
Subject: [OASIS Issue Tracker] (CSAF-4) Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products


    [ https://issues.oasis-open.org/browse/CSAF-4?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65252#comment-65252 ] 

Jerome Athias commented on CSAF-4:
----------------------------------

Test & Remediation are interesting (more granular than over Standards/Formats focusing more on the "Risk" aspect) while providing some level of technical aspects needed for the Test/Evaluation/Assessment (scan/detection) of a Vulnerability (Weakness+Exposure).
e.g.: URI/Parameters, Protocol, Port... (what was envisioned as requests)
This should be defined now using more structured and standardized objects. I suggest using OASIS CTI CybOX Objects for this purpose.
Ref. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti-cybox

The Remediation part should be redefined using OASIS CTI CybOX Objects and the OVAL Language.
Ref. https://oval.cisecurity.org/


> Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CSAF-4
>                 URL: https://issues.oasis-open.org/browse/CSAF-4
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
>
> This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
> It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
> which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work" 
> of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
> This issue allows us to track and document progress and findings of the CSAF TC of the following:
> 1. understand and summarize AVDL
> 2. ensure synergy potentials are identified
> 3. discussion of the relation to and reaction on AVDL
> 4. documentation of result
> When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:
> URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
> Authors/Editors == 
> Jan Bialkowski, NetContinuum, jan@netcontinuum.com
> Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com
> AuthorInstitution = OASIS
> DocumentDate = May 2004
> DocumentTitle = Application Vulnerability Description Language v1.0
> DocumentStatus = OASIS Standard
> Abstract == 
> """
> This specification describes a standard XML format that allows entities (such as 
> applications, organizations, or institutes) to communicate information regarding 
> web application vulnerabilities. 
>   Simply said, Application Vulnerability Description Language (AVDL) is a security 
>   interoperability standard for creating a uniform method of describing application 
>   security vulnerabilities using XML.
>  
>   With the growing adoption of web-based technologies, applications have become 
>   far more dynamic, with changes taking place daily or even hourly. 
>   Consequently, enterprises must deal with a constant flood of new security patches 
>   from their application and infrastructure vendors. 
>   To make matters worse, network-level security products do little to protect against 
>   vulnerabilities at the application level. To address this problem, enterprises today 
>   have deployed a host of best-of-breed security products to discover application 
>   vulnerabilities, block application-layer attacks, repair vulnerable web sites, 
>   distribute patches, and manage security events. 
>   Enterprises have come to view application security as a continuous lifecycle. 
>   Unfortunately, there is currently no standard way for the products these enterprises 
>   have implemented to communicate with each other, making the overall security 
>   management process far too manual, time-consuming, and error prone.
> Enterprise customers are asking companies to provide products that interoperate. 
> A consistent definition of application security vulnerabilities is a significant step towards 
> that goal. 
> AVDL fulfils this goal by providing an XML-based vulnerability assessment output 
> that will be used to improve the effectiveness of attack prevention, event correlation, 
> and remediation technologies.
> """
> The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above).
> To ease processing of this issue, some content is copied here (as of 2016-11-24):
> ContentCopy == 
> """
> Overview
> The goal of AVDL is to create a uniform way of describing application security vulnerabilities. 
> The OASIS AVDL TC creates an XML definition for exchange of information relating to security 
> vulnerabilities of applications exposed to networks. 
> For example, the owners of an application may use a scanning tool to test their application 
> for exposed vulnerabilities to various types of malicious attacks. 
> That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. 
> That AVDL information may be utilized by application security gateways to recommend the 
> optimal attack prevention policy for that specific application. 
> Remediation products could use AVDL files to suggest the best course of action for 
> correcting problems, while reporting tools could use AVDL to correlate event logs with 
> areas of known vulnerability.
> """



--
This message was sent by Atlassian JIRA
(v6.2.2#6258)