Re: WAS-XML

["Mark Curphey" <mark () curphey com>]

I think I would characterize the two efforts as complimentary not
competitive.

The WAS-XML proposers are more focused (biased) on the source data
description portion of the problem and AVDL (as I understand it) is more
focused in the communications part of the problem. WAS-XML is essentially
extending and formalizing the OWASP VulnXML work that started over a year
ago.

AVDL and WAS-XML will work together to ensure there is a synergy and we are
already starting those discussions. I would imagine (and hope) that at some
point in the future the two become very tightly coupled.

----- Original Message ----- 
From: "Ken Kousky" <kkousky () ip3inc com>
To: "'Kevin Heineman'" <kheineman () spidynamics com>;
<webappsec () securityfocus com>
Sent: Wednesday, May 14, 2003 1:17 PM
Subject: RE: WAS-XML


> Kevin  - thanks for your posting. I was quite confused between AVDL and
> WAS-XML and I guess I still am unclear as to who's on first.
> Is there a clear distinction between the objectives of the two
> committees?
>
> KWK
>
> -----Original Message-----
> From: Kevin Heineman [mailto:kheineman () spidynamics com]
> Sent: Wednesday, May 14, 2003 11:03 AM
> To: webappsec () securityfocus com
> Subject: Re: WAS-XML
>
> In-Reply-To: <200305141245.IAA28700 () bellerophon cnchost com>
>
> A month or so ago there was a thread about a new standards committee
> within OASIS called Application Vulnerability Description Language
> (AVDL).  This committee was created to create a uniform way of
> describing
> web application security vulnerabilities. The AVDL technical committee
> is
> working to create a standard XML definition (AVDL) to facilitate the
> exchange of information relating to web application security
> vulnerabilities between security related products.  Examples of some
> products that may take advantage of AVDL are vulnerability assessment
> tools, application security gateways, reporting tools, correlation
> systems, remediation tools.
>
> The WAS-XML committee has been chartered with a similar purpose.  I
> think
> it is great that so much attention is being focused on our industry.  I
> envision that the two committees must work together to develop a uniform
>
> standard for the industry.  I encourage those of you who are members of
> OASIS to join both committees.  This will help ensure there is open
> communication between the committees and that they complement each
> other.
>
> Kevin Heineman
> Co-Chair AVDL Technical Committee
> Vice President of Engineering
> SPI Dynamics
>
>
>
>
>
> > Received: (qmail 19935 invoked from network); 14 May 2003 12:33:06
> -0000
> > Received: from outgoing3.securityfocus.com (205.206.231.27)
> >  by mail.securityfocus.com with SMTP; 14 May 2003 12:33:06 -0000
> > Received: from lists.securityfocus.com (lists.securityfocus.com
> [205.206.231.19])
> > by outgoing3.securityfocus.com (Postfix) with QMQP
> > id 2FD8EA3123; Wed, 14 May 2003 06:40:11 -0600 (MDT)
> > Mailing-List: contact webappsec-help () securityfocus com; run by ezmlm
> > Precedence: bulk
> > List-Id: <webappsec.list-id.securityfocus.com>
> > List-Post: <mailto:webappsec () securityfocus com>
> > List-Help: <mailto:webappsec-help () securityfocus com>
> > List-Unsubscribe: <mailto:webappsec-unsubscribe () securityfocus com>
> > List-Subscribe: <mailto:webappsec-subscribe () securityfocus com>
> > Delivered-To: mailing list webappsec () securityfocus com
> > Delivered-To: moderator for webappsec () securityfocus com
> > Received: (qmail 22778 invoked from network); 14 May 2003 12:21:50
> -0000
> > Message-ID: <200305141245.IAA28700 () bellerophon cnchost com>
> > Errors-To: <mark () curphey com>
> > From: Mark Curphey <mark () curphey com>
> > To: <webappsec () securityfocus com>
> > Reply-To: mark () curphey com
> > Subject: WAS-XML
> > Date: Wed, 14 May 2003 08:45:48 -0400 (EST)
> > In-Reply-To:
> > MIME-Version: 1.0
> > ReplyTo: mark () curphey com
> > Content-Type: text/plain
> > Content-Transfer-Encoding: 7bit
> > Content-Disposition: inline
> >
> > I just wanted to let you all know about a new Technical Commitee that I
>
> am chairing that has been formed at OASIS (http://www.oasis-open.org).
> > Web Application Security XML (WAS-XML)
> > The original Call For Participation for this TC may be found at
> http://lists.oasis-open.org/archives/tc-announce/200305/msg00002.html
> > The charter for this TC is as follows.
> >
> > Name
> >
> > OASIS Web Application Security XML (WAS-XML) Technical Committee
> >
> > Statement of Purpose
> >
> > Like many other parts of the IT industry, the information security
> industry has grown extremely fast with few standards bodies and often
> little co-operation and co-ordination between vendors and the user
> community.
> > When security researchers and software vendors publish security
> advisories, they usually do so in an ambiguous textual form or embed the
>
> data into a proprietary data file that only works with their own
> proprietary security tools. The same vulnerability can be (and often is)
>
> described in several different ways, using different language and
> context,
> quantifying the impact and threat and therefore the risk in different
> ways
> and with different ratings assessments. This textual data can also not
> be
> used to provide automated immediate protection by web security
> assessment
> and intrusion protection tools.
> > The WAS-XML technical committee will produce;
> >
> > a classification scheme for web security vulnerabilities
> > a model to provide guidance for initial threat, impact and therefore
> risk
> ratings
> > an XML schema to describe web security conditions that can be used by
> both assessment and protection tools
> > The technical committee will unite industry consensus and provide
> standards from which vendors and users will benefit. It will leverage
> and
> extend the work of the OWASP VulnXML project that has been established
> for
> over a year. The existing VulnXML work is being given to OASIS as part
> of
> this proposal.
> > We will liaise with the OASIS AVDL TC whose mission is to develop
> communication protocols for application security tools to integrate.
> There
> is a clear distinction between the description of the data and the
> subsequent inter-technology communication of it and given the
> substantial
> work and thought already undertaken, the WAS-XML TC will leverage that
> and
> focus on the data portion of this problem. The proposers of this TC
> anticipate that the AVDL specification will consume WAS-XML data.
> > List of Deliverables
> >
> > Web Security Classification Scheme - within 12 weeks of TC formation
> > Web Security Risk Ranking Model - within 16 weeks of TC formation
> > WAS-XML Schema (fully documented) - within 24weeks of TC formation
> > WAS-XML Developers Guide - within 24 weeks of TC formation
> > WAS-XML Overview for Security Researchers and Software Vendors - within
>
> 24 weeks of TC formation
> > There is a public comments list for non-OASIS members at was-
> comment () lists oasis-open org
> >