OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

csaf message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: [OASIS Issue Tracker] (CSAF-4) Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products

    [ https://issues.oasis-open.org/browse/CSAF-4?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=65301#comment-65301 ] 

Stefan Hagen commented on CSAF-4:

All take note please of the CTI committees ballot, that documents the OASIS CTI TC's decision, to integrate CybOX into STIX:

Public accessible ballot URL:

> Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products
> -------------------------------------------------------------------------------------------------------------------
>                 Key: CSAF-4
>                 URL: https://issues.oasis-open.org/browse/CSAF-4
>             Project: OASIS Common Security Advisory Framework (CSAF) TC
>          Issue Type: Task
>         Environment: [New]
>            Reporter: Stefan Hagen
>            Priority: Critical
>              Labels: similar_work
> This issue (task) is one of many similar formal issues formalizing the TCs process to analyse similar work.
> It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
> which has been named explicitedly as similar work in section (2)(a) "Identification of Similar Work" 
> of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
> This issue allows us to track and document progress and findings of the CSAF TC of the following:
> 1. understand and summarize AVDL
> 2. ensure synergy potentials are identified
> 3. discussion of the relation to and reaction on AVDL
> 4. documentation of result
> When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:
> URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
> Authors/Editors == 
> Jan Bialkowski, NetContinuum, jan@netcontinuum.com
> Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com
> AuthorInstitution = OASIS
> DocumentDate = May 2004
> DocumentTitle = Application Vulnerability Description Language v1.0
> DocumentStatus = OASIS Standard
> Abstract == 
> """
> This specification describes a standard XML format that allows entities (such as 
> applications, organizations, or institutes) to communicate information regarding 
> web application vulnerabilities. 
>   Simply said, Application Vulnerability Description Language (AVDL) is a security 
>   interoperability standard for creating a uniform method of describing application 
>   security vulnerabilities using XML.
>   With the growing adoption of web-based technologies, applications have become 
>   far more dynamic, with changes taking place daily or even hourly. 
>   Consequently, enterprises must deal with a constant flood of new security patches 
>   from their application and infrastructure vendors. 
>   To make matters worse, network-level security products do little to protect against 
>   vulnerabilities at the application level. To address this problem, enterprises today 
>   have deployed a host of best-of-breed security products to discover application 
>   vulnerabilities, block application-layer attacks, repair vulnerable web sites, 
>   distribute patches, and manage security events. 
>   Enterprises have come to view application security as a continuous lifecycle. 
>   Unfortunately, there is currently no standard way for the products these enterprises 
>   have implemented to communicate with each other, making the overall security 
>   management process far too manual, time-consuming, and error prone.
> Enterprise customers are asking companies to provide products that interoperate. 
> A consistent definition of application security vulnerabilities is a significant step towards 
> that goal. 
> AVDL fulfils this goal by providing an XML-based vulnerability assessment output 
> that will be used to improve the effectiveness of attack prevention, event correlation, 
> and remediation technologies.
> """
> The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above).
> To ease processing of this issue, some content is copied here (as of 2016-11-24):
> ContentCopy == 
> """
> Overview
> The goal of AVDL is to create a uniform way of describing application security vulnerabilities. 
> The OASIS AVDL TC creates an XML definition for exchange of information relating to security 
> vulnerabilities of applications exposed to networks. 
> For example, the owners of an application may use a scanning tool to test their application 
> for exposed vulnerabilities to various types of malicious attacks. 
> That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. 
> That AVDL information may be utilized by application security gateways to recommend the 
> optimal attack prevention policy for that specific application. 
> Remediation products could use AVDL files to suggest the best course of action for 
> correcting problems, while reporting tools could use AVDL to correlate event logs with 
> areas of known vulnerability.
> """

This message was sent by Atlassian JIRA

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]