OASIS Press Release: AVDL

["Carol Geyer" <carol.geyer@oasis-open.org>]

Sharon,
As soon as possible, please post the following press release to the
OASIS site. Link the headline, "OASIS Members Collaborate to Address
Security Vulnerabilities for Web Services and Web Applications" to:

http://www.oasis-open.org/ under OASIS NEWS (then delete the oldest
headline)

http://www.oasis-open.org/news/ under OASIS 2003 Press Releases

http://www.oasis-open.org/committees/avdl/press.php

Thanks,
Carol





OASIS Members Collaborate to Address Security Vulnerabilities for Web
Services and Web Applications

San Francisco, Calif. (RSA Security Conference); 14 April 2003 --
Members of the OASIS interoperability consortium announced plans to
define a standard method of exchanging information concerning security
vulnerabilities within Web services and Web applications. The new OASIS
Application Vulnerability Description Language (AVDL) Technical
Committee will address the challenge of how businesses manage ongoing
application security risk on a day-to-day basis.

"Although there are several products available that help companies
discover application vulnerabilities, block application-layer attacks,
repair vulnerable web sites, distribute patches and manage security
events, there is currently no universal way for these products to
communicate with one another, making pragmatic risk management a highly
manual, often complex process," explained Kevin Heineman of SPI
Dynamics, co-chair of the OASIS AVDL Technical Committee. "The goal of
AVDL is to enable companies to manage and simplify the full application
security lifecycle by providing a uniform way to communicate application
security vulnerabilities, policies and events using XML."

"With the growing adoption of Web-based technologies, applications have
become far more dynamic, often changing daily, or even hourly," said Jan
Bialkowski of NetContinuum, co-chair of the OASIS AVDL Technical
Committee. "Keeping pace with these rapidly changing threats will
increasingly require close cooperation between various security
components. The formation of this technical committee will give vendors
an optimal forum to synchronize their products across the entire
application security lifecycle."

Initial members of the OASIS AVDL Technical Committee include Booz Allen
Hamilton, NetContinuum, Reed Elsevier, Sanctum, SPI Dynamics, and
others. Participation remains open to all organizations and individuals,
and OASIS will host an open mail list for public comment. The committee
will hold its first meeting on 15 May 2003.

Industry Support for AVDL

"Sanctum fully supports OASIS and the AVDL TC as a cross vendor effort
to unify the terminology, and standardize the way application level
vulnerabilities are communicated and represented to users in the
industry. Sanctum's  AppScan, an automated security testing tool, will
take full advantage of this standard to allow for interoperability with
third party reporting and assessment tools," said Steve Orrin, CTO of
Sanctum, Inc.




About OASIS (http://www.oasis-open.org)

OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit, global consortium that drives the
development, convergence, and adoption of e-business standards. Members
themselves set the OASIS technical agenda, using a lightweight, open
process expressly designed to promote industry consensus and unite
disparate efforts. OASIS produces worldwide standards for security, Web
services, XML conformance, business transactions, electronic publishing,
topic maps and interoperability within and between marketplaces. Founded
in 1993, OASIS has more than 2,000 participants representing over 600
organizations and individual members in 100 countries.

Additional information:

OASIS AVDL Technical Committee
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl

Cover Pages: Application Security
http://xml.coverpages.org/appSecurity.html


Press contact:

Carol Geyer
OASIS Director of Communications
carol.geyer@oasis-open.org
+1.941.284.0403