[Debian-OASIS] Fwd: [OASIS members] AVDL specification submitted for OASIS Standard

Mark Johnson mrj@debian.org
Thu, 29 Apr 2004 18:27:05 -0400


----- Forwarded message from "Karl F. Best" <karl.best@oasis-open.org> -----
    Date: Thu, 29 Apr 2004 08:16:42 -0400
    From: "Karl F. Best" <karl.best@oasis-open.org>
Reply-To: karl.best@oasis-open.org
 Subject: [OASIS members] AVDL specification submitted for OASIS Standard
      To: members@lists.oasis-open.org, tc-announce@lists.oasis-open.org

OASIS members:

The OASIS Application Vulnerability Description Language (AVDL) TC has 
submitted the Application Vulnerability Description Language (AVDL) v1.0 
specification, which is an approved Committee Draft, for review and 
consideration for approval by OASIS members to become an OASIS Standard. 
The TC's submission is attached below.

In accordance with the OASIS Technical Process, the specification has 
already gone through a 30 day public review period. OASIS members now 
have until the 15th of the month to familiarize themselves with the 
submission. OASIS members should give their input on this question to 
the voting representative of their organization.

By the 16th of the month I will send out a Call For Vote to the voting 
representative of each OASIS member organization, who will have until 
the end of the month to cast their ballots on whether this Committee 
Draft should be approved as an OASIS Standard.

The normative TC Process for approval of Committee Drafts as OASIS 
Standards is found at 
http://www.oasis-open.org/committees/process.php#standard

Any statements related to the IPR of this specification are posted at 
http://www.oasis-open.org/committees/avdl/ipr.php

-Karl

=================================================================
Karl F. Best
Vice President, OASIS
office  +1 978.667.5115 x206     mobile +1 978.761.1648
karl.best@oasis-open.org      http://www.oasis-open.org



1. A formal specification that is a valid member of its type, together 
with appropriate documentation for the specification, both of which must 
be written using approved OASIS templates.

AVDL Committee Draft Specification Version 1.0
http://www.oasis-open.org/committees/download.php/6163/AVDL%20Specification_V1.pdf

AVDL XML Schema
http://www.oasis-open.org/committees/download.php/5065/avdl.xsd


2. A clear English-language summary of the specification.

The Application Vulnerability Description Language (AVDL) specification 
describes a standard XML format that allows entities (such as 
applications, organizations, or institutes) to communicate information 
regarding web application vulnerabilities. Simply said, AVDL is a 
security interoperability standard for creating a uniform method of 
describing application security vulnerabilities using XML.

With the growing adoption of web-based technologies, applications have 
become far more dynamic, with changes taking place daily or even hourly. 
Consequently, enterprises must deal with a constant flood of new 
security patches from their application and infrastructure vendors. To 
make matters worse, network-level security products do little to protect 
against vulnerabilities at the application level. To address this 
problem, enterprises today have deployed a host of best-of-breed 
security products to discover application vulnerabilities, block 
application-layer attacks, repair vulnerable web sites, distribute 
patches, and manage security events. Enterprises have come to view 
application security as a continuous lifecycle. Unfortunately, there is 
currently no standard way for the products these enterprises have 
implemented to communicate with each other, making the overall security 
management process far too manual, time-consuming, and error prone.

Enterprise customers are asking companies to provide products that 
interoperate. A consistent definition of application security 
vulnerabilities is a significant step towards that goal. AVDL fulfills 
this goal by providing an XML-based vulnerability assessment output that 
will be used to improve the effectiveness of attack prevention, event 
correlation, and remediation technologies.


3. A statement regarding the relationship of this specification to
similar work of other OASIS TCs or other standards developing organizations.

The AVDL Technical Committee would like to acknowledge earlier efforts 
in promotion of application vulnerabilities and standardization of their 
representation and interchange. Their work inspired many ideas 
incorporated into the AVDL standard.

The following works are related to AVDL:

    i. The Open Vulnerability Assessment Language developed at the Mitre 
Corporation "is the common language for security experts to discuss and 
agree upon technical details about how to check for the presence of a 
vulnerability on a computer system". Using SQL, OVAL queries are based 
on broadly recognized Common Vulnerabilities and Exposures (CVE) 
database and by "specifying logical conditions on the values of system 
characteristics and configuration attributes, OVAL queries characterize 
exactly which systems are susceptible to a given vulnerability."

    ii. VulnXML developed by the Open Web Application Security Project 
(OWASP) "could be used by automated assessment tools to test for known 
security issues". Closely related and also developed at OWASP was 
Application Security Attack Components or ASAC which "is a basic 
classification scheme of web application security issues. The aim of 
this project was to create a common language and a consensus 
understanding among the industry to describe the same issue in the same 
way." Their work continues at OASIS Web Application Security TC.


4. Certification by at least three OASIS member organizations that they 
are successfully using the specification consistently with the OASIS IPR 
Policy.

Citadel
http://lists.oasis-open.org/archives/avdl/200403/msg00012.html

NetContinuum
http://lists.oasis-open.org/archives/avdl/200403/msg00021.html

SPI Dynamics
http://lists.oasis-open.org/archives/avdl/200403/msg00011.html


5. An account of each of the comments/issues raised during the public 
review period, along with its resolution.

The document is located at
http://www.oasis-open.org/committees/download.php/5774/AVDL%20Public%20Review%20Comments.doc

It lists the comments received during the public review conducted from 6 
February to 8 March 2004, and their resolution. Note: only one comment 
was received during this period.


6. An account of and results of the voting to approve the 
specification as a Committee Draft.

Approval of the specification as a Committee Draft was 26 March 2004. 
The ballot results can be found at the following link:
http://www.oasis-open.org/committees/ballot.php?id=409&vr=1&ew=

Approval to submit the Committee Draft to OASIS membership for 
consideration as an OASIS standard. The ballot can be found at the 
following link:
http://www.oasis-open.org/committees/ballot.php?id=410&vr=1&ew=


7. An account of or pointer to votes and comments received in any 
earlier attempts to standardize substantially the same specification, 
together with the originating TC's response to each comment.

There have been no other attempts to standardize this specification to 
OASIS.


8. A pointer to the publicly visible comments archive for the 
originating TC.

AVDL TC List:
http://lists.oasis-open.org/archives/avdl/

AVDL TC Comment List:
http://lists.oasis-open.org/archives/avdl-comment/


9. A statement from the chair of the TC certifying that all members of 
the TC have been provided with a copy of the OASIS IPR Policy.

"All members of the Technical Committee have been provided with access 
to the OASIS IPR policy. An email was sent on March 4, 2004 to the 
members of the Technical Committee with a link to the policy. In 
addition, this submission complies with the requirements of the IPR policy."


10. Optionally, a pointer to any minority reports submitted by one or 
more TC members who did not vote in favor of approving the Committee 
Draft, or certification by the chair that no minority reports exist.

There are no minority reports to list with this specification.


Submitted by the TC chairs:
Kevin Heineman, kheineman@spidynamics.com
Jan Bialkowski, jan@netcontinuum.com




_______________________________________________________________
This email list is used solely by OASIS for official consortium
communications. Opt-out requests may be sent to
member_services@oasis-open.org, however, all members are strongly
encouraged to maintain a subscription to this list.

----- End forwarded message -----



____________________________________________________________
Mark Johnson      <mrj@debian.org>
Debian XML/SGML:  <http://debian-xml-sgml.alioth.debian.org>
Home Page:        <http://dulug.duke.edu/~mark/>
GPG fp: DBEA FA3C C46A 70B5 F120  568B 89D5 4F61 C07D E242