Subject: [OASIS Issue Tracker] (CSAF-5) Analysis of "VULDEF" and any possible relation to CSAF work products


Stefan Hagen created CSAF-5:
-------------------------------

             Summary: Analysis of "VULDEF" and any possible relation to CSAF work products
                 Key: CSAF-5
                 URL: https://issues.oasis-open.org/browse/CSAF-5
             Project: OASIS Common Security Advisory Framework (CSAF) TC
          Issue Type: Task
         Environment: [New]
            Reporter: Stefan Hagen
            Priority: Critical


This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).

This issue allows us to track and document the progress and findings of the CSAF TC on the following:

1. understand and summarize AVDL
2. ensure synergy potentials are identified
3. discussion of the relation to and reaction on AVDL
4. documentation of result

When checked on 2016-11-24, the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:

URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
Authors/Editors == 
Jan Bialkowski, NetContinuum, jan@netcontinuum.com
Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com

AuthorInstitution = OASIS
DocumentDate = May 2004

DocumentTitle = Application Vulnerability Description Language v1.0
DocumentStatus = OASIS Standard

Abstract == 
"""
This specification describes a standard XML format that allows entities (such as
applications, organizations, or institutes) to communicate information regarding
web application vulnerabilities.

Simply said, Application Vulnerability Description Language (AVDL) is a security
interoperability standard for creating a uniform method of describing application
security vulnerabilities using XML.

With the growing adoption of web-based technologies, applications have become
far more dynamic, with changes taking place daily or even hourly.
Consequently, enterprises must deal with a constant flood of new security patches
from their application and infrastructure vendors.
To make matters worse, network-level security products do little to protect against
vulnerabilities at the application level. To address this problem, enterprises today
have deployed a host of best-of-breed security products to discover application
vulnerabilities, block application-layer attacks, repair vulnerable web sites,
distribute patches, and manage security events.
Enterprises have come to view application security as a continuous lifecycle.
Unfortunately, there is currently no standard way for the products these enterprises
have implemented to communicate with each other, making the overall security
management process far too manual, time-consuming, and error prone.

Enterprise customers are asking companies to provide products that interoperate.
A consistent definition of application security vulnerabilities is a significant step towards
that goal.
AVDL fulfils this goal by providing an XML-based vulnerability assessment output
that will be used to improve the effectiveness of attack prevention, event correlation,
and remediation technologies.
"""

The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the information available on the TC page (cf. above).

To ease processing of this issue, some content is copied here (as of 2016-11-24):

ContentCopy == 
"""
Overview

The goal of AVDL is to create a uniform way of describing application security vulnerabilities.
The OASIS AVDL TC creates an XML definition for exchange of information relating to security
vulnerabilities of applications exposed to networks.
For example, the owners of an application may use a scanning tool to test their application
for exposed vulnerabilities to various types of malicious attacks.
That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format.
That AVDL information may be utilized by application security gateways to recommend the
optimal attack prevention policy for that specific application.
Remediation products could use AVDL files to suggest the best course of action for
correcting problems, while reporting tools could use AVDL to correlate event logs with
areas of known vulnerability.
"""
--
This message was sent by Atlassian JIRA
(v6.2.2#6258)