 2003, 13:00 Pacific Time, by phone conference call Schedule The meeting schedule for the year following the formation of the TC, or until the projected date of the final deliverable, whichever comes first After the first meeting on May 15, 2003, subsequent meetings will be held on the third Thursday of every month at 13:00 Pacific time, by conference call. Proposers Names, electronic mail addresses, and membership affiliations of at least three Eligible Persons committed to the stated meeting schedule: Carl Banzhof, cbanzhof@citadel.com, Citadel Security Software, Inc. Jan Bialkowski, jan@netcontinuum.com, NetContinuum, Inc. Kevin Heineman, kheineman@spidynamics.com, SPI Dynamics Name of the TC chair The TC will be co-chaired by (in alphabetical order): Jan Bialkowski, CTO, NetContinuum, Inc. Kevin Heineman, VP of Engineering, SPI Dynamics, Inc. Phone Meeting Sponsors Names of phone meeting sponsors, if any: Co-chairs from NetContinuum and SPI Dynamics. Call in numbers to be posted. Face-To-Face Meeting Sponsors Names of face-to-face meeting sponsors, if any: None scheduled Prepared by Robin Cover for The XML Cover Pages archive. See other details in "OASIS Forms TC for Application Vulnerability Description Language (AVDL)."