Representatives from OASIS member companies Citadel Security Software, Inc., NetContinuum, Inc., and SPI Dynamics are forming a technical committee to "develop an Application Vulnerability Description Language (AVDL). The TC's goal is to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include but are not limited to: vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, etc." The TC Co-Chairs are Jan Bialkowski (NetContinuum, Inc) and Kevin Heineman (SPI Dynamics, Inc). The first meeting of the TC will be held 15-May-2003 by phone conference call.
AVDL TC Overview
The goal of AVDL is a uniform way of describing application security vulnerabilities: an XML definition for exchanging information about security vulnerabilities in applications exposed to networks. For example, the owners of an application may run a scanning tool to test it for exposure to various classes of attack. That tool catalogues the vulnerabilities it detects in an XML file in AVDL format. An application security gateway can then read that AVDL file and derive the attack prevention policy best suited to that specific application; remediation products can use it to suggest the best course of action for correcting the problems, and reporting tools can use it to correlate event logs with areas of known vulnerability.
AVDL is not intended to communicate network-layer vulnerability information such as network topology, TCP-related attacks or other network-layer issues. Nor is AVDL intended to carry any information about authentication or access control; those concerns are covered by SAML and XACML.
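The scanner-to-gateway-to-reporting exchange described above, as an added illustration that is not part of the original page and is not the AVDL TC's own code or schema. The element and attribute names in the embedded XML (`findings`, `finding`, `request`), the per-class allow-list patterns and the access-log lines are all constructed assumptions standing in for a real AVDL document; the point is the exchange pattern (one producer writes XML, several consumers act on it), not the AVDL vocabulary itself.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample of what a scanner might write. The element and attribute
# names are an assumption for this illustration, NOT the AVDL TC schema.
SCANNER_OUTPUT = """<?xml version="1.0"?>
<findings application="orders-web">
  <finding id="f-1" class="sql-injection" severity="high">
    <request method="GET" path="/orders/search" parameter="q"/>
  </finding>
  <finding id="f-2" class="path-traversal" severity="medium">
    <request method="GET" path="/download" parameter="file"/>
  </finding>
</findings>
"""

# Gateway side: positive-security allow-lists per vulnerability class (assumed here).
ALLOW_PATTERNS = {
    "sql-injection": r"[A-Za-z0-9 ]{0,64}",                  # no quotes, no comment markers
    "path-traversal": r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*",  # no '/', no '..'
}

def parse_findings(xml_text):
    """Read the scanner's XML into plain dicts, one per reported vulnerability."""
    root = ET.fromstring(xml_text)  # the file crosses a product boundary: treat as untrusted input
    findings = []
    for node in root.findall("finding"):
        req = node.find("request")
        if req is None:
            continue  # a finding without a request gives a gateway nothing to act on
        findings.append({
            "id": node.get("id"), "class": node.get("class"),
            "severity": node.get("severity"), "method": req.get("method"),
            "path": req.get("path"), "parameter": req.get("parameter"),
        })
    return findings

def build_policy(findings):
    """Turn findings into gateway rules; classes with no allow-list are skipped for a human."""
    policy = []
    for f in findings:
        pattern = ALLOW_PATTERNS.get(f["class"])
        if pattern is None:
            continue
        policy.append({**f, "allow": re.compile(pattern)})
    return policy

def gateway_decision(policy, method, target):
    """Return ('block', finding-id) if a request violates a rule, else ('allow', None)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in policy:
        if rule["method"] != method or rule["path"] != parts.path:
            continue
        for value in params.get(rule["parameter"], []):
            if not rule["allow"].fullmatch(value):
                return ("block", rule["id"])
    return ("allow", None)

# Constructed access-log lines (Common Log Format) for the reporting/correlation step.
ACCESS_LOG = [
    '203.0.113.7 - - [15/May/2003:10:01:22 +0000] "GET /orders/search?q=%27%20OR%201%3D1-- HTTP/1.1" 200 512',
    '198.51.100.4 - - [15/May/2003:10:02:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [15/May/2003:10:03:41 +0000] "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def correlate(findings, log_lines):
    """Reporting side: (finding-id, client, decoded value) for requests that hit a known-vulnerable input."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, _status = m.groups()
        parts = urlsplit(target)
        params = parse_qs(parts.query, keep_blank_values=True)
        for f in findings:
            if f["method"] == method and f["path"] == parts.path and f["parameter"] in params:
                hits.append((f["id"], client, params[f["parameter"]][0]))
    return hits

if __name__ == "__main__":
    found = parse_findings(SCANNER_OUTPUT)
    rules = build_policy(found)
    print(gateway_decision(rules, "GET", "/orders/search?q=widgets"))
    print(gateway_decision(rules, "GET", "/download?file=../../etc/passwd"))
    for hit in correlate(found, ACCESS_LOG):
        print(hit)
```

Two caveats a practitioner would keep in mind: the gateway policy is only as complete as the scanner's findings (a request to a path or method the scanner never reported passes straight through, and an unknown vulnerability class yields no rule), and the XML arrives from another vendor's product, so it should be parsed by a parser that does not resolve external entities; Python's ElementTree does not fetch them, but anything that might carry entity-expansion payloads deserves a hardened parser such as defusedxml.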
TC Proposers:
- Carl Banzhof, cbanzhof@citadel.com, Citadel Security Software, Inc.
- Jan Bialkowski, jan@netcontinuum.com, NetContinuum, Inc.
- Kevin Heineman, kheineman@spidynamics.com, SPI Dynamics
Principal references:
- Update 2004-02: Application Vulnerability Description Language. Working Draft approved as an OASIS Technical Committee Draft. See the news story.
- Announcement 2003-04-02: AVDL TC Call for Participation
- AVDL TC website
- Web Application Security: AVDL vs VulnXML. By David Burton.
- AVDL TC mailing list archive
- TC Comment list: send email to avdl-comment@lists.oasis-open.org.
- "OASIS Members Collaborate to Address Security Vulnerabilities for Web Services and Web Applications." Announcement 2003-04-14.
- "Leading Application Security Vendors Propose New XML-Based Interoperability Standard Through OASIS. Application Vulnerability Description Language Will Enable Easy Communication Between Products That Find, Block, Fix, and Report Application Security Vulnerabilities." Announcement 2003-04-14.
- AVDL.org website
- Application Security. General reference page.