Application Vulnerability Description Language -- AVDL -- Ratified as OASIS Standard; Security Vulnerabilities for Web Services and Web Applications Addressed by New Standard.

BOSTON -- The OASIS international standards consortium today announced that its members have approved the Application Vulnerability Description Language (AVDL) version 1.0 as an OASIS Standard, a status that signifies the highest level of ratification. AVDL provides a standard method for exchanging information concerning security vulnerabilities within Web services and Web applications. "AVDL addresses the challenge of how businesses manage ongoing application security risk on a day-to-day basis," explained Gartner VP and analyst John Pescatore. "When you consider that upwards of 80 application vulnerabilities are announced each week, it's clear how significant this work is. By employing solutions based on the AVDL OASIS Standard, companies can reduce the threat they face from the moment a vulnerability is discovered to the time it takes them to first shield, then patch their systems." AVDL is already being implemented by companies and government agencies including the central security incident response organization for the United States Department of Energy (DOE) and National Nuclear Security Administration (NNSA), which plans to AVDL-enable its new Security Incident Response Portal.
"Prior to AVDL, network managers had to manually compare reports from application vulnerability assessments with their application firewall rules, patch management systems, and other information from event correlation engines. Then, they needed to take appropriate remediation steps and create firewall rules to secure their applications," said Kevin Heineman of SPI Dynamics, co-chair of the OASIS AVDL Technical Committee. "Now network managers can save valuable time by importing vulnerability assessment data from AVDL-compliant application scanners. Firewalls can configure appropriate rules, patch management software can provide automatic remediation, and event correlation products can include application-level vulnerability data in the organization's overall risk assessment picture. AVDL offers a welcome alternative to the labor-intensive job of eyeballing and rewriting scores of text alerts, freeing security administrators to focus on higher-level policy analysis." Jan Bialkowski of NetContinuum, co-chair of the OASIS AVDL Technical Committee, agreed, "Organizations are drowning in the flood of security bulletins and alerts while application vulnerability exploits are wreaking havoc on networks around the globe. AVDL offers an automated way to break this cycle by dramatically reducing the time between the discovery of a new vulnerability and the response time to block attacks at the security gateway. Since AVDL is an easy schema to implement, we hope to see rapid adoption, advancing the industry to an era where all security products can share and effectively utilize vulnerability data via AVDL." Participation in the OASIS AVDL Technical Committee remains open to all organizations and individuals, and OASIS hosts an open mail list for public comment.
"With the ratification of AVDL, we will now have the capability to provide interoperability between industry-leading network and application security technologies and our vulnerability management solutions. Large enterprise and government customers will benefit enormously from the greater flexibility and consistency for implementing security policies with a standard approach to managing vulnerability data," said Carl Banzhof, CTO, Citadel Security Software.

About OASIS

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, international consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 3,000 participants representing over 600 organizations and individual members in 100 countries. Approved OASIS Standards include CAP, DocBook, DSML, ebXML, SAML, SPML, UDDI, WSRP, WSS, XACML, and XCBF. http://www.oasis-open.org

Additional information:
OASIS AVDL Technical Committee http://www.oasis-open.org/committees/avdl
Cover Pages: Application Security http://xml.coverpages.org/appSecurity.html