The OASIS Cover Pages: The Online Resource for Markup Language Technologies
Created: April 29, 2004.

OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft.

Update: On June 08, 2004 OASIS announced that the Application Vulnerability Description Language v1.0 was approved as an OASIS Standard.

[April 29, 2004] The OASIS Application Vulnerability Description Language TC has approved a Committee Draft of its version 1.0 specification and has submitted it for consideration as an OASIS Standard.

The AVDL specification defines "a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. The OASIS AVDL Technical Committee was formed to create an XML definition for exchanging information about the security vulnerabilities of applications exposed to networks. For example, the owners of an application use an assessment tool to determine if their application is vulnerable to various types of malicious attacks. The assessment tool records and catalogues detected vulnerabilities in an XML file in AVDL format. An application security gateway then uses the AVDL information to recommend the optimal attack prevention policy for the protected application. In addition, a remediation product uses the same AVDL file to suggest the best course of action for correcting the security issues. Finally a reporting tool uses the AVDL file to correlate event logs with areas of known vulnerability."

According to a declaration presented by the AVDL TC Chairs, some features of the AVDL specification design were inspired by Mitre's Open Vulnerability Assessment Language (OVAL), which uses the Common Vulnerabilities and Exposures (CVE) database. Related technical work is being done within the OASIS Web Application Security TC based upon Application Security Attack Components (ASAC) and VulnXML, developed by the Open Web Application Security Project (OWASP).

Application Vulnerability Description Language version 1.0 Committee Draft will be balloted to the OASIS membership during the period May 16-31, 2004.

Bibliographic Information

  • Application Vulnerability Description Language. Committee Draft Version 1.0. 15-March-2004. Document identifier: 'AVDL Specification - 01'. 18 pages. Edited by Jan Bialkowski (NetContinuum) and Kevin Heineman (SPI Dynamics). Contributors: Carl Banzhof (Citadel), John Diaz (Lawrence Livermore National Laboratory), Johan Strandberg (NetContinuum), Srinivas Mantripragada (NetContinuum), Caleb Sima (SPI Dynamics). With XML Schema.

  • Technical Overview of the Application Vulnerability Description Language (AVDL) V1.0. Version 1.0. 22-March-2004. Document identifier: 'AVDL Technical Overview - 01'. 22 pages. Edited by Jan Bialkowski (NetContinuum), Kevin Heineman (SPI Dynamics), and Srinivas Mantripragada (NetContinuum).

    "This non-normative document provides a technical description of AVDL 1.0; it has been produced by the OASIS AVDL Technical Committee. The specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, Application Vulnerability Description Language (AVDL) is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML..."

From the AVDL Version 1.0 Technical Overview

"Security managers have grown accustomed to relying on traditional tools, such as network firewalls, IDS, and VPNs to protect corporate networks. The exploding number of application-level security incidents, however, certifies that these tools provide few tangible benefits in the area of application security. While next generation application security products now solve many of these problems, these best-of-breed stand-alone systems still require individual and separate user interactions, leaving the overall security management process too manual, time-consuming, and error prone.

Proposed by leading application security vendors and users, the AVDL specification creates a rich and effective set of consistent XML schema definitions to describe application security properties and vulnerabilities. Using AVDL, security tools and products from different vendors will be able to precisely and unambiguously communicate with each other to coordinate their security operations and automate security management.

AVDL integration creates a seamless ecosystem that secures the web application environment, in which mundane security operations such as patching and reconfigurations that implement evolving application requirements and security policies become automated, freeing security administrators to focus on higher-level security policy analysis. Because all new vulnerability alerts can be described consistently in AVDL, automation of security management also vastly reduces the incident response time, thus closing critical vulnerability windows and enhancing security posture. AVDL-based security alert bulletins will give users highly efficient access to the collective security expertise of all participants in this dynamic field, where even the largest organizations are challenged to keep up with rapid industry revolution.

The AVDL technology is rooted in XML. The information passed around between the producers and consumers is mostly in the form of XML, and the format of these XML messages is defined in the AVDL schema.

AVDL has the following key concepts:

  • Probe: The basic concept embodied in the AVDL schema is an application-level transaction, called a 'probe', which describes HTTP exchanges between browsers and web application servers. The probe defines the basic unit of request-response exchange and its relation to the expected result.
  • Transaction: AVDL defines markups which allow specifications of the transaction between the browser and server as a series of probes. Such probes may specify valid and expected request-response exchanges between browsers and servers, or may specify application vulnerability exploits. AVDL 1.0 allows specification of the HTTP transaction in full detail at various levels of abstraction (raw byte stream, or parsed to HTTP header constructs).
  • Traversal: The 'traversal' step is a derived extension of a 'probe' where the request-response exchange between browser and server is expected (and valid). The traversal step probes supply a host of information including target URLs, links, cookies and other headers as well as query or form parameters, their attributes, ranges of legitimate values etc. The traversal probes can be used to automate enforcement of safe usage policies.
  • Vulnerability-probe: The 'vulnerability-probe' is a derived extension of a 'probe' where the request-response exchange between browser and server is of illegitimate kind. The probe contains undesirable (or malicious) elements with a primary intent to cause damage to the application.
  • Vulnerability-description: The 'vulnerability-description' highlights specific questionable constructs and supplies detailed specifications of vulnerabilities, including a human-readable description and machine-readable assessment information such as vulnerability severity, applicability, and its historical records. The vulnerability-description supplies enough information necessary to configure protective 'deny' rules as well as information about possible hot fixes, if any are available, workarounds etc. that can be used to automate management of the remediation process." [excerpted from the Technical Overview version 1.0]
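The following Python is an added example, not code from the AVDL specification, the Technical Overview, or the Cover Pages article. It sketches the pipeline described in both the opening summary and the key concepts above: an assessment tool's report is parsed; the traversal's legitimate parameter ranges and the confirmed vulnerability-probes are turned into gateway 'deny' rules; an incoming request is checked against them; and a reporting step correlates access-log lines with the known-vulnerable URL. The element and attribute names (`avdl`, `session`, `traversal`, `form-param`, `vulnerability-probe`, `expected-result`, `vulnerability-description`) are a simplified structure assumed for illustration and modelled on the concepts listed above, not the normative AVDL 1.0 schema; the report and the log lines are constructed.

```python
"""Added example: consume an AVDL-style report (assumed simplified element
names, not the normative AVDL 1.0 schema) and act on it as gateway/reporter."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample report (not the output of a real scanner).
SAMPLE_AVDL = """<?xml version="1.0"?>
<avdl>
  <session target="http://app.example.test">
    <traversal>
      <request method="GET" url="/login"/>
      <form-param name="user" maxlength="32" pattern="[A-Za-z0-9_]+"/>
    </traversal>
    <vulnerability-probe id="vp-1">
      <request method="POST" url="/login">
        <param name="user" value="' OR '1'='1"/>
      </request>
      <expected-result vulnerable="true"/>
      <vulnerability-description severity="high" class="sql-injection"/>
    </vulnerability-probe>
  </session>
</avdl>
"""

# Constructed Common Log Format lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Apr/2004:10:00:01 +0000] "GET /login?user=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Apr/2004:10:00:07 +0000] "GET /login?user=%27+OR+%271%27%3D%271 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [29/Apr/2004:10:00:09 +0000] "GET /about HTTP/1.1" 200 300',
]
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')


def parse_avdl(text):
    """Return (allow, probes): allow maps (url, param) to the legitimate value
    spec recorded by a traversal; probes lists vulnerability-probes as dicts."""
    # A scanner's report is untrusted input: in production parse it with
    # defusedxml (entity expansion disabled) rather than plain ElementTree.
    root = ET.fromstring(text)
    allow, probes = {}, []
    for sess in root.findall("session"):
        for t in sess.findall("traversal"):
            url = t.find("request").get("url")
            for p in t.findall("form-param"):
                allow[(url, p.get("name"))] = {"maxlength": int(p.get("maxlength", "0")),
                                               "pattern": p.get("pattern", ".*")}
        for v in sess.findall("vulnerability-probe"):
            req, desc = v.find("request"), v.find("vulnerability-description")
            probes.append({
                "id": v.get("id"), "method": req.get("method"), "url": req.get("url"),
                "params": {p.get("name"): p.get("value") for p in req.findall("param")},
                "vulnerable": v.find("expected-result").get("vulnerable") == "true",
                "severity": desc.get("severity"), "class": desc.get("class"),
            })
    return allow, probes


def _legit(value, spec):
    """True when value lies inside the traversal's legitimate range."""
    if spec["maxlength"] and len(value) > spec["maxlength"]:
        return False
    return re.fullmatch(spec["pattern"], value) is not None


def gateway_policy(allow, probes):
    """One deny rule per parameter of each confirmed probe: block any value outside
    the traversal's range; payload_blocked records whether the probe's payload is caught."""
    rules = []
    for pr in probes:
        if not pr["vulnerable"]:
            continue
        for name, payload in pr["params"].items():
            spec = allow.get((pr["url"], name), {"maxlength": 0, "pattern": ".*"})
            rules.append({"id": pr["id"], "method": pr["method"], "url": pr["url"],
                          "param": name, "severity": pr["severity"], **spec,
                          "payload_blocked": not _legit(payload, spec)})
    return rules


def check_request(rules, method, url, params):
    """Gateway enforcement: ids of the deny rules a request violates."""
    return [r["id"] for r in rules
            if r["method"] == method and r["url"] == url
            and r["param"] in params and not _legit(params[r["param"]], r)]


def correlate(rules, log_lines):
    """Reporting: flag log lines that hit a known-vulnerable URL with a parameter
    outside its legitimate range (method ignored: the same weak handler is reached)."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, target, _status = m.groups()
        parts = urlsplit(target)
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        findings += [{"ip": ip, "time": ts, "rule": r["id"], "severity": r["severity"]}
                     for r in rules if r["url"] == parts.path
                     and r["param"] in params and not _legit(params[r["param"]], r)]
    return findings
```

The deny rule is derived from the traversal's legitimate value space rather than from the probe's payload, so it also stops variants of the injection the scanner never sent; `payload_blocked` is the sanity check that the recorded exploit really falls outside that space. Because a report from a third-party scanner is untrusted XML, a production consumer should parse it with `defusedxml` (or otherwise disable entity expansion) instead of the plain `ElementTree` used here for portability.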

Document URI: http://xml.coverpages.org/ni2004-04-29-a.html
Robin Cover, Editor: robin@oasis-open.org