Subject: [OASIS Issue Tracker] (CSAF-5) Analysis of "VULDEF" and any possible relation to CSAF work products
[ https://issues.oasis-open.org/browse/CSAF-5?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Hagen updated CSAF-5:
----------------------------

    Description:

This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of "VULDEF: The VULnerability Data publication and Exchange Format data model" (cf. http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
This issue allows us to track and document progress and findings of the CSAF TC of the following:
1. understand and summarize VULDEF
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on VULDEF
4. documentation of result
When checked at 2016-11-24 the (PDF format) document tree root referenced existed at the URL http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html and some bibliographic data identified was:
URL = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html
Authors/Editors ==
The members of the JVNRSS Feasibility Study Team:
Masato Terada (IPA, JPCERT/CC)
JVN Working Group (JPCERT/CC, IPA)
AuthorInstitution = JVNRSS
DocumentDate = 2008-04-28
DocumentTitle = VULDEF: The VULnerability Data publication and Exchange Format data model
DocumentStatus = JVNRSS V1.2-R1
DocumentCopyright = "Copyright © 2006-2008 by the Authors." (!)
Abstract ==
""" (content taken from Overview section)
VULDEF(The VULnerability Data publication and Exchange Format data model)" is
intended to be a format for the security information published by the vendors
or the Computer Security Incident Response Teams (CSIRTs).
Assuming widespread adoption of the VULDEF by the community, an organization
can potentially benefit from the increased automation in the processing of
security advisory data, since the commitment of vulnerability handling to
parse free-form textual document will be reduced.
"""
LinkedData = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/vuldef.cgi?lang=en
LinkedDataDetails = Linked from entry document, contains main schema documentation, bears slightly different copyright
LinkedDataCopyright = "Copyright © 2007 by the Authors."

was:
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
This issue allows us to track and document progress and findings of the CSAF TC of the following:
1. understand and summarize AVDL
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on AVDL
4. documentation of result
When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:
URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
Authors/Editors ==
Jan Bialkowski, NetContinuum, jan@netcontinuum.com
Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com
AuthorInstitution = OASIS
DocumentDate = May 2004
DocumentTitle = Application Vulnerability Description Language v1.0
DocumentStatus = OASIS Standard
Abstract ==
"""
This specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities. Simply said, Application Vulnerability Description Language (AVDL) is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML.
With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily or even hourly. Consequently, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches, and manage security events. Enterprises have come to view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for the products these enterprises have implemented to communicate with each other, making the overall security management process far too manual, time-consuming, and error prone.
Enterprise customers are asking companies to provide products that interoperate. A consistent definition of application security vulnerabilities is a significant step towards that goal. AVDL fulfils this goal by providing an XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies.
"""
The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above). To ease processing of this issue, some content is copied here (as of 2016-11-24):
ContentCopy ==
"""
Overview
The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The OASIS AVDL TC creates an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.
"""

> Analysis of "VULDEF" and any possible relation to CSAF work products
> --------------------------------------------------------------------
>
>                 Key: CSAF-5
>                 URL: https://issues.oasis-open.org/browse/CSAF-5
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
>
> This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
> It deals with the analysis of "VULDEF: The VULnerability Data publication and Exchange Format data model" (cf. http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html ),
> which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
> of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
> This issue allows us to track and document progress and findings of the CSAF TC of the following:
> 1. understand and summarize VULDEF
> 2. ensure synergy potentials are identified
> 3. discussion of the relation to and reaction on VULDEF
> 4. documentation of result
> When checked at 2016-11-24 the (PDF format) document tree root referenced existed at the URL http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html and some bibliographic data identified was:
> URL = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html
> Authors/Editors ==
> The members of the JVNRSS Feasibility Study Team:
> Masato Terada (IPA, JPCERT/CC)
> JVN Working Group (JPCERT/CC, IPA)
> AuthorInstitution = JVNRSS
> DocumentDate = 2008-04-28
> DocumentTitle = VULDEF: The VULnerability Data publication and Exchange Format data model
> DocumentStatus = JVNRSS V1.2-R1
> DocumentCopyright = "Copyright © 2006-2008 by the Authors." (!)
> Abstract ==
> """ (content taken from Overview section)
> VULDEF(The VULnerability Data publication and Exchange Format data model)" is
> intended to be a format for the security information published by the vendors
> or the Computer Security Incident Response Teams (CSIRTs).
> Assuming widespread adoption of the VULDEF by the community, an organization
> can potentially benefit from the increased automation in the processing of
> security advisory data, since the commitment of vulnerability handling to
> parse free-form textual document will be reduced.
> """
> LinkedData = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/vuldef.cgi?lang=en
> LinkedDataDetails = Linked from entry document, contains main schema documentation, bears slightly different copyright
> LinkedDataCopyright = "Copyright © 2007 by the Authors."

--
This message was sent by Atlassian JIRA
(v6.2.2#6258)