RE: ADVL vs VulnXML

From: David Burton <dburton(at)netcontinuum.com>
Date: Wed Apr 02 2003 - 22:45:56 EST


Interested parties who are OASIS members, including those who are also OWASP members, are encouraged to review the charter and join if they are interested in shaping the direction of AVDL.

The TC charter contains all the relevant info to-date. The charter and the call for participation in this TC can be viewed at:

http://www.oasis-open.org/committees/avdl/charter.php

Dave Burton
NetContinuum, Inc.
www.netcontinuum.com

-----Original Message-----
From: Mark Curphey [mailto:mark@curphey.com]
Sent: Wednesday, April 02, 2003 5:46 PM
To: David Burton
Cc: securitydigest@hush.com; webappsec@securityfocus.com; cbanzof@citadel.com; jan@netcontinuum.com; kheineman@spidynamics.com; advl-comment@lists.oasis-open.org
Subject: RE: ADVL vs VulnXML

I am sure this will be an interesting format. All web application security initiatives are good for the industry in some way or another.

I am a little disappointed no one from OWASP was asked to join given the vision document for VulnXML is very similar in spirit to what seems to be being proposed and it was always an aim to take VulnXML to OASIS. I have mailed David directly to talk through that.

It will be very interesting to see the vendors that join as that is surely key to it being successful and of course if any copyrights are placed on the format.

Good luck, something else cool to watch ;-)

On Wed, 2003-04-02 at 15:08, David Burton wrote:
> AVDL is not intended to duplicate or replace any existing industry standard
> and should be entirely complementary to efforts like VulnXML. VulnXML
discovered
> in much the same way anti-virus researchers have been attempting to do for
> years. VulnXML attempts to add some of the detail needed to adequately
> describe application-layer vulnerabilities. The vendors proposing AVDL
> support VulnXML.
>
> We are proposing AVDL to address the broader business-oriented problem of
> how companies actually manage ongoing application security risk on a
> day-to-day basis. Managing application security risk in a highly dynamic
> environment can be an extraordinary challenge for security administrators.
> Fortunately, there are now a wide variety of best-of-breed products on the
> market to help companies with the task of discovering application
> vulnerabilities, blocking application-layer attacks, repairing vulnerable
> web sites, distributing patches and managing security events. Unfortunately,
> these products have no universal way to communicate with each other, making
> pragmatic management of this risk a highly manual, and often complex,
the
> full intent of the vendors proposing AVDL to repurpose any positive progress
> that has already been made by the security community to date.
running
> coming along so I hear. I hope this won't be a case of a few vendors
Received on Wed Apr 2 23:03:44 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT
