Subject: OASIS TC Call for Participation: AVDL TC

A new OASIS technical committee is being formed. The OASIS Application
Vulnerability Description Language (AVDL) Technical Committee has been
proposed by the following members of OASIS: Carl Banzhof, Citadel
Security Software; Jan Bialkowski, NetContinuum; and Kevin Heineman, SPI Dynamics.

The proposal for a new TC meets the requirements of the OASIS TC
Process (see http://oasis-open.org/committees/process.shtml), and is
appended to this message. The proposal, which includes a statement of
purpose, list of deliverables, and proposed schedule, will constitute
the TC's charter. The TC Process allows these items to be clarified
by the TC members; such clarifications, as well as submissions of 
technology for consideration by the TC and the beginning of technical 
discussions, may occur no sooner than the TC's first meeting.

As specified by the OASIS TC Process, the requirements for becoming a
member of the TC are that you must 1) be an employee of an OASIS member
organization or an Individual member of OASIS; 2) notify the TC chair of
your intent to participate at least 15 days prior to the first meeting;
and 3) attend the first meeting of the TC.

For OASIS members, to sign up for the TC using the new OASIS
collaborative tools, go to the TC's public page at
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl and 
click on the button for "Join This TC" at the top of the page. You may 
add yourself to the roster of the TC either as a Prospective Member (if 
you intend to become a member of the TC) or an Observer. A notice will 
automatically be sent to the TC chair, which fulfills requirement #2 
above. You must sign up for membership at least 15 days before the first 
meeting and must attend the first meeting of the TC in order to become a 

Note that membership in OASIS TCs is by individual, and not by
organization.
For non-OASIS members, a public comment list
avdl-comment@lists.oasis-open.org is available for the public to make
comments on the work of this TC; the public may subscribe to this list
by going to the mail list web page at http://lists.oasis-open.org/ob/adm.pl.

The archives of the TC's private and comment mail lists are visible to
the public at http://lists.oasis-open.org/archives/

Further information about this topic may be found on the Cover Pages 
under the topic of Application Security at


Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org

Proposal to form the Application Vulnerability Description Language
(AVDL) Technical Committee

1. The name of the TC, such name not to have been previously used for an
OASIS TC and not to include any trademarks or service marks not owned by

OASIS Application Vulnerability Description Language (AVDL) Technical
Committee
2. Statement of purpose, which must be germane to the mission of OASIS;

The goal of AVDL is to create a uniform way of describing application
security vulnerabilities. The AVDL TC is formed to create an XML
definition for exchange of information relating to security
vulnerabilities of applications exposed to networks. For example, the
owners of an application may use a scanning tool to test their
application for exposed vulnerabilities to various types of malicious
attacks. That tool may catalogue and record vulnerabilities detected
into an XML file in AVDL format. That AVDL information may be utilized
by application security gateways to recommend the optimal attack
prevention policy for that specific application. Remediation products
could use AVDL files to suggest the best course of action for correcting
problems, while reporting tools could use AVDL to correlate event logs
with areas of known vulnerability.

The AVDL TC will focus on defining a schema that enables easy
communication concerning security vulnerabilities between any of the
various security entities that address Hypertext Transfer Protocol (HTTP
1.0 and HTTP 1.1) application-level protocol security. AVDL will
describe attacks and vulnerabilities that use HTTP as a generic protocol
for communication between clients and proxies/gateways to other Internet
systems and hosts. Security entities that might utilize AVDL include but
are not limited to: vulnerability assessment tools, application security
gateways, reporting tools, correlation systems, remediation tools, etc.

AVDL is not intended to communicate network layer vulnerability
information such as network topology, TCP-related attacks or other
network layer issues. Nor is AVDL intended to carry any information
about authentication or access control; those issues are covered by SAML
and XACML.

3. List of deliverables, with projected dates;

- First candidate AVDL specification posted for comment September, 2003
- First candidate specification closed for comment 30 days after initial
- AVDL 1.0 final specification posted December, 2003

4. Language in which the TC will conduct business;


5. Date and time of the first meeting, and whether it will be held in
person or by phone;

May 15th, 2003, 13:00 Pacific Time, by phone conference call

6. The meeting schedule for the year following the formation of the TC,
or until the projected date of the final deliverable, whichever comes first;

After the first meeting on May 15, 2003, subsequent meetings will be
held on the third Thursday of every month at 13:00 Pacific time, by
conference call.

7. Names, electronic mail addresses, and membership affiliations of at
least three Eligible Persons committed to the stated meeting schedule;

- Carl Banzhof, cbanzhof@citadel.com, Citadel Security Software, Inc.
- Jan Bialkowski, jan@netcontinuum.com, NetContinuum, Inc.
- Kevin Heineman, kheineman@spidynamics.com, SPI Dynamics

8. Name of the TC chair;

The TC will be co-chaired by (in alphabetical order):
- Jan Bialkowski, CTO, NetContinuum, Inc.
- Kevin Heineman, VP of Engineering, SPI Dynamics, Inc.

9. Names of phone meeting sponsors, if any;

Co-chairs from NetContinuum and SPI Dynamics. Call in numbers to be posted.

10. Names of face-to-face meeting sponsors, if any.

None scheduled

