Web Application Security Technical Committee

OASIS TC Call for Participation: Web Application Security TC

Date:      Tue, 13 May 2003 08:48:40 -0400
From:      Karl F. Best <karl.best@oasis-open.org>
To:        members@lists.oasis-open.org, tc-announce@lists.oasis-open.org,
           xml-dev@lists.xml.org, was@lists.oasis-open.org
Subject:   OASIS TC Call for Participation: Web Application Security TC

A new OASIS technical committee is being formed. The OASIS Web Application Security Technical Committee (WAS TC) has been proposed by the following members of OASIS: Steven Taylor, Bank of America; Martin Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole, Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins, Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel Lawrence, and Andrew Jacquith.

The proposal for a new TC meets the requirements of the OASIS TC Process (see http://oasis-open.org/committees/process.shtml), and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified (revised) by the TC members; such clarifications (revisions), as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting.

As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC.

For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at http://www.oasis-open.org/committees/was and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member.

Note that membership in OASIS TCs is by individual, and not by organization.

For non-OASIS members, a public comment list was-comment@lists.oasis-open.org is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl.

The archives of the TC's private and comment mail lists are visible to the public at http://lists.oasis-open.org/archives/.

Further information about this topic may be found on the Cover Pages under the topic of "Application Security" at:
http://xml.coverpages.org/appSecurity.html.

-Karl

Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206
mobile +1 978.761.1648
karl.best@oasis-open.org
http://www.oasis-open.org

OASIS Proposal for Web Application Security XML (WAS-XML)

Name of the TC

The name of the technical committee will be WAS-XML (Web Application Security XML).

Statement of Purpose

Like many other parts of the IT industry, the information security industry has grown extremely fast with few standards bodies and often little co-operation and co-ordination between vendors and the user community.

When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data can also not be used to provide automated immediate protection by web security assessment and intrusion protection tools.

The WAS-XML technical committee will produce:

a classification scheme for web security vulnerabilities
a model to provide guidance for initial threat, impact and therefore risk ratings
an XML schema to describe web security conditions that can be used by both assessment and protection tools

The technical committee will unite industry consensus and provide standards from which vendors and users will benefit. It will leverage and extend the work of the OWASP VulnXML project that has been established for over a year. The existing VulnXML work is being given to OASIS as part of this proposal.

We will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it and given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem. The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data.

List of Deliverables

Web Security Classification Scheme - within 12 weeks of TC formation
Web Security Risk Ranking Model - within 16 weeks of TC formation
WAS-XML Schema (fully documented) - within 24weeks of TC formation
WAS-XML Developers Guide - within 24 weeks of TC formation
WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation

Language

This TC will conduct its business in English.

Date and Time of First Meeting

The first meeting will be help on July 3rd, 2003 at 12pm ET via teleconference, in English.

Meeting Schedule

This technical committee will hold teleconference calls every two weeks on Fridays at 10am EST. It is proposed to hold a face to face meeting in September in Washington DC.

Proposers

Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
Martin Nystrom - Cisco (mnystrom@cisco.com)
William Hau - IBM (whau@uk.ibm.com)
Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
Yuval Ben-Itzak, Individual (yuval@kavado.com)
Phil Brass, Individual (pbrass@iss.net)
Dave Cole, Individual (dave.cole@foundstone.com)
Mark Curphey, Individual (mark.curphey@watchfire.com)
Rogan Dawes, Individual (rdawes@deloitte.co.za)
David Endler, Individual (dendler@idefense.com)
Jeremy Poteet, Individual (jpoteet@tech-partners.com)
Kerry Rollins, Individual (kerry.Rollins@ey.com)
Tim Smith, Individual (tim.smith@alphawest.com.au)
Jeff Williams, Individual (jeff.williams@aspectsecurity.com)
David Raphael, Individual (david.raphael@ericsson.com)
Jason Childers, Individual (childers_j@yahoo.com)
Gabriel Lawrence, Individual (gabe@ucsd.edu)
Andrew Jacquith, Individual (ajaquith@atstake.com)

Chair

The Chair will be Mark Curphey (mark.curphey@watchfire.com).

Telephone Meeting Sponsors

The telephone meeting sponsor will be OWASP [Open Web Application Security Project].

Face to Face Meeting Sponsors

The face to face meeting sponsor will be OWASP [Open Web Application Security Project].

Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news item of 2003-05-13: "OASIS Members Form Web Application Security Technical Committee." General references in "Application Security."

SEARCH Advanced Search ABOUT Site Map CP RSS Channel Contact Us Sponsoring CP About Our Sponsors NEWS Cover Stories Articles & Papers Press Releases CORE STANDARDS XML SGML Schemas XSL/XSLT/XPath XLink XML Query CSS SVG TECHNOLOGY REPORTS XML Applications General Apps Government Apps Academic Apps EVENTS LIBRARY Introductions FAQs Bibliography Technology and Society Semantics Tech Topics Software Related Standards Historic	Web Application Security Technical Committee OASIS TC Call for Participation: Web Application Security TC Date: Tue, 13 May 2003 08:48:40 -0400 From: Karl F. Best <karl.best@oasis-open.org> To: members@lists.oasis-open.org, tc-announce@lists.oasis-open.org, xml-dev@lists.xml.org, was@lists.oasis-open.org Subject: OASIS TC Call for Participation: Web Application Security TC A new OASIS technical committee is being formed. The OASIS Web Application Security Technical Committee (WAS TC) has been proposed by the following members of OASIS: Steven Taylor, Bank of America; Martin Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole, Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins, Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel Lawrence, and Andrew Jacquith. The proposal for a new TC meets the requirements of the OASIS TC Process (see http://oasis-open.org/committees/process.shtml), and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified (revised) by the TC members; such clarifications (revisions), as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting. As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC. For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at http://www.oasis-open.org/committees/was and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member. Note that membership in OASIS TCs is by individual, and not by organization. For non-OASIS members, a public comment list was-comment@lists.oasis-open.org is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl. The archives of the TC's private and comment mail lists are visible to the public at http://lists.oasis-open.org/archives/. Further information about this topic may be found on the Cover Pages under the topic of "Application Security" at: http://xml.coverpages.org/appSecurity.html. -Karl Karl F. Best Vice President, OASIS office +1 978.667.5115 x206 mobile +1 978.761.1648 karl.best@oasis-open.org http://www.oasis-open.org OASIS Proposal for Web Application Security XML (WAS-XML) Name of the TC The name of the technical committee will be WAS-XML (Web Application Security XML). Statement of Purpose Like many other parts of the IT industry, the information security industry has grown extremely fast with few standards bodies and often little co-operation and co-ordination between vendors and the user community. When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data can also not be used to provide automated immediate protection by web security assessment and intrusion protection tools. The WAS-XML technical committee will produce: a classification scheme for web security vulnerabilities a model to provide guidance for initial threat, impact and therefore risk ratings an XML schema to describe web security conditions that can be used by both assessment and protection tools The technical committee will unite industry consensus and provide standards from which vendors and users will benefit. It will leverage and extend the work of the OWASP VulnXML project that has been established for over a year. The existing VulnXML work is being given to OASIS as part of this proposal. We will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it and given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem. The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data. List of Deliverables Web Security Classification Scheme - within 12 weeks of TC formation Web Security Risk Ranking Model - within 16 weeks of TC formation WAS-XML Schema (fully documented) - within 24weeks of TC formation WAS-XML Developers Guide - within 24 weeks of TC formation WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation Language This TC will conduct its business in English. Date and Time of First Meeting The first meeting will be help on July 3rd, 2003 at 12pm ET via teleconference, in English. Meeting Schedule This technical committee will hold teleconference calls every two weeks on Fridays at 10am EST. It is proposed to hold a face to face meeting in September in Washington DC. Proposers Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com) Martin Nystrom - Cisco (mnystrom@cisco.com) William Hau - IBM (whau@uk.ibm.com) Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com) Yuval Ben-Itzak, Individual (yuval@kavado.com) Phil Brass, Individual (pbrass@iss.net) Dave Cole, Individual (dave.cole@foundstone.com) Mark Curphey, Individual (mark.curphey@watchfire.com) Rogan Dawes, Individual (rdawes@deloitte.co.za) David Endler, Individual (dendler@idefense.com) Jeremy Poteet, Individual (jpoteet@tech-partners.com) Kerry Rollins, Individual (kerry.Rollins@ey.com) Tim Smith, Individual (tim.smith@alphawest.com.au) Jeff Williams, Individual (jeff.williams@aspectsecurity.com) David Raphael, Individual (david.raphael@ericsson.com) Jason Childers, Individual (childers_j@yahoo.com) Gabriel Lawrence, Individual (gabe@ucsd.edu) Andrew Jacquith, Individual (ajaquith@atstake.com) Chair The Chair will be Mark Curphey (mark.curphey@watchfire.com). Telephone Meeting Sponsors The telephone meeting sponsor will be OWASP [Open Web Application Security Project]. Face to Face Meeting Sponsors The face to face meeting sponsor will be OWASP [Open Web Application Security Project]. Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news item of 2003-05-13: "OASIS Members Form Web Application Security Technical Committee." General references in "Application Security."