Subject: [OASIS Issue Tracker] (CSAF-5) Analysis of "VULDEF" and any possible relation to CSAF work products


     [ https://issues.oasis-open.org/browse/CSAF-5?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Hagen updated CSAF-5:
----------------------------

    Description: 
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of "VULDEF: The VULnerability Data publication and Exchange Format data model" (cf. http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).

This issue allows us to track and document progress and findings of the CSAF TC of the following:

1. understand and summarize VULDEF
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction to VULDEF
4. documentation of result

When checked at 2016-11-24 the (PDF format) document tree root referenced existed at the URL http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html and some bibliographic data identified was:

URL = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/index.en.html
Authors/Editors == 
The members of the JVNRSS Feasibility Study Team:

Masato Terada (IPA, JPCERT/CC)
JVN Working Group (JPCERT/CC, IPA)

AuthorInstitution = JVNRSS
DocumentDate = 2008-04-28

DocumentTitle = VULDEF: The VULnerability Data publication and Exchange Format data model
DocumentStatus = JVNRSS V1.2-R1
DocumentCopyright = "Copyright © 2006-2008 by the Authors." (!)

Abstract == 
""" (content taken from Overview section)
"VULDEF (The VULnerability Data publication and Exchange Format data model)" is
intended to be a format for the security information published by the vendors
or the Computer Security Incident Response Teams (CSIRTs).
Assuming widespread adoption of the VULDEF by the community, an organization 
can potentially benefit from the increased automation in the processing of 
security advisory data, since the commitment of vulnerability handling to 
parse free-form textual document will be reduced.
"""

LinkedData = http://jvnrss.ise.chuo-u.ac.jp/jtg/vuldef/vuldef.cgi?lang=en
LinkedDataDetails = Linked from entry document; contains main schema documentation; bears slightly different copyright
LinkedDataCopyright = "Copyright © 2007 by the Authors."


  was:
This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).

This issue allows us to track and document progress and findings of the CSAF TC of the following:

1. understand and summarize AVDL
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction to AVDL
4. documentation of result

When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:

URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
Authors/Editors == 
Jan Bialkowski, NetContinuum, jan@netcontinuum.com
Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com

AuthorInstitution = OASIS
DocumentDate = May 2004

DocumentTitle = Application Vulnerability Description Language v1.0
DocumentStatus = OASIS Standard

Abstract == 
"""
This specification describes a standard XML format that allows entities (such as 
applications, organizations, or institutes) to communicate information regarding 
web application vulnerabilities. 

Simply said, Application Vulnerability Description Language (AVDL) is a security
interoperability standard for creating a uniform method of describing application
security vulnerabilities using XML.

With the growing adoption of web-based technologies, applications have become
far more dynamic, with changes taking place daily or even hourly.
Consequently, enterprises must deal with a constant flood of new security patches
from their application and infrastructure vendors.
To make matters worse, network-level security products do little to protect against
vulnerabilities at the application level. To address this problem, enterprises today
have deployed a host of best-of-breed security products to discover application
vulnerabilities, block application-layer attacks, repair vulnerable web sites,
distribute patches, and manage security events.
Enterprises have come to view application security as a continuous lifecycle.
Unfortunately, there is currently no standard way for the products these enterprises
have implemented to communicate with each other, making the overall security
management process far too manual, time-consuming, and error prone.

Enterprise customers are asking companies to provide products that interoperate. 
A consistent definition of application security vulnerabilities is a significant step towards 
that goal. 
AVDL fulfils this goal by providing an XML-based vulnerability assessment output 
that will be used to improve the effectiveness of attack prevention, event correlation, 
and remediation technologies.
"""

The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above).

To ease processing of this issue, some content is copied here (as of 2016-11-24):

ContentCopy == 
"""
Overview

The goal of AVDL is to create a uniform way of describing application security vulnerabilities. 
The OASIS AVDL TC creates an XML definition for exchange of information relating to security 
vulnerabilities of applications exposed to networks. 
For example, the owners of an application may use a scanning tool to test their application 
for exposed vulnerabilities to various types of malicious attacks. 
That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. 
That AVDL information may be utilized by application security gateways to recommend the 
optimal attack prevention policy for that specific application. 
Remediation products could use AVDL files to suggest the best course of action for 
correcting problems, while reporting tools could use AVDL to correlate event logs with 
areas of known vulnerability.
"""



> Analysis of "VULDEF" and any possible relation to CSAF work products
> --------------------------------------------------------------------
>
>                 Key: CSAF-5
>                 URL: https://issues.oasis-open.org/browse/CSAF-5
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
>



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)