Web Application Security Technical Committee
OASIS TC Call for Participation: Web Application Security TC
Date: Tue, 13 May 2003 08:48:40 -0400
From: Karl F. Best <email@example.com>
To: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com
Subject: OASIS TC Call for Participation: Web Application Security TC
A new OASIS technical committee is being formed. The OASIS Web Application Security Technical Committee (WAS TC) has been proposed by the following members of OASIS: Steven Taylor, Bank of America; Martin Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole, Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins, Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel Lawrence, and Andrew Jacquith.
The proposal for a new TC meets the requirements of the OASIS TC Process (see http://oasis-open.org/committees/process.shtml), and is appended to this message. The proposal, which includes a statement of purpose, list of deliverables, and proposed schedule, will constitute the TC's charter. The TC Process allows these items to be clarified (revised) by the TC members; such clarifications (revisions), as well as submissions of technology for consideration by the TC and the beginning of technical discussions, may occur no sooner than the TC's first meeting.
As specified by the OASIS TC Process, the requirements for becoming a member of the TC are that you must 1) be an employee of an OASIS member organization or an Individual member of OASIS; 2) notify the TC chair of your intent to participate at least 15 days prior to the first meeting; and 3) attend the first meeting of the TC.
For OASIS members, to sign up for the TC using the new OASIS collaborative tools, go to the TC's public page at http://www.oasis-open.org/committees/was and click on the button for "Join This TC" at the top of the page. You may add yourself to the roster of the TC either as a Prospective Member (if you intend to become a member of the TC) or an Observer. A notice will automatically be sent to the TC chair, which fulfills requirement #2 above. You must sign up for membership at least 15 days before the first meeting and must attend the first meeting of the TC in order to become a member.
Note that membership in OASIS TCs is by individual, and not by organization.
For non-OASIS members, a public comment list firstname.lastname@example.org is available for the public to make comments on the work of this TC; the public may subscribe to this list by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl.
The archives of the TC's private and comment mail lists are visible to the public at http://lists.oasis-open.org/archives/.
Further information about this topic may be found on the Cover Pages under the topic of "Application Security" at:
Karl F. Best
Vice President, OASIS
office +1 978.667.5115 x206
mobile +1 978.761.1648
email@example.com
http://www.oasis-open.org
Name of the TC
The name of the technical committee will be WAS-XML (Web Application Security XML).
Statement of Purpose
Like many other parts of the IT industry, the information security industry has grown extremely fast with few standards bodies and often little co-operation and co-ordination between vendors and the user community.
When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data also cannot be used to provide automated immediate protection by web security assessment and intrusion protection tools.
The WAS-XML technical committee will produce:
- a classification scheme for web security vulnerabilities
- a model to provide guidance for initial threat, impact and therefore risk ratings
- an XML schema to describe web security conditions that can be used by both assessment and protection tools
The technical committee will unite industry consensus and provide standards from which vendors and users will benefit. It will leverage and extend the work of the OWASP VulnXML project that has been established for over a year. The existing VulnXML work is being given to OASIS as part of this proposal.
We will liaise with the OASIS AVDL TC, whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it. Given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem. The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data.
List of Deliverables
- Web Security Classification Scheme - within 12 weeks of TC formation
- Web Security Risk Ranking Model - within 16 weeks of TC formation
- WAS-XML Schema (fully documented) - within 24 weeks of TC formation
- WAS-XML Developers Guide - within 24 weeks of TC formation
- WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation
This TC will conduct its business in English.
Date and Time of First Meeting
The first meeting will be held on July 3rd, 2003 at 12pm ET via teleconference, in English.
This technical committee will hold teleconference calls every two weeks on Fridays at 10am EST. It is proposed to hold a face to face meeting in September in Washington DC.
- Steven Taylor - Bank of America (firstname.lastname@example.org)
- Martin Nystrom - Cisco (email@example.com)
- William Hau - IBM (firstname.lastname@example.org)
- Steve Orrin - Sanctum Inc. (email@example.com)
- Yuval Ben-Itzak, Individual (firstname.lastname@example.org)
- Phil Brass, Individual (email@example.com)
- Dave Cole, Individual (firstname.lastname@example.org)
- Mark Curphey, Individual (email@example.com)
- Rogan Dawes, Individual (firstname.lastname@example.org)
- David Endler, Individual (email@example.com)
- Jeremy Poteet, Individual (firstname.lastname@example.org)
- Kerry Rollins, Individual (kerry.Rollins@ey.com)
- Tim Smith, Individual (email@example.com)
- Jeff Williams, Individual (firstname.lastname@example.org)
- David Raphael, Individual (email@example.com)
- Jason Childers, Individual (firstname.lastname@example.org)
- Gabriel Lawrence, Individual (email@example.com)
- Andrew Jacquith, Individual (firstname.lastname@example.org)
The Chair will be Mark Curphey (email@example.com).
Telephone Meeting Sponsors
The telephone meeting sponsor will be OWASP [Open Web Application Security Project].
Face to Face Meeting Sponsors
The face to face meeting sponsor will be OWASP [Open Web Application Security Project].
Prepared by Robin Cover for The XML Cover Pages archive. See other details in the news item of 2003-05-13: "OASIS Members Form Web Application Security Technical Committee." General references in "Application Security."