OASIS has announced the approval of Application Vulnerability Description Language Version 1.0 as an OASIS Standard.
AVDL is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML. The version 1.0 specification "describes a standard XML format that allows entities such as applications, organizations, or institutes to communicate security information regarding web. AVDL provides an open XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies."
Based upon the AVDL information exchange model, application administrators use an assessment tool to determine if their networked applications are "vulnerable to various types of malicious attacks. An assessment tool records and catalogues detected vulnerabilities in an XML file in AVDL format. An application security gateway then uses the AVDL information to recommend the optimal attack prevention policy for the protected application. In addition, a remediation product uses the same AVDL file to suggest the best course of action for correcting the security issues. Finally a reporting tool uses the AVDL file to correlate event logs with areas of known vulnerability."
With AVDL, "network managers can save valuable time by importing vulnerability assessment data from AVDL-compliant application scanners. Firewalls can configure appropriate rules, patch management software can provide automatic remediation, and event correlation products can include application-level vulnerability data in the organization's overall risk assessment picture."
The OASIS announcement reports that AVDL is "already being implemented by companies and government agencies including the central security incident response organization for the United States Department of Energy (DOE) and National Nuclear Security Administration (NNSA), which plans to AVDL-enable its new Security Incident Response Portal."
According to Jan Bialkowski of NetContinuum, Co-chair of the OASIS AVDL Technical Committee, "organizations are drowning in the flood of security bulletins and alerts while application vulnerability exploits are wreaking havoc on networks around the globe; AVDL offers an automated way to break this cycle by dramatically reducing the time between the discovery of a new vulnerability and the response time to block attacks at the security gateway."
The AVDL TC Chairs indicate that some features of the AVDL specification design were inspired by Mitre's Open Vulnerability Assessment Language (OVAL), which uses the Common Vulnerabilities and Exposures (CVE) database. Related technical work is being done within the OASIS Web Application Security TC based upon Application Security Attack Components (ASAC) and VulnXML, developed by the Open Web Application Security Project (OWASP).
Bibliographic Information
Application Vulnerability Description Language v1.0. OASIS Standard. May 2004. 18 pages. Edited by Jan Bialkowski (NetContinuum) and Kevin Heineman (SPI Dynamics). Contributors: Carl Banzhof (Citadel), John Diaz (Lawrence Livermore National Laboratory), Johan Strandberg (NetContinuum), Srinivas Mantripragada (NetContinuum), Caleb Sima (SPI Dynamics). With XML Schema.
TC Participants: Jeremy Poteet (Individual), Lauren Davis (Johns Hopkins University Applied Physics Laboratory), Andrew Buttner (Mitre Corporation), Gerhard Eschelbeck (Qualys), Jared Karro (Bank of America), Montgomery-Recht Evan (Booz Allen Hamilton), Ajay Gummadi (Individual), Yen-Ming Chen (Individual), Brian Cohen (SPI Dynamics, Inc.), John Milciunas (SPI Dynamics, Inc.), Matthew Snyder (Bank of America), Chung-Ming Ou (Chunghwa Telecom Laboratories), Anton Chuvakin (Individual), Nasseam Elkarra (Individual), Roger Alexander (Individual), J. Wittbold (Mitre Corporation), Lluis Mora (Sentryware).
Technical Overview of the Application Vulnerability Description Language (AVDL) V1.0. Version 1.0. 22-March-2004. Document identifier: 'AVDL Technical Overview - 01'. 22 pages. Edited by Jan Bialkowski (NetContinuum), Kevin Heineman (SPI Dynamics), and Srinivas Mantripragada (NetContinuum).
This non-normative document provides a technical description of AVDL 1.0; it has been produced by the OASIS AVDL Technical Committee. The specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, Application Vulnerability Description Language (AVDL) is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML..."
From the AVDL Version 1.0 Technical Overview
"Security managers have grown accustomed to relying on traditional tools, such as network firewalls, IDS, and VPNs to protect corporate networks. The exploding number of application-level security incidents, however, certifies that these tools provide few tangible benefits in the area of application security. While next generation application security products now solve many of these problems, these best-of-breed stand-alone systems still require individual and separate user interactions, leaving the overall security management process too manual, time-consuming, and error-prone.
Proposed by leading application security vendors and users, the AVDL specification creates a rich and effective set of consistent XML schema definitions to describe application security properties and vulnerabilities. Using AVDL, security tools and products from different vendors will be able to precisely and unambiguously communicate with each other to coordinate their security operations and automate security management.
AVDL integration creates a seamless ecosystem that secures the web application environment, in which mundane security operations, such as patching and reconfigurations that implement evolving application requirements and security policies, become automated, freeing security administrators to focus on higher-level security policy analysis. Because all new vulnerability alerts can be described consistently in AVDL, automation of security management also vastly reduces the incident response time, thus closing critical vulnerability windows and enhancing security posture. AVDL-based security alert bulletins will give users highly efficient access to the collective security expertise of all participants in this dynamic field, where even the largest organizations are challenged to keep up with rapid industry revolution.
The AVDL technology is rooted in XML. The information passed around between the producers and consumers is mostly in the form of XML, and the format of these XML messages is defined in the AVDL schema.
AVDL has the following key concepts:
- Probe: The basic concept embodied in the AVDL schema is an application-level transaction, called a 'probe', which describes HTTP exchanges between browsers and web application servers. The probe defines the basic unit of request-response exchange and its relation to the expected result.
- Transaction: AVDL defines markups which allow specifications of the transaction between the browser and server as a series of probes. Such probes may specify valid and expected request-response exchanges between browsers and servers, or may specify application vulnerability exploits. AVDL 1.0 allows specification of the HTTP transaction in full detail at various levels of abstraction (raw byte stream, or parsed to HTTP header constructs).
- Traversal: The 'traversal' step is a derived extension of a 'probe' where the request-response exchange between browser and server is expected (and valid). The traversal step probes supply a host of information, including target URLs, links, cookies and other headers, as well as query or form parameters, their attributes, ranges of legitimate values, etc. The traversal probes can be used to automate enforcement of safe usage policies.
- Vulnerability-probe: The 'vulnerability-probe' is a derived extension of a 'probe' where the request-response exchange between browser and server is of illegitimate kind. The probe contains undesirable (or malicious) elements with a primary intent to cause damage to the application.
- Vulnerability-description: The 'vulnerability-description' highlights specific questionable constructs and supplies detailed specifications of vulnerabilities, including a human-readable description and machine-readable assessment information such as vulnerability severity, applicability, and its historical records. The vulnerability-description supplies enough information to configure protective 'deny' rules, as well as information about possible hot fixes (if any are available), workarounds, etc., that can be used to automate management of the remediation process. [excerpted from the Technical Overview version 1.0]
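To make the exchange model concrete (scanner writes AVDL, gateway derives allow/deny policy from traversals and vulnerability descriptions), here is an added Python example; it is not code from the AVDL specification or from any vendor named on this page. The XML element and attribute names (`traversal`, `vulnerability-probe`, `vulnerability-description`, `param`, `min`/`max`, `probe`, `hotfix`) are assumptions modelled on the concept names above, not the normative AVDL 1.0 schema, and the sample document is constructed.

```python
# Added example, not from the AVDL spec or any vendor: a minimal policy
# consumer for an AVDL-style file. Element/attribute names are assumptions
# modelled on the page's concept names, NOT the normative AVDL 1.0 schema.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample document (not a real AVDL 1.0 file).
SAMPLE_AVDL = """<avdl>
  <traversal>
    <request method="GET" url="/account/view"/>
    <param name="id" type="int" min="1" max="99999"/>
  </traversal>
  <vulnerability-probe id="p1">
    <request method="GET" url="/search"/>
    <param name="q"/>   <!-- malicious probe value intentionally omitted -->
  </vulnerability-probe>
  <vulnerability-description probe="p1" severity="high">
    <summary>Unvalidated search parameter</summary>
    <hotfix>vendor-patch-1.2.3</hotfix>
  </vulnerability-description>
</avdl>"""

def load_policy(xml_text):
    """allow: URL -> {param: (min, max)} from traversal steps (legitimate ranges);
    deny: URL -> (severity, summary, hotfix) from vulnerability descriptions."""
    root = ET.fromstring(xml_text)
    allow, deny = {}, {}
    for t in root.iter("traversal"):
        url = t.find("request").get("url")
        allow[url] = {p.get("name"): (int(p.get("min")), int(p.get("max")))
                      for p in t.findall("param") if p.get("type") == "int"}
    # Link each description back to the URL its vulnerability-probe targets.
    probes = {p.get("id"): p.find("request").get("url")
              for p in root.iter("vulnerability-probe")}
    for d in root.iter("vulnerability-description"):
        url = probes[d.get("probe")]
        deny[url] = (d.get("severity"), d.findtext("summary"), d.findtext("hotfix"))
    return allow, deny

def check_request(allow, deny, target):
    """Gateway decision for one request target: 'deny' for a known-vulnerable URL
    (shield until the hotfix is applied) or an int parameter outside its
    traversal range; otherwise 'allow'."""
    parts = urlsplit(target)
    if parts.path in deny:
        return "deny"
    for name, (lo, hi) in allow.get(parts.path, {}).items():
        for value in parse_qs(parts.query).get(name, []):
            if not value.isdigit() or not lo <= int(value) <= hi:
                return "deny"
    return "allow"
```

The `deny` map also carries the hotfix identifier, which is the piece a remediation tool would read from the same file.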
From the OASIS Announcement
The OASIS 2004-06-23 announcement:
The OASIS international standards consortium today announced that its members have approved the Application Vulnerability Description Language (AVDL) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. AVDL provides a standard method for exchanging information concerning security vulnerabilities within Web services and Web applications.
"AVDL addresses the challenge of how businesses manage ongoing application security risk on a day-to-day basis," explained Gartner VP and analyst John Pescatore. "When you consider that upwards of 80 application vulnerabilities are announced each week, it's clear how significant this work is. By employing solutions based on the AVDL OASIS Standard, companies can reduce the threat they face from the moment a vulnerability is discovered to the time it takes them to first shield, then patch their systems."
AVDL is already being implemented by companies and government agencies including the central security incident response organization for the United States Department of Energy (DOE) and National Nuclear Security Administration (NNSA), which plans to AVDL-enable its new Security Incident Response Portal.
"Prior to AVDL, network managers had to manually compare reports from application vulnerability assessments with their application firewall rules, patch management systems, and other information from event correlation engines. Then, they needed to take appropriate remediation steps and create firewall rules to secure their applications," said Kevin Heineman of SPI Dynamics, co-chair of the OASIS AVDL Technical Committee. "Now network managers can save valuable time by importing vulnerability assessment data from AVDL-compliant application scanners. Firewalls can configure appropriate rules, patch management software can provide automatic remediation, and event correlation products can include application-level vulnerability data in the organization's overall risk assessment picture. AVDL offers a welcome alternative to the labor-intensive job of eyeballing and rewriting scores of text alerts, freeing security administrators to focus on higher-level policy analysis."
Jan Bialkowski of NetContinuum, co-chair of the OASIS AVDL Technical Committee, agreed, "Organizations are drowning in the flood of security bulletins and alerts while application vulnerability exploits are wreaking havoc on networks around the globe. AVDL offers an automated way to break this cycle by dramatically reducing the time between the discovery of a new vulnerability and the response time to block attacks at the security gateway. Since AVDL is an easy schema to implement, we hope to see rapid adoption, advancing the industry to an era where all security products can share and effectively utilize vulnerability data via AVDL."
Participation in the OASIS AVDL Technical Committee remains open to all organizations and individuals, and OASIS hosts an open mail list for public comment.
"With the ratification of AVDL, we will now have the capability to provide interoperability between industry-leading network and application security technologies and our vulnerability management solutions. Large enterprise and government customers will benefit enormously from the greater flexibility and consistency for implementing security policies with a standard approach to managing vulnerability data," said Carl Banzhof, CTO, Citadel Security Software.
OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 600 organizations and individual members in 100 countries.
Principal references:
- Announcement 2004-06-23: "Application Vulnerability Description Language (AVDL) Ratified as OASIS Standard. Security Vulnerabilities for Web Services and Web Applications Addressed by New Standard."
- Application Vulnerability Description Language. OASIS Standard. [source PDF]
- AVDL XML Schema [source]
- Technical Overview of the Application Vulnerability Description Language (AVDL) V1.0. 22-March-2004. [source .DOC, cache]
- Sample AVDL File. March 2004. [source]
- AVDL TC:
- From AVDL.org and SPI Dynamics:
- AVDL.org website
- AVDL FAQ document, from AVDL.org [cache]
- AVDL Benefits
- AVDL Fact Sheet, from AVDL.org
- AVDL: Selected working examples. SPI Dynamics WebInspect is an assessment tool that discovers vulnerabilities in applications; The NetContinuum Application Security Gateway protects applications by blocking attacks at the perimeter.
- AVDL News, from SPI Dynamics.
- SPI Dynamics [as of 2004-06-24] made available for download "a trial version of WebInspect that generates AVDL output; the trial version contained a sample scan of a test site that you can generate AVDL output through its 'Export' function."
- Earlier news:
- "OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft." News story 2004-04-29.
- "Application Security Leaders Announce Support for AVDL OASIS Committee Draft. Cenzic, Citadel, Department of Energy CIAC, GuardedNet, NetContinuum, Qualys, SPI Dynamics, Teros and WhiteHat Among Growing Number of Organizations to Support AVDL."
- "OASIS Committee Draft for the Application Vulnerability Description Language (AVDL)." News story 2004-02-09.
- "OASIS Forms TC for Application Vulnerability Description Language (AVDL)." News story 2003-04-02.
- General:
- Application Security Standards
- CERT Coordination Center
- Common Vulnerabilities and Exposures (CVE)
- DMTF Alert Standard Format Specification (ASF)
- IETF Incident Object Description and Exchange Format (IODEF)
- IETF Intrusion Detection Exchange Format (IDMEF)
- OASIS Application Vulnerability Description Language TC (AVDL)
- OASIS Web Application Security TC (WAS)
- OpenSec Advisory and Notification Markup Language (ANML)
- Open Vulnerability Assessment Language (OVAL)
- Open Web Application Security Project (OWASP)
- VulnXML Project: A Web Application Security Vulnerability Description Language
- App Security: Articles, Papers, News
- Application Security Standards