David Burton on ADVL and VulnXML


Web Application Security: ADVL vs VulnXML


To:         Web Application Security 
Subject:    RE: ADVL vs VulnXML 
Date:       Apr 2 2003 11:08PM 
Author:     David Burton <dburton@netcontinuum.com>

AVDL is not intended to duplicate or replace any existing industry standard and should be entirely complementary to efforts like VulnXML. VulnXML focuses on creating more uniform ways for security researchers to describe and classify specific new vulnerabilities when they are initially discovered in much the same way anti-virus researchers have been attempting to do for years. VulnXML attempts to add some of the detail needed to adequately describe application-layer vulnerabilities. The vendors proposing AVDL support VulnXML.

We are proposing AVDL to address the broader business-oriented problem of how companies actually manage ongoing application security risk on a day-to-day basis. Managing application security risk in a highly dynamic environment can be an extraordinary challenge for security administrators. Fortunately, there are now a wide variety of best-of-breed products on the market to help companies with the task of discovering application vulnerabilities, blocking application-layer attacks, repairing vulnerable web sites, distributing patches and managing security events. Unfortunately, these products have no universal way to communicate with each other, making pragmatic management of this risk a highly manual, and often complex, process.

The goal of AVDL is to help companies begin managing the full application security lifecycle by providing a more uniform way of communicating application security vulnerabilities, policies and events via XML. It is the full intent of the vendors proposing AVDL to repurpose any positive progress that has already been made by the security community to date.

Dave Burton
NetContinuum, Inc.
WWW: www.netcontinuum.com

[Reply to:]

Sent:      Wednesday, April 02, 2003 1:47 PM
To:        webappsec@securityfocus.com
Cc: cbanzof@citadel.com; jan@netcontinuum.com; kheineman@spidynamics.com; advl-comment@lists.oasis-open.org
Subject:   ADVL vs VulnXML

I just noticed on OASIS the newly proposed Application Vulnerability Description Language.

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl

How does this differ from OWASP VulnXML (http://www.owasp.org/vulnxml/)?

I don't see anyone from OWASP on the committee which is kinda interesting given they invented the concept over a year ago and have a database running coming along so I hear. I hope this won't be a case of a few vendors trying to take thought leadership for something the open source community has already done!

Source: http://www.securityfocus.com/archive/107/317254/2003-03-30/2003-04-05/0


Prepared by Robin Cover for The XML Cover Pages archive. See: "OASIS Forms TC for Application Vulnerability Description Language (AVDL)."



Document URL: http://xml.coverpages.org/Burton-ADVL.html