Kevin - thanks for your posting. I was quite confused between AVDL and
WAS-XML and I guess I still am unclear as to who's on first.
Is there a clear distinction between the objectives of the two
committees?
KWK
-----Original Message-----
From: Kevin Heineman [mailto:kheineman@spidynamics.com]
Sent: Wednesday, May 14, 2003 11:03 AM
To: webappsec@securityfocus.com
Subject: Re: WAS-XML
In-Reply-To: <200305141245.IAA28700@bellerophon.cnchost.com>
A month or so ago there was a thread about a new standards committee
within OASIS called Application Vulnerability Description Language
(AVDL). This committee was created to create a uniform way of describing
web application security vulnerabilities. The AVDL technical committee is
working to create a standard XML definition (AVDL) to facilitate the
exchange of information relating to web application security
vulnerabilities between security related products. Examples of some
products that may take advantage of AVDL are vulnerability assessment
tools, application security gateways, reporting tools, correlation
systems and remediation tools.
The WAS-XML committee has been chartered with a similar purpose. I think
it is great that so much attention is being focused on our industry. I
envision that the two committees must work together to develop a uniform
standard for the industry. I encourage those of you who are members of
OASIS to join both committees. This will help ensure there is open
communication between the committees and that they complement each
other.
Kevin Heineman
Co-Chair AVDL Technical Committee
Vice President of Engineering
SPI Dynamics
>am chairing that has been formed at OASIS (http://www.oasis-open.org).
>
>Web Application Security XML (WAS-XML)
>The original Call For Participation for this TC may be found at
>http://lists.oasis-open.org/archives/tc-announce/200305/msg00002.html
>The charter for this TC is as follows.
>industry has grown extremely fast with few standards bodies and often
>little co-operation and co-ordination between vendors and the user
>community.
>
>When security researchers and software vendors publish security
>advisories, they usually do so in an ambiguous textual form or embed the
>data into a proprietary data file that only works with their own
>proprietary security tools. The same vulnerability can be (and often is)
>described in several different ways, using different language and
>context, quantifying the impact and threat and therefore the risk in
>different ways and with different ratings assessments. This textual data
>can also not be used to provide automated immediate protection by web
>security assessment and intrusion protection tools.
>
>The WAS-XML technical committee will produce;
>risk ratings
>an XML schema to describe web security conditions that can be used by
>both assessment and protection tools
>The technical committee will unite industry consensus and provide
>standards from which vendors and users will benefit. It will leverage
>and extend the work of the OWASP VulnXML project that has been
>established for over a year. The existing VulnXML work is being given to
>OASIS as part of this proposal.
>
>We will liaise with the OASIS AVDL TC whose mission is to develop
>communication protocols for application security tools to integrate.
>There is a clear distinction between the description of the data and the
>subsequent inter-technology communication of it and given the
>substantial work and thought already undertaken, the WAS-XML TC will
>leverage that and focus on the data portion of this problem. The
>proposers of this TC anticipate that the AVDL specification will consume
>WAS-XML data.
>
>List of Deliverables
>24 weeks of TC formation
>
>There is a public comments list for non-OASIS members at
>was-comment@lists.oasis-open.org
>
Received on Wed May 14 16:26:28 2003