A newly formed OASIS Web Application Security Technical Committee will attempt to unite industry consensus and provide standards for classifying and responding to web security vulnerabilities. The specifications are designed to benefit both vendors and users. The TC will leverage and extend the work of the Open Web Application Security (OWASP) VulnXML project that has been established for over a year. The existing VulnXML work is being contributed to OASIS as part of the new TC proposal. According to the proposed charter, the WAS-XML technical committee will produce: (1) a classification scheme for web security vulnerabilities; (2) a model to provide guidance for initial threat, impact and therefore risk ratings; (3) an XML schema to describe web security conditions that can be used by both assessment and protection tools. The TC Chair is Mark Curphey. The first meeting of the technical committee will be held as a conference call on July 03, 2003.

From the Announcement

When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data can also not be used to provide automated immediate protection by web security assessment and intrusion protection tools.

[The Web Application Security Technical Committee] will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it and given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem. The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data.

List of Deliverables:

• Web Security Classification Scheme - within 12 weeks of TC formation
• Web Security Risk Ranking Model - within 16 weeks of TC formation
• WAS-XML Schema (fully documented) - within 24weeks of TC formation
• WAS-XML Developers Guide - within 24 weeks of TC formation
• WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation

Proposers:

• Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
• Martin Nystrom - Cisco (mnystrom@cisco.com)
• William Hau - IBM (whau@uk.ibm.com)
• Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
• Yuval Ben-Itzak, Individual (yuval@kavado.com)
• Phil Brass, Individual (pbrass@iss.net)
• Dave Cole, Individual (dave.cole@foundstone.com)
• Mark Curphey, Individual (mark.curphey@watchfire.com)
• Rogan Dawes, Individual (rdawes@deloitte.co.za)
• David Endler, Individual (dendler@idefense.com)
• Jeremy Poteet, Individual (jpoteet@tech-partners.com)
• Kerry Rollins, Individual (kerry.Rollins@ey.com)
• Tim Smith, Individual (tim.smith@alphawest.com.au)
• Jeff Williams, Individual (jeff.williams@aspectsecurity.com)
• David Raphael, Individual (david.raphael@ericsson.com)
• Jason Childers, Individual (childers_j@yahoo.com)
• Gabriel Lawrence, Individual (gabe@ucsd.edu)
• Andrew Jacquith, Individual (ajaquith@atstake.com)

VulnXML Project

"When security researchers publish security advisories or vulnerabilities, they either do so in an ambiguous textual form or using a proprietary data format for use in their tools. This net effect is that security data has become tightly coupled to specific tools and cannot easily be shared across different tools... The VulnXML will create an open standard format for web application security vulnerabilities only. Whilst we believe it could be extended to other classes of security problems, they are beyond the scope of this project... VulnXML aims to make free web application security knowledge available to everyone and anyone at the same time... The VulnXML format will be an open source and openly published standard XML document data type definition from which users can describe a particular security vulnerability in a web application in an unambiguous manner. The DTD will allow the security check developer or security researcher to describe enough meta-data about the vulnerability that an automated program could build an http request or series of requests to determine if the vulnerability exists on the system being tested... [As for] CVE and the Bugtraq databases: The common Vulnerabilities and Exposures (CVE) database and the Bugtraq database do an excellent job of capturing, recording and classifying security vulnerabilities. They are not, however, designed to capture sufficient information about a web application security vulnerability that would enable it to be automatically built into a check that a tool could use. We will be making every effort to reference CVE meta-data of any vulnerability we convert to the VulnXML format and have made provision in the initial data type definition..." [from the VulnXML Project Vision document]