Subject: OASIS TC Call for Participation: Web Application Security TC


A new OASIS technical committee is being formed. The OASIS Web
Application Security Technical Committee (WAS TC) has been proposed by
the following members of OASIS: Steven Taylor, Bank of America; Martin 
Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the 
following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole, 
Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins, 
Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel 
Lawrence, and Andrew Jacquith.

The proposal for a new TC meets the requirements of the OASIS TC Process 
(see http://oasis-open.org/committees/process.shtml), and is appended to 
this message. The proposal, which includes a statement of purpose, list 
of deliverables, and proposed schedule, will constitute the TC's 
charter. The TC Process allows these items to be clarified (revised) by 
the TC members; such clarifications (revisions), as well as submissions 
of technology for consideration by the TC and the beginning of technical 
discussions, may occur no sooner than the TC's first meeting.

As specified by the OASIS TC Process, the requirements for becoming a 
member of the TC are that you must 1) be an employee of an OASIS member 
organization or an Individual member of OASIS; 2) notify the TC chair of 
your intent to participate at least 15 days prior to the first meeting; 
and 3) attend the first meeting of the TC.

For OASIS members, to sign up for the TC using the new OASIS 
collaborative tools, go to the TC's public page at 
http://www.oasis-open.org/committees/was and click on the button for 
"Join This TC" at the top of the page. You may add yourself to the 
roster of the TC either as a Prospective Member (if you intend to become 
a member of the TC) or an Observer. A notice will automatically be sent 
to the TC chair, which fulfills requirement #2 above. You must sign up 
for membership at least 15 days before the first meeting and must attend 
the first meeting of the TC in order to become a member.

Note that membership in OASIS TCs is by individual, and not by organization.

For non-OASIS members, a public comment list 
was-comment@lists.oasis-open.org is available for the public to make 
comments on the work of this TC; the public may subscribe to this list 
by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl.

The archives of the TC's private and comment mail lists are visible to 
the public at http://lists.oasis-open.org/archives/

Further information about this topic may be found on the Cover Pages 
under the topic of "Application Security" at 
http://xml.coverpages.org/appSecurity.html


-Karl

=================================================================
Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org


OASIS Proposal for WAS-XML

Name of the TC

The name of the technical committee will be WAS-XML (Web Application 
Security XML).

Statement of Purpose

Like many other parts of the IT industry, the information security 
industry has grown extremely fast with few standards bodies and often 
little co-operation and co-ordination between vendors and the user 
community.

When security researchers and software vendors publish security 
advisories, they usually do so in an ambiguous textual form or embed the 
data into a proprietary data file that only works with their own 
proprietary security tools.  The same vulnerability can be (and often 
is) described in several different ways, using different language and 
context, quantifying the impact and threat, and therefore the risk, in 
different ways and with different rating assessments. Nor can this 
textual data be used to provide automated, immediate protection by web 
security assessment and intrusion protection tools.

The WAS-XML technical committee will produce:

- a classification scheme for web security vulnerabilities
- a model to provide guidance for initial threat, impact and therefore 
risk ratings
- an XML schema to describe web security conditions that can be used by 
both assessment and protection tools

The technical committee will unite industry consensus and provide 
standards from which vendors and users will benefit. It will leverage 
and extend the work of the OWASP VulnXML project that has been 
established for over a year.  The existing VulnXML work is being given 
to OASIS as part of this proposal.

We will liaise with the OASIS AVDL TC, whose mission is to develop 
communication protocols through which application security tools 
integrate. There is a clear distinction between the description of the 
data and the subsequent inter-technology communication of it; given the 
substantial work and thought already undertaken, the WAS-XML TC will 
leverage that and focus on the data portion of this problem.  The 
proposers of this TC anticipate that the AVDL specification will consume 
WAS-XML data.

List of Deliverables

- Web Security Classification Scheme - within 12 weeks of TC formation
- Web Security Risk Ranking Model - within 16 weeks of TC formation
- WAS-XML Schema (fully documented) - within 24 weeks of TC formation
- WAS-XML Developers Guide - within 24 weeks of TC formation
- WAS-XML Overview for Security Researchers and Software Vendors - 
within 24 weeks of TC formation

Language

This TC will conduct its business in English.

Date and time of first meeting

The first meeting will be held on July 3rd, 2003 at 12pm ET via 
teleconference in English.

Meeting Schedule

This technical committee will hold teleconference calls every two weeks 
on Fridays at 10am EST.  It is proposed to hold a face-to-face meeting 
in September in Washington DC.

Proposers

Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
Martin Nystrom - Cisco (mnystrom@cisco.com)
William Hau - IBM (whau@uk.ibm.com)
Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
Yuval Ben-Itzak - Individual (yuval@kavado.com)
Phil Brass - Individual (pbrass@iss.net)
Dave Cole - Individual (dave.cole@foundstone.com)
Mark Curphey - Individual (mark.curphey@watchfire.com)
Rogan Dawes - Individual (rdawes@deloitte.co.za)
David Endler - Individual (dendler@idefense.com)
Jeremy Poteet - Individual (jpoteet@tech-partners.com)
Kerry Rollins - Individual (kerry.Rollins@ey.com)
Tim Smith - Individual (tim.smith@alphawest.com.au)
Jeff Williams - Individual (jeff.williams@aspectsecurity.com)
David Raphael - Individual (david.raphael@ericsson.com)
Jason Childers - Individual (childers_j@yahoo.com)
Gabriel Lawrence - Individual (gabe@ucsd.edu)
Andrew Jacquith - Individual (ajaquith@atstake.com)

Chair

The Chair will be Mark Curphey (mark.curphey@watchfire.com).

Telephone meeting sponsors

The telephone meeting sponsor will be OWASP.

Face-to-face meeting sponsors

The face-to-face meeting sponsor will be OWASP.