Subject: Re: [was] RE: [members] OASIS TC Call for Participation: Web Application Security TC

Hi Andrea,

Thanks for the mail. I will set up a conference call to discuss. I will
contact you about proposed times shortly.


----- Original Message ----- 
From: "Andrea Westerinen" <andreaw@cisco.com>
To: <karl.best@oasis-open.org>; <was@lists.oasis-open.org>
Cc: <wg-secpam@dmtf.org>
Sent: Wednesday, May 14, 2003 3:50 PM
Subject: [was] RE: [members] OASIS TC Call for Participation: Web
Application Security TC

> Resending - had an email failure on the was list.
> Andrea
> -----Original Message-----
> From: Andrea Westerinen [mailto:andreaw@cisco.com]
> Sent: Wednesday, May 14, 2003 12:38 PM
> To: 'karl.best@oasis-open.org'; 'was@lists.oasis-open.org'
> Cc: 'wg-secpam@dmtf.org'
> Subject: RE: [members] OASIS TC Call for Participation: Web Application
> Security TC
> Karl and WAS-XML team members,
> I have joined the WAS TC and am very interested in its work. I would
> like to suggest synergy and a liaison between this group and the DMTF's
> (Distributed Management Task Force's) Security Protection and Management
> working group (aka SPAM).  The SPAM WG is pursuing similar goals.  Its
> charter is attached.
> Andrea
> -----Original Message-----
> From: Karl F. Best [mailto:karl.best@oasis-open.org]
> Sent: Tuesday, May 13, 2003 5:49 AM
> To: members@lists.oasis-open.org; tc-announce@lists.oasis-open.org;
> xml-dev@lists.xml.org; was@lists.oasis-open.org
> Subject: [members] OASIS TC Call for Participation: Web Application
> Security TC
> A new OASIS technical committee is being formed. The OASIS Web
> Application Security Technical Committee (WAS TC) has been proposed by
> the following members of OASIS: Steven Taylor, Bank of America; Martin
> Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the
> following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole,
> Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins,
> Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel
> Lawrence, and Andrew Jacquith.
> The proposal for a new TC meets the requirements of the OASIS TC Process
> (see http://oasis-open.org/committees/process.shtml), and is appended to
> this message. The proposal, which includes a statement of purpose, list
> of deliverables, and proposed schedule, will constitute the TC's
> charter. The TC Process allows these items to be clarified (revised) by
> the TC members; such clarifications (revisions), as well as submissions
> of technology for consideration by the TC and the beginning of technical
> discussions, may occur no sooner than the TC's first meeting.
> As specified by the OASIS TC Process, the requirements for becoming a
> member of the TC are that you must 1) be an employee of an OASIS member
> organization or an Individual member of OASIS; 2) notify the TC chair of
> your intent to participate at least 15 days prior to the first meeting;
> and 3) attend the first meeting of the TC.
> For OASIS members, to sign up for the TC using the new OASIS
> collaborative tools, go to the TC's public page at
> http://www.oasis-open.org/committees/was and click on the button for
> "Join This TC" at the top of the page. You may add yourself to the
> roster of the TC either as a Prospective Member (if you intend to become
> a member of the TC) or an Observer. A notice will automatically be sent
> to the TC chair, which fulfills requirement #2 above. You must sign up
> for membership at least 15 days before the first meeting and must attend
> the first meeting of the TC in order to become a member.
> Note that membership in OASIS TCs is by individual, and not by
> organization.
> For non-OASIS members, a public comment list
> was-comment@lists.oasis-open.org is available for the public to make
> comments on the work of this TC; the public may subscribe to this list
> by going to the mail list web page at
> http://lists.oasis-open.org/ob/adm.pl.
> The archives of the TC's private and comment mail lists are visible to
> the public at http://lists.oasis-open.org/archives/
> Further information about this topic may be found on the Cover Pages
> under the topic of "Application Security" at
> http://xml.coverpages.org/appSecurity.html
> -Karl
> =================================================================
> Karl F. Best
> Vice President, OASIS
> office  +1 978.667.5115 x206     mobile +1 978.761.1648
> karl.best@oasis-open.org      http://www.oasis-open.org
> OASIS Proposal for WAS-XML
> Name of the TC
> The name of the technical committee will be WAS-XML (Web Application
> Security XML).
> Statement of Purpose
> Like many other parts of the IT industry, the information security
> industry has grown extremely fast with few standards bodies and often
> little co-operation and co-ordination between vendors and the user
> community.
> When security researchers and software vendors publish security
> advisories, they usually do so in an ambiguous textual form or embed the
> data into a proprietary data file that only works with their own
> proprietary security tools.  The same vulnerability can be (and often
> is) described in several different ways, using different language and
> context, quantifying the impact and threat and therefore the risk in
> different ways and with different ratings assessments. This textual data
> can also not be used to provide automated immediate protection by web
> security assessment and intrusion protection tools.
> The WAS-XML technical committee will produce:
> - a classification scheme for web security vulnerabilities
> - a model to provide guidance for initial threat, impact and therefore
> risk ratings
> - an XML schema to describe web security conditions that can be used by
> both assessment and protection tools
> The technical committee will unite industry consensus and provide
> standards from which vendors and users will benefit. It will leverage
> and extend the work of the OWASP VulnXML project that has been
> established for over a year.  The existing VulnXML work is being given
> to OASIS as part of this proposal.
> We will liaise with the OASIS AVDL TC whose mission is to develop
> communication protocols for application security tools to integrate.
> There is a clear distinction between the description of the data and
> the subsequent inter-technology communication of it and given the
> substantial work and thought already undertaken, the WAS-XML TC will
> leverage that and focus on the data portion of this problem.  The
> proposers of this TC anticipate that the AVDL specification will consume
> WAS-XML data.
> List of Deliverables
> - Web Security Classification Scheme - within 12 weeks of TC formation
> - Web Security Risk Ranking Model - within 16 weeks of TC formation
> - WAS-XML Schema (fully documented) - within 24 weeks of TC formation
> - WAS-XML Developers Guide - within 24 weeks of TC formation
> - WAS-XML Overview for Security Researchers and Software Vendors -
> within 24 weeks of TC formation
> Language
> This TC will conduct its business in English.
> Date and time of first meeting
> The first meeting will be held on July 3rd, 2003 at 12pm ET via
> teleconference in English.
> Meeting Schedule
> This technical committee will hold teleconference calls every two weeks
> on Fridays at 10am EST.  It is proposed to hold a face to face meeting
> in September in Washington DC.
> Proposers
> Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
> Martin Nystrom - Cisco - (mnystrom@cisco.com)
> William Hau - IBM (whau@uk.ibm.com)
> Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
> Yuval Ben-Itzak - Individual - (yuval@kavado.com)
> Phil Brass - Individual - (pbrass@iss.net)
> Dave Cole - Individual - (dave.cole@foundstone.com)
> Mark Curphey - Individual (mark.curphey@watchfire.com)
> Rogan Dawes - Individual (rdawes@deloitte.co.za)
> David Endler - Individual - (dendler@idefense.com)
> Jeremy Poteet - Individual (jpoteet@tech-partners.com)
> Kerry Rollins - Individual - (kerry.Rollins@ey.com)
> Tim Smith - Individual (tim.smith@alphawest.com.au)
> Jeff Williams - Individual (jeff.williams@aspectsecurity.com)
> David Raphael - Individual - (david.raphael@ericsson.com)
> Jason Childers - Individual (childers_j@yahoo.com)
> Gabriel Lawrence - Individual (gabe@ucsd.edu)
> Andrew Jacquith - Individual (ajaquith@atstake.com)
> Chair
> The Chair will be Mark Curphey (mark.curphey@watchfire.com).
> Telephone meeting sponsors
> The telephone meeting sponsor will be OWASP.
> Face to Face meeting sponsors
> The face to face meeting sponsor will be OWASP.