WebApp Sec mailing list archives

RE: ADVL vs VulnXML


From: "David Burton" <dburton () netcontinuum com>
Date: Wed, 2 Apr 2003 15:08:26 -0800

AVDL is not intended to duplicate or replace any existing industry standard
and should be entirely complementary to efforts like VulnXML. VulnXML
focuses on creating more uniform ways for security researchers to describe
and classify specific new vulnerabilities when they are initially discovered
in much the same way anti-virus researchers have been attempting to do for
years. VulnXML attempts to add some of the detail needed to adequately
describe application-layer vulnerabilities. The vendors proposing AVDL
support VulnXML.

We are proposing AVDL to address the broader business-oriented problem of
how companies actually manage ongoing application security risk on a
day-to-day basis. Managing application security risk in a highly dynamic
environment can be an extraordinary challenge for security administrators.
Fortunately, there are now a wide variety of best-of-breed products on the
market to help companies with the task of discovering application
vulnerabilities, blocking application-layer attacks, repairing vulnerable
web sites, distributing patches and managing security events. Unfortunately,
these products have no universal way to communicate with each other, making
pragmatic management of this risk a highly manual, and often complex,
process. 

The goal of AVDL is to help companies begin managing the full application
security lifecycle by providing a more uniform way of communicating
application security vulnerabilities, policies and events via XML. It is the
full intent of the vendors proposing AVDL to repurpose any positive progress
that has already been made by the security community to date.

Dave Burton
NetContinuum, Inc.
www.netcontinuum.com

-----Original Message-----
From: securitydigest () hush com [mailto:securitydigest () hush com] 
Sent: Wednesday, April 02, 2003 1:47 PM
To: webappsec () securityfocus com
Cc: cbanzof () citadel com; jan () netcontinuum com; kheineman () spidynamics com;
advl-comment () lists oasis-open org
Subject: ADVL vs VulnXML


I just noticed on OASIS the newly proposed Application Vulnerability
Description Language.

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl

How does this differ from OWASP VulnXML (http://www.owasp.org/vulnxml/)?

I don't see anyone from OWASP on the committee which is kinda interesting
given they invented the concept over a year ago and have a database running
coming along so I hear. I hope this won't be a case of a few vendors
trying to take thought leadership for something the open source community
has already done!


