WAS-XML

From: Mark Curphey <mark(at)curphey.com>
Date: Wed May 14 2003 - 08:45:48 EDT


I just wanted to let you all know about a new Technical Committee that I am chairing that has been formed at OASIS (http://www.oasis-open.org).

Web Application Security XML (WAS-XML)
The original Call For Participation for this TC may be found at http://lists.oasis-open.org/archives/tc-announce/200305/msg00002.html

The charter for this TC is as follows.

Name

OASIS Web Application Security XML (WAS-XML) Technical Committee

Statement of Purpose

Like many other parts of the IT industry, the information security industry has grown extremely fast with few standards bodies and often little co-operation and co-ordination between vendors and the user community.

When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data can also not be used to provide automated immediate protection by web security assessment and intrusion protection tools.

The WAS-XML technical committee will produce:

a classification scheme for web security vulnerabilities
a model to provide guidance for initial threat, impact and therefore risk ratings
an XML schema to describe web security conditions that can be used by both assessment and protection tools

The technical committee will unite industry consensus and provide standards from which vendors and users will benefit. It will leverage and extend the work of the OWASP VulnXML project that has been established for over a year. The existing VulnXML work is being given to OASIS as part of this proposal.

We will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it and given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem. The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data.

List of Deliverables

Web Security Classification Scheme - within 12 weeks of TC formation
Web Security Risk Ranking Model - within 16 weeks of TC formation
WAS-XML Schema (fully documented) - within 24 weeks of TC formation
WAS-XML Developers Guide - within 24 weeks of TC formation 
WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation

There is a public comments list for non-OASIS members at was-comment@lists.oasis-open.org

Received on Wed May 14 08:47:16 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:50 EDT

