XML security standard touted at show

[InfoSec News <isn () c4i org>]

http://www.nwfusion.com/news/2003/0411standorgan.html

By Paul Roberts
IDG News Service
04/11/03

A group of application security vendors affiliated with the
Organization for the Advancement of Structured Information Standards
(OASIS) will next week announce a proposal for an XML standard for
application vulnerabilities. The announcement will be made at the RSA
Conference being held in San Francisco.

The group, made up of Citadel Security Software, GuardedNet,
NetContinuum, SPI Dynamics and Teros, is promoting the development of
the Application Vulnerability Description Language (AVDL), which is
intended to standardize information about application vulnerabilities,
enabling different products to share vulnerability information in a
heterogenous network environment, according to a statement released by
the five companies.

The AVDL group submitted its idea to OASIS for study. In turn, OASIS
has created a technical committee to develop an XML definition for
exchanging information on the security vulnerabilities of applications
exposed to networks.

A draft specification from the AVDL Technical Committee is scheduled
for September, with a final specification due in December, according
to OASIS.

If widely adopted, the AVDL standards will enable customers to deploy
diverse "best of breed" security technology to protect their network
without having to sacrifice integration and interoperability,
according to Wes Wasson, chief security strategy officer at
NetContinuum.

Though initially intended to foster interoperability among the
products of the five sponsoring companies, AVDL has the potential to
be adopted by additional product platforms and to move further up the
development chain, according to Brian Cohen, CEO of SPI Dynamics.

AVDL backers hope that development platform vendors and OASIS members
such as Microsoft, BEA Systems and IBM will join the AVDL Technical
Committee and help shape the development of the AVDL standard so that
it can be easily integrated with their development environments,
according to Cohen.

Asked about the potential of resistance from those large companies, or
from companies that are wary of more standards, Wasson and Cohen said
that demand from their customers was driving them to promote the AVDL
standard.

"Customers are drowning in the complexity of the application security
problem," Wasson said. "Our customers are driving this. They see it as
a real business solution to real business problems."

Also at the conference, the Information Security Systems Association
(ISSA) is making what it calls a "historic announcement." The group,
an international non-profit organization made up of information
security professionals and practitioners, will announce its intention
to take over and complete development of the Generally Accepted
Information Security Principles (GAISP).

The announcement is quite significant, according to Mike Rasmussen,
vice president of marketing for ISSA and an analyst at Forrester
Research.

"What GAAP (Generally Accepted Accounting Principles) is for the
accounting world, (GAISP) is trying to be for the security world,"  
Rasmussen said.

Originally formulated as the Generally Accepted System Security
Principles (GASSP) in response to Recommendation No. 1 of the 1990
U.S. National Research Council report, "Computers at Risk," the
standards were managed by the International Information Security
Foundation (IISF) and are based on other existing guidelines such as
those created by the Organization for Economic Cooperation and
Development, according to information provided by ISSA.

IISF published so-called "pervasive principles" in 1992 that provided
high-level recommendations on information security standards,
accountability and ethics to business executives. Despite updating
those principles again in 2002, the GASSP effort was flagging,
according to Rasmussen.

By taking over the project and renaming the standards to the GAISP,
ISSA hopes to breathe new life into the project.

The ISSA hopes to finish specific management guidelines and tactics
for CIOs and chief information security officers that build on a set
of pervasive principles. It will follow those with detailed principles
that recommend activities for risk management and step-by-step
instructions for IT staff.

In addition, ISSA will be working to bring the GAISP standards in line
with ISO 17799 standards, which many companies are using to guide
their security architectures, according to Rasmussen.

The GAISP project will be a massive undertaking, intended to provide
security administrators with a single security framework that they can
use to measure compliance with a wide range of international security
standards and regulations, in addition to specific steps that can be
followed to achieve and maintain compliance.

If successful, the GAISP project could help stem the confusion
concerning security management, according to Rasmussen.

"Information security is becoming like OSHA," Rasmussen said,
referring to the notoriously complicated rules of the U.S.  
Occupational Safety and Health Administration. "It's a management
nightmare. These are practical standards for building and managing
information security."

RSA will be the "formal kickoff" of the project, according to
Rasmussen.

"We want to communicate a message to let people know that we are
working," he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.