Re: [was] RE: [members] OASIS TC Call for Participation: Web Application Security TC

["Mark Curphey" <mark@curphey.com>]

Hi Andrea,

Thanks for the mail. I will set up a conference call to discuss. I will
contact you about proposed times shortly.

Thanks

Mark
----- Original Message ----- 
From: "Andrea Westerinen" <andreaw@cisco.com>
To: <karl.best@oasis-open.org>; <was@lists.oasis-open.org>
Cc: <wg-secpam@dmtf.org>
Sent: Wednesday, May 14, 2003 3:50 PM
Subject: [was] RE: [members] OASIS TC Call for Participation: Web
Application Security TC


> Resending - had an email failure on the was list.
> Andrea
>
> -----Original Message-----
> From: Andrea Westerinen [mailto:andreaw@cisco.com]
> Sent: Wednesday, May 14, 2003 12:38 PM
> To: 'karl.best@oasis-open.org'; 'was@lists.oasis-open.org'
> Cc: 'wg-secpam@dmtf.org'
> Subject: RE: [members] OASIS TC Call for Participation: Web Application
> Security TC
>
>
> Karl and WAS-XML team members,
> I have joined the WAS TC and am very interested in its work. I would
> like to suggest synergy and a liaison between this group and the DMTF's
> (Distributed Management Task Force's) Security Protection and Management
> working group (aka SPAM).  The SPAM WG is pursuing similar goals.  Its
> charter is attached.
>
> Andrea
>
> -----Original Message-----
> From: Karl F. Best [mailto:karl.best@oasis-open.org]
> Sent: Tuesday, May 13, 2003 5:49 AM
> To: members@lists.oasis-open.org; tc-announce@lists.oasis-open.org;
> xml-dev@lists.xml.org; was@lists.oasis-open.org
> Subject: [members] OASIS TC Call for Participation: Web Application
> Security TC
>
>
> A new OASIS technical committee is being formed. The OASIS Web
> Application Security Technical Committee (WAS TC) has been proposed by
> the following members of OASIS: Steven Taylor, Bank of America; Martin
> Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the
> following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole,
> Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins,
> Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel
> Lawrence, and Andrew Jacquith.
>
> The proposal for a new TC meets the requirements of the OASIS TC Process
>
> (see http://oasis-open.org/committees/process.shtml), and is appended to
>
> this message. The proposal, which includes a statement of purpose, list
> of deliverables, and proposed schedule, will constitute the TC's
> charter. The TC Process allows these items to be clarified (revised) by
> the TC members; such clarifications (revisions), as well as submissions
> of technology for consideration by the TC and the beginning of technical
>
> discussions, may occur no sooner than the TC's first meeting.
>
> As specified by the OASIS TC Process, the requirements for becoming a
> member of the TC are that you must 1) be an employee of an OASIS member
> organization or an Individual member of OASIS; 2) notify the TC chair of
>
> your intent to participate at least 15 days prior to the first meeting;
> and 3) attend the first meeting of the TC.
>
> For OASIS members, to sign up for the TC using the new OASIS
> collaborative tools, go to the TC's public page at
> http://www.oasis-open.org/committees/was and click on the button for
> "Join This TC" at the top of the page. You may add yourself to the
> roster of the TC either as a Prospective Member (if you intend to become
>
> a member of the TC) or an Observer. A notice will automatically be sent
> to the TC chair, which fulfills requirement #2 above. You must sign up
> for membership at least 15 days before the first meeting and must attend
>
>   the first meeting of the TC in order to become a member.
>
> Note that membership in OASIS TCs is by individual, and not by
> organization.
>
> For non-OASIS members, a public comment list
> was-comment@lists.oasis-open.org is available for the public to make
> comments on the work of this TC; the public may subscribe to this list
> by going to the mail list web page at
> http://lists.oasis-open.org/ob/adm.pl.
>
> The archives of the TC's private and comment mail lists are visible to
> the public at http://lists.oasis-open.org/archives/
>
> Further information about this topic may be found on the Cover Pages
> under the topic of "Application Security" at
> http://xml.coverpages.org/appSecurity.html
>
>
> -Karl
>
> =================================================================
> Karl F. Best
> Vice President, OASIS
> office  +1 978.667.5115 x206     mobile +1 978.761.1648
> karl.best@oasis-open.org      http://www.oasis-open.org
>
>
> OASIS Proposal for WAS-XML
>
> Name of the TC
>
> The name of the technical committee will be WAS-XML (Web Application
> Security XML).
>
> Statement of Purpose
>
> Like many other parts of the IT industry, the information security
> industry has grown extremely fast with few standards bodies and often
> little co-operation and co-ordination between vendors and the user
> community.
>
> When security researchers and software vendors publish security
> advisories, they usually do so in an ambiguous textual form or embed the
>
> data into a proprietary data file that only works with their own
> proprietary security tools.  The same vulnerability can be (and often
> is) described in several different ways, using different language and
> context, quantifying the impact and threat and therefore the risk in
> different ways and with different ratings assessments. This textual data
>
> can also not be used to provide automated immediate protection by web
> security assessment and intrusion protection tools.
>
> The WAS-XML technical committee will produce;
>
> - a classification scheme for web security vulnerabilities
> - a model to provide guidance for initial threat, impact and therefore
> risk ratings
> - an XML schema to describe web security conditions that can be used by
> both assessment and protection tools
>
> The technical committee will unite industry consensus and provide
> standards from which vendors and users will benefit. It will leverage
> and extend the work of the OWASP VulnXML project that has been
> established for over a year.  The existing VulnXML work is being given
> to OASIS as part of this proposal.
>
> We will liaise with the OASIS AVDL TC whose mission is to develop
> communication protocols for application security tools to integrate.
> There is a clear distinction between the  description of the data and
> the subsequent inter-technology communication of it and given the
> substantial work and thought already undertaken, the WAS-XML TC will
> leverage that and focus on the data portion of this problem.  The
> proposers of this TC anticipate that the AVDL specification will consume
>
> WAS-XML data.
>
> List of Deliverables
>
> - Web Security Classification Scheme - within 12 weeks of TC formation
> - Web Security Risk Ranking Model - within 16 weeks of TC formation
> - WAS-XML Schema (fully documented) - within 24weeks of TC formation
> - WAS-XML Developers Guide - within 24 weeks of TC formation
> - WAS-XML Overview for Security Researchers and Software Vendors -
> within 24 weeks of TC formation
>
> Language
>
> This TC will conduct its business in English.
>
> Date and time of first meeting
>
> The first meeting will be help on July 3rd, 2003 at 12pm ET via
> teleconference in English.
>
> Meeting Schedule
>
> This technical committee will hold teleconference calls every two weeks
> on Fridays at 10am EST.  It is proposed to hold a face to face meeting
> in September in Washington DC.
>
> Proposers
>
> Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
> Martin Nystrom - Cisco - (mnystrom@cisco.com)
> William Hau - IBM (whau@uk.ibm.com)
> Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
> Yuval Ben-Itzak - Individual - (yuval@kavado.com)
> Phil Brass - Individual - (pbrass@iss.net)
> Dave Cole - Individual - (dave.cole@foundstone.com)
> Mark Curphey - Individual (mark.curphey@watchfire.com)
> Rogan Dawes - Individual (rdawes@deloitte.co.za)
> David Endler - Individual - (dendler@idefense.com)
> Jeremy Poteet - Individual (jpoteet@tech-partners.com)
> Kerry Rollins - Individual - (kerry.Rollins@ey.com)
> Tim Smith - Individual (tim.smith@alphawest.com.au)
> Jeff Williams - Individual (jeff.williams@aspectsecurity.com)
> David Raphael - Individual - (david.raphael@ericsson.com)
> Jason Childers - Individual (childers_j@yahoo.com)
> Gabriel Lawrence - Individual (gabe@ucsd.edu)
> Andrew Jacquith - Individual (ajaquith@atstake.com)
>
> Chair
>
> The Chair will be Mark Curphey (mark.curphey@watchfire.com).
>
> Telephone meeting sponsors
>
> The telephone meeting sponsor will be OWASP.
>
> Face to Face meeting sponsors
>
> The face to face meeting sponsor will be OWASP.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: members-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: members-help@lists.oasis-open.org
>