WebApp Sec mailing list archives

RE: WAS-XML


From: "Ken Kousky" <kkousky () ip3inc com>
Date: Wed, 14 May 2003 13:17:02 -0400

Kevin - thanks for your posting. I was quite confused between AVDL and
WAS-XML and I guess I still am unclear as to who's on first.
Is there a clear distinction between the objectives of the two
committees?

KWK

-----Original Message-----
From: Kevin Heineman [mailto:kheineman () spidynamics com] 
Sent: Wednesday, May 14, 2003 11:03 AM
To: webappsec () securityfocus com
Subject: Re: WAS-XML

In-Reply-To: <200305141245.IAA28700 () bellerophon cnchost com>

A month or so ago there was a thread about a new standards committee
within OASIS called Application Vulnerability Description Language
(AVDL). This committee was created to create a uniform way of describing
web application security vulnerabilities. The AVDL technical committee is
working to create a standard XML definition (AVDL) to facilitate the
exchange of information relating to web application security
vulnerabilities between security related products. Examples of some
products that may take advantage of AVDL are vulnerability assessment
tools, application security gateways, reporting tools, correlation
systems, remediation tools.

The WAS-XML committee has been chartered with a similar purpose. I think
it is great that so much attention is being focused on our industry. I
envision that the two committees must work together to develop a uniform
standard for the industry. I encourage those of you who are members of
OASIS to join both committees. This will help ensure there is open
communication between the committees and that they complement each
other.

Kevin Heineman
Co-Chair AVDL Technical Committee
Vice President of Engineering
SPI Dynamics





Message-ID: <200305141245.IAA28700 () bellerophon cnchost com>
From: Mark Curphey <mark () curphey com>
To: <webappsec () securityfocus com>
Reply-To: mark () curphey com
Subject: WAS-XML
Date: Wed, 14 May 2003 08:45:48 -0400 (EST)

I just wanted to let you all know about a new Technical Committee that I
am chairing that has been formed at OASIS (http://www.oasis-open.org).

Web Application Security XML (WAS-XML)
The original Call For Participation for this TC may be found at 
http://lists.oasis-open.org/archives/tc-announce/200305/msg00002.html

The charter for this TC is as follows.

Name

OASIS Web Application Security XML (WAS-XML) Technical Committee

Statement of Purpose

Like many other parts of the IT industry, the information security 
industry has grown extremely fast with few standards bodies and often 
little co-operation and co-ordination between vendors and the user 
community.

When security researchers and software vendors publish security
advisories, they usually do so in an ambiguous textual form or embed the
data into a proprietary data file that only works with their own
proprietary security tools. The same vulnerability can be (and often is)
described in several different ways, using different language and
context, quantifying the impact and threat and therefore the risk in
different ways and with different ratings assessments. This textual data
can also not be used to provide automated immediate protection by web
security assessment and intrusion protection tools.

The WAS-XML technical committee will produce:

- a classification scheme for web security vulnerabilities
- a model to provide guidance for initial threat, impact and therefore
  risk ratings
- an XML schema to describe web security conditions that can be used by
  both assessment and protection tools

The technical committee will unite industry consensus and provide
standards from which vendors and users will benefit. It will leverage
and extend the work of the OWASP VulnXML project that has been
established for over a year. The existing VulnXML work is being given to
OASIS as part of this proposal.

We will liaise with the OASIS AVDL TC whose mission is to develop
communication protocols for application security tools to integrate.
There is a clear distinction between the description of the data and the
subsequent inter-technology communication of it and given the
substantial work and thought already undertaken, the WAS-XML TC will
leverage that and focus on the data portion of this problem. The
proposers of this TC anticipate that the AVDL specification will consume
WAS-XML data.

List of Deliverables

- Web Security Classification Scheme - within 12 weeks of TC formation
- Web Security Risk Ranking Model - within 16 weeks of TC formation
- WAS-XML Schema (fully documented) - within 24 weeks of TC formation
- WAS-XML Developers Guide - within 24 weeks of TC formation
- WAS-XML Overview for Security Researchers and Software Vendors - within
  24 weeks of TC formation

There is a public comments list for non-OASIS members at
was-comment () lists oasis-open org