OASIS to Establish Classification Standards for Web Security Vulnerabilities

["Carol Geyer" <carol.geyer@oasis-open.org>]

OASIS Works to Establish Classification Standards for Web Security
Vulnerabilities

Boston, MA, USA; 28 May 2003--Members of the OASIS standards consortium
are uniting to create an open data format to describe Web application
security vulnerabilities. The new OASIS Web Application Security (WAS)
Technical Committee will produce a classification scheme for Web
security vulnerabilities, a model to provide guidance for initial
threat, impact and risk ratings, and an XML schema to describe Web
security conditions that can be used by both assessment and protection
tools.

"Gartner believes the OASIS WAS standard effort will play a key role in
supporting innovation in security assessment tools and application-level
intrusion prevention products," said John Pescatore, Vice President for
Internet Security at Gartner Inc. "Having a standard vulnerability
description language will allow enterprises to choose and integrate
best-of-breed products to best address changing threat scenarios."

"Currently, security advisories are published in ambiguous textual forms
or proprietary data files. The same vulnerability is often described in
several different ways, using different languages and contexts that
quantify risks in different ways," explained Mark Curphey, chair of the
OASIS WAS Technical Committee. "WAS will allow vulnerabilities to be
published and received in a consistent manner. Risks will be universally
understood by law enforcement agencies, government representatives,
companies, and organizations, regardless of which tools or technologies
are used."

OASIS WAS Technical Committee members include NetContinuum, Qualys,
Sanctum, SPI Dynamics, and others. Participation remains open to all
organizations and individuals, and OASIS will host an open mail list for
public comment. The committee will hold its first meeting on 3 July
2003.

"WAS is complementary to the work of the OASIS Application Vulnerability
Description Language (AVDL) Technical Committee, which was formed
earlier this year to standardize the format for the way security
products communicate. AVDL, using WAS vulnerability classification, will
deliver a standard method for vulnerabilities to be described and
communicated across
multi-vendor products," noted Kevin Heineman of SPI Dynamics and Jan
Bialkowski of NetContinuum, co-chairs of the OASIS AVDL Technical
Committee.

In the interest of convergence, the OASIS WAS Technical Committee will
consider contributions of related work from other groups and companies.
The Open Web Application Security Project (OWASP), an Open Source
community group dedicated to helping government and industry understand
and improve the security of Web applications and services, plans to
submit its Vulnerability Description Language (VulnXML) to the new OASIS
technical committee.


Industry Support for OASIS WAS Technical Committee

"NetContinuum is a strong proponent of cross-vendor efforts like the
OASIS WAS Technical Committee that create a more consistent
classification and risk rating system for known application
vulnerabilities," said Jan Bialkowski, CTO of NetContinuum. "This
information will serve as an ideal input to existing standards efforts
like AVDL and provide customers with a more standardized approach to
application security."

"OASIS has helped significantly drive the adoption and direction of
electronic business through its development of global standards,
particularly those focused on security," said Gerhard Eschelbeck, Qualys
CTO & VP of Engineering and member of the OASIS WAS Technical Committee.
"The growing sophistication of security threats requires standards for
classifying risk and determining the impact of new web security
vulnerabilities. Qualys is committed to developing and incorporating
such standards into its Web-based service for vulnerability management,
providing solutions that truly meet the needs of customers."

"SPI Dynamics fully supports the efforts of the OASIS WAS Technical
Committee to establish standards in the classification of application
vulnerabilities. In conjunction with the efforts of the OASIS AVDL
Technical Committee, these initiatives
provide significant benefits to the customer in securing their Web
applications by facilitating interoperability of best-of-breed,
multi-vendor products. We look forward to implementing the standards
from both of these groups into our Web application assessment product,
WebInspect," said Kevin Heineman, VP of Engineering, SPI Dynamics.


About OASIS (http://www.oasis-open.org)

OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit, global consortium that drives the
development, convergence, and adoption of e-business standards. Members
themselves set the OASIS technical agenda, using a lightweight, open
process expressly designed to promote industry consensus and unite
disparate efforts. OASIS produces worldwide standards for security, Web
services, conformance, business transactions, electronic publishing,
topic maps and interoperability within and between marketplaces. Founded
in 1993, OASIS has more than 2,000 participants representing over 600
organizations and individual members in 100 countries.


Additional information:

OASIS WAS-XML Technical Committee
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

Cover Pages Technology Report: Application Security
http://xml.coverpages.org/appSecurity.html


Press contact:
Carol Geyer
Director of Communications
OASIS (www.oasis-open.org)
carol.geyer@oasis-open.org
+1.978.667.5115 x209