Subject: [OASIS Issue Tracker] (CSAF-4) Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products
[ https://issues.oasis-open.org/browse/CSAF-4?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65301#comment-65301 ]

Stefan Hagen commented on CSAF-4:
---------------------------------

All please take note of the CTI committee's ballot, which documents the OASIS CTI TC's decision to integrate CybOX into STIX:

Publicly accessible ballot URL: https://www.oasis-open.org/committees/ballot.php?id=2989

> Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: CSAF-4
>                 URL: https://issues.oasis-open.org/browse/CSAF-4
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
>
> This issue (task) is one of many similar formal issues formalizing the TC's process to analyse similar work.
> It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
> which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
> of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
>
> This issue allows us to track and document progress and findings of the CSAF TC on the following:
>
> 1. understand and summarize AVDL
> 2. ensure synergy potentials are identified
> 3. discussion of the relation to and reaction to AVDL
> 4. documentation of result
>
> When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:
>
> URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
> Authors/Editors ==
>     Jan Bialkowski, NetContinuum, jan@netcontinuum.com
>     Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com
> AuthorInstitution = OASIS
> DocumentDate = May 2004
> DocumentTitle = Application Vulnerability Description Language v1.0
> DocumentStatus = OASIS Standard
> Abstract ==
> """
> This specification describes a standard XML format that allows entities (such as
> applications, organizations, or institutes) to communicate information regarding
> web application vulnerabilities.
> Simply said, Application Vulnerability Description Language (AVDL) is a security
> interoperability standard for creating a uniform method of describing application
> security vulnerabilities using XML.
>
> With the growing adoption of web-based technologies, applications have become
> far more dynamic, with changes taking place daily or even hourly.
> Consequently, enterprises must deal with a constant flood of new security patches
> from their application and infrastructure vendors.
> To make matters worse, network-level security products do little to protect against
> vulnerabilities at the application level. To address this problem, enterprises today
> have deployed a host of best-of-breed security products to discover application
> vulnerabilities, block application-layer attacks, repair vulnerable web sites,
> distribute patches, and manage security events.
> Enterprises have come to view application security as a continuous lifecycle.
> Unfortunately, there is currently no standard way for the products these enterprises
> have implemented to communicate with each other, making the overall security
> management process far too manual, time-consuming, and error prone.
> Enterprise customers are asking companies to provide products that interoperate.
> A consistent definition of application security vulnerabilities is a significant step towards
> that goal.
> AVDL fulfils this goal by providing an XML-based vulnerability assessment output
> that will be used to improve the effectiveness of attack prevention, event correlation,
> and remediation technologies.
> """
>
> The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above).
> To ease processing of this issue, some content is copied here (as of 2016-11-24):
>
> ContentCopy ==
> """
> Overview
> The goal of AVDL is to create a uniform way of describing application security vulnerabilities.
> The OASIS AVDL TC creates an XML definition for exchange of information relating to security
> vulnerabilities of applications exposed to networks.
> For example, the owners of an application may use a scanning tool to test their application
> for exposed vulnerabilities to various types of malicious attacks.
> That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format.
> That AVDL information may be utilized by application security gateways to recommend the
> optimal attack prevention policy for that specific application.
> Remediation products could use AVDL files to suggest the best course of action for
> correcting problems, while reporting tools could use AVDL to correlate event logs with
> areas of known vulnerability.
> """

--
This message was sent by Atlassian JIRA
(v6.2.2#6258)