WebApp Sec mailing list archives
Re: WAS-XML
From: "Mark Curphey" <mark () curphey com>
Date: Wed, 14 May 2003 17:25:01 -0400
I think I would characterize the two efforts as complementary, not competitive. The WAS-XML proposers are more focused (biased) on the source data description portion of the problem and AVDL (as I understand it) is more focused on the communications part of the problem. WAS-XML is essentially extending and formalizing the OWASP VulnXML work that started over a year ago. AVDL and WAS-XML will work together to ensure there is a synergy and we are already starting those discussions. I would imagine (and hope) that at some point in the future the two become very tightly coupled.

----- Original Message -----
From: "Ken Kousky" <kkousky () ip3inc com>
To: "'Kevin Heineman'" <kheineman () spidynamics com>; <webappsec () securityfocus com>
Sent: Wednesday, May 14, 2003 1:17 PM
Subject: RE: WAS-XML
Kevin - thanks for your posting. I was quite confused between AVDL and WAS-XML and I guess I still am unclear as to who's on first. Is there a clear distinction between the objectives of the two committees?

KWK

-----Original Message-----
From: Kevin Heineman [mailto:kheineman () spidynamics com]
Sent: Wednesday, May 14, 2003 11:03 AM
To: webappsec () securityfocus com
Subject: Re: WAS-XML
In-Reply-To: <200305141245.IAA28700 () bellerophon cnchost com>

A month or so ago there was a thread about a new standards committee within OASIS called Application Vulnerability Description Language (AVDL). This committee was created to create a uniform way of describing web application security vulnerabilities. The AVDL technical committee is working to create a standard XML definition (AVDL) to facilitate the exchange of information relating to web application security vulnerabilities between security related products. Examples of some products that may take advantage of AVDL are vulnerability assessment tools, application security gateways, reporting tools, correlation systems, remediation tools.

The WAS-XML committee has been chartered with a similar purpose. I think it is great that so much attention is being focused on our industry. I envision that the two committees must work together to develop a uniform standard for the industry. I encourage those of you who are members of OASIS to join both committees. This will help ensure there is open communication between the committees and that they complement each other.
Kevin Heineman
Co-Chair AVDL Technical Committee
Vice President of Engineering
SPI Dynamics

Message-ID: <200305141245.IAA28700 () bellerophon cnchost com>
From: Mark Curphey <mark () curphey com>
To: <webappsec () securityfocus com>
Subject: WAS-XML
Date: Wed, 14 May 2003 08:45:48 -0400 (EST)

I just wanted to let you all know about a new Technical Committee that I am chairing that has been formed at OASIS (http://www.oasis-open.org).

Web Application Security XML (WAS-XML)

The original Call For Participation for this TC may be found at http://lists.oasis-open.org/archives/tc-announce/200305/msg00002.html

The charter for this TC is as follows.
Name

OASIS Web Application Security XML (WAS-XML) Technical Committee

Statement of Purpose

Like many other parts of the IT industry, the information security industry has grown extremely fast with few standards bodies and often little co-operation and co-ordination between vendors and the user community.

When security researchers and software vendors publish security advisories, they usually do so in an ambiguous textual form or embed the data into a proprietary data file that only works with their own proprietary security tools. The same vulnerability can be (and often is) described in several different ways, using different language and context, quantifying the impact and threat and therefore the risk in different ways and with different ratings assessments. This textual data can also not be used to provide automated immediate protection by web security assessment and intrusion protection tools.

The WAS-XML technical committee will produce:
- a classification scheme for web security vulnerabilities
- a model to provide guidance for initial threat, impact and therefore risk ratings
- an XML schema to describe web security conditions that can be used by both assessment and protection tools

The technical committee will unite industry consensus and provide standards from which vendors and users will benefit. It will leverage and extend the work of the OWASP VulnXML project that has been established for over a year. The existing VulnXML work is being given to OASIS as part of this proposal.

We will liaise with the OASIS AVDL TC whose mission is to develop communication protocols for application security tools to integrate. There is a clear distinction between the description of the data and the subsequent inter-technology communication of it and given the substantial work and thought already undertaken, the WAS-XML TC will leverage that and focus on the data portion of this problem.
The proposers of this TC anticipate that the AVDL specification will consume WAS-XML data.

List of Deliverables
- Web Security Classification Scheme - within 12 weeks of TC formation
- Web Security Risk Ranking Model - within 16 weeks of TC formation
- WAS-XML Schema (fully documented) - within 24 weeks of TC formation
- WAS-XML Developers Guide - within 24 weeks of TC formation
- WAS-XML Overview for Security Researchers and Software Vendors - within 24 weeks of TC formation

There is a public comments list for non-OASIS members at was-comment () lists oasis-open org