The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: February 09, 2004.
News: Cover Stories

OASIS Committee Draft for the Application Vulnerability Description Language (AVDL).

Members of the OASIS Application Vulnerability Description Language (AVDL) TC have approved a Committee Draft specification and invite public review through 7-March-2004. AVDL is a proposed security "interoperability standard for creating a uniform method of describing application security vulnerabilities using XML. The prose specification and accompanying XML Schema describe a standard XML format that allows entities such as applications, organizations, or institutes to communicate information regarding web application vulnerabilities."

In this context, vulnerability information may include "discrete, previously known vulnerabilities against the application's software stack or any of its components such as operating system type/version, application server type, web server type, database type, etc. It may also include information on an application's known legitimate usage schemes such as directory structures, HTML structures, legal entry points, and legal interaction parameters. Security entities that might use AVDL include vulnerability assessment tools, application security gateways, reporting tools, correlation systems, and remediation tools. AVDL is not intended to communicate network-layer vulnerability information such as network topology, TCP related attacks, or other network-layer issues, nor is it intended to carry any information about authentication or access control, as these issues are covered by SAML and XACML."

Subject to consideration of input from the 30-day public review period, the OASIS TC intends to submit the AVDL specification to OASIS for consideration as an OASIS Standard.

Bibliographic Information

Application Vulnerability Description Language. Working Draft 01. 15-January-2004. Document identifier: 'AVDL Specification - 01'. Edited by Jan Bialkowski (NetContinuum) and Kevin Heineman (SPI Dynamics). Contributors: Carl Banzhof (Citadel), John Diaz (Lawrence Livermore National Laboratory), Johan Strandberg (NetContinuum), Srinivas Mantripragada (NetContinuum), Caleb Sima (SPI Dynamics). With AVDL XML Schema.

About the OASIS Application Vulnerability Description Language Technical Committee

"The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The AVDL TC is formed to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.

The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include but are not limited to: vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools, etc. AVDL is not intended to communicate network layer vulnerability information such as network topology, TCP related attacks or other network layer issues. Nor is AVDL intended to carry any information about authentication or access control; these issues are covered by SAML and XACML.

Applications which utilize HTTP and HTML, including but not limited to "web services," as their foundation access and communication scheme are vulnerable to various types of malicious attacks. The goal of the AVDL TC is to define a language for describing information which can be used to protect such an application. This information may include, but is not limited to, vulnerability information as well as known legitimate usage information..." [from the revised TC Charter]


Document URI: http://xml.coverpages.org/ni2004-02-09-a.html
Robin Cover, Editor: robin@oasis-open.org