[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AVDL specification submitted for OASIS Standard
OASIS members:
The OASIS Application Vulnerability Description Language (AVDL) TC has
submitted the Application Vulnerability Description Language (AVDL) v1.0
specification, which is an approved Committee Draft, for review and
consideration for approval by OASIS members to become an OASIS Standard.
The TC's submission is attached below.
In accordance with the OASIS Technical Process, the specification has
already gone through a 30 day public review period. OASIS members now
have until the 15th of the month to familiarize themselves with the
submission. OASIS members should give their input on this question to
the voting representative of their organization.
By the 16th of the month I will send out a Call For Vote to the voting
representative of each OASIS member organization, who will have until
the end of the month to cast their ballots on whether this Committee
Draft should be approved as an OASIS Standard.
The normative TC Process for approval of Committee Drafts as OASIS
Standards is found at
http://www.oasis-open.org/committees/process.php#standard
Any statements related to the IPR of this specification are posted at
http://www.oasis-open.org/committees/avdl/ipr.php
-Karl
=================================================================
Karl F. Best
Vice President, OASIS
office +1 978.667.5115 x206 mobile +1 978.761.1648
karl.best@oasis-open.org http://www.oasis-open.org
1. A formal specification that is a valid member of its type, together
with appropriate documentation for the specification, both of which must
be written using approved OASIS templates.
AVDL Committee Draft Specification Version 1.0
http://www.oasis-open.org/committees/download.php/6163/AVDL%20Specification_V1.pdf
AVDL XML Schema
http://www.oasis-open.org/committees/download.php/5065/avdl.xsd
2. A clear English-language summary of the specification.
The Application Vulnerability Description Language (AVDL) specification
describes a standard XML format that allows entities (such as
applications, organizations, or institutes) to communicate information
regarding web application vulnerabilities. Simply said, AVDL is a
security interoperability standard for creating a uniform method of
describing application security vulnerabilities using XML.
With the growing adoption of web-based technologies, applications have
become far more dynamic, with changes taking place daily or even hourly.
Consequently, enterprises must deal with a constant flood of new
security patches from their application and infrastructure vendors. To
make matters worse, network-level security products do little to protect
against vulnerabilities at the application level. To address this
problem, enterprises today have deployed a host of best-of-breed
security products to discover application vulnerabilities, block
application-layer attacks, repair vulnerable web sites, distribute
patches, and manage security events. Enterprises have come to view
application security as a continuous lifecycle. Unfortunately, there is
currently no standard way for the products these enterprises have
implemented to communicate with each other, making the overall security
management process far too manual, time-consuming, and error prone.
Enterprise customers are asking companies to provide products that
interoperate. A consistent definition of application security
vulnerabilities is a significant step towards that goal. AVDL fulfills
this goal by providing an XML-based vulnerability assessment output that
will be used to improve the effectiveness of attack prevention, event
correlation, and remediation technologies.
3. A statement regarding the relationship of this specification to
similar work of other OASIS TCs or other standards developing organizations.
The AVDL Technical Committee would like to acknowledge earlier efforts
in promotion of application vulnerabilities and standardization of their
representation and interchange. Their work inspired many ideas
incorporated into the AVDL standard.
The following works are related to AVDL:
i. The Open Vulnerability Assessment Language developed at the Mitre
Corporation "is the common language for security experts to discuss and
agree upon technical details about how to check for the presence of a
vulnerability on a computer system". Using SQL, OVAL queries are based
on broadly recognized Common Vulnerabilities and Exposures (CVE)
database and by "specifying logical conditions on the values of system
characteristics and configuration attributes, OVAL queries characterize
exactly which systems are susceptible to a given vulnerability."
ii. VulnXML developed by the Open Web Application Security Project
(OWASP) "could be used by automated assessment tools to test for known
security issues". Closely related and also developed at OWASP was
Application Security Attack Components or ASAC which "is a basic
classification scheme of web application security issues. The aim of
this project was to create a common language and a consensus
understanding among the industry to describe the same issue in the same
way." Their work continues at OASIS Web Application Security TC.
4. Certification by at least three OASIS member organizations that they
are successfully using the specification consistently with the OASIS IPR
Policy.
Citadel
http://lists.oasis-open.org/archives/avdl/200403/msg00012.html
NetContinuum
http://lists.oasis-open.org/archives/avdl/200403/msg00021.html
SPI Dynamics
http://lists.oasis-open.org/archives/avdl/200403/msg00011.html
5. An account of each of the comments/issues raised during the public
review period, along with its resolution.
The document is located at
http://www.oasis-open.org/committees/download.php/5774/AVDL%20Public%20Review%20Comments.doc
It lists the comments received during the public review conducted from 6
February to 8 March 2004, and their resolution. Note: only one comment
was received during this period.
6. An account of and results of the voting to approve the approve the
specification as a Committee Draft.
Approval of the specification as a Committee Draft was 26 March 2004.
The ballot results can be found at the following link:
http://www.oasis-open.org/committees/ballot.php?id=409&vr=1&ew=
Approval to submit the Committee Draft to OASIS membership for
consideration as an OASIS standard. The ballot can be found at the
following link:
http://www.oasis-open.org/committees/ballot.php?id=410&vr=1&ew=
7. An account of or pointer to votes and comments received in any
earlier attempts to standardize substantially the same specification,
together with the originating TC's response to each comment.
There have been no other attempts to standardize this specification to
OASIS.
8. A pointer to the publicly visible comments archive for the
originating TC.
AVDL TC List:
http://lists.oasis-open.org/archives/avdl/
AVDL TC Comment List:
http://lists.oasis-open.org/archives/avdl-comment/
9. A statement from the chair of the TC certifying that all members of
the TC have been provided with a copy of the OASIS IPR Policy.
"All members of the Technical Committee have been provided with access
to the OASIS IPR policy. An email was sent on March 4, 2004 to the
members of the Technical Committee with a link to the policy. In
addition, this submission complies with the requirements of the IPR policy."
10. Optionally, a pointer to any minority reports submitted by one or
more TC members who did not vote in favor of approving the Committee
Draft, or certification by the chair that no minority reports exist.
There are no minority reports to list with this specification.
Submitted by the TC chairs:
Kevin Heineman, kheineman@spidynamics.com
Jan Bialkowski, jan@netcontinuum.com
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]