News

OASIS claims XML security standard

• By Rich Seeley
• April 16, 2003

Developing an XML standard to provide communications between security products monitoring Web applications is the objective of Application Vulnerability Description Language (AVDL), according to its proponents.

At this week's RSA Conference in San Francisco, application security vendors NetContinuum (http://www.netcontinuum.com), SPI Dynamics (http://www.spidynamics.com), Citadel Security Software Inc. (http://www.citadel.com), GuardedNet Inc. (http://www.guarded.net), and Teros (http://www.teros.com) announced the new standards effort, which will be managed by the OASIS (http://www.oasis-open.org) standards consortium.

AVDL will use XML to define, categorize and classify application vulnerabilities so that information can be shared by security products from initial development through the ongoing maintenance phase, according to the vendors.

"What we are attempting to do is define a standard for communication between the various point solutions that are out there to bring it all together into a complete application security life cycle," said Brian Cohen, CEO at SPI Dynamics.

The application layer is not well covered by security products developed during the past 15 years for the enterprise network environment, according to Wes Wasson, chief strategy officer at NetContinuum. As Web services applications are developed, they will be increasingly vulnerable to hacking and other security threats, including carelessness and errors, he added.

"You have environments where, from a security perspective, you can have Web developers and designers uploading, modifying applications and exposing directories on an ongoing basis with very little thought or even knowledge of the security impact," Wasson told XML eport. "There's obviously far more room for error at the application layer."

As Web services transport data via HTTP, applications will be the weak link in the security chain, Wasson said.

"The thing we're seeing on the horizon is that the move to a world where far more information will be transported over HTTP -- most notably in XML Web services -- and the infrastructure for Web services is kind of getting baked into all the platforms we run our apps on. [This means] the exposure for application layer threats will ratchet up again," he said. "Because then it becomes easier for hackers and folks writing worms to disguise even more traditional threats inside SOAP wrappers."

When approved by OASIS, AVDL would become part of application development and QA tools, added SPI Dynamics' Cohen.

"I believe that over time it's going to become more of a requirement for developers to have some awareness of security and to build more secure apps," Cohen told XML Report. "As they do that, they'll need their tools to support them. If their tool has the capability to do unit assessment of security and to provide that information back to developers so they can take corrective action, it would awfully nice if it could be done in such a way that it could communicate with the QA tool being used in that organization so that it can be aware of vulnerabilities as they are discovered and make sure that vulnerability is checked for in the test plan."

The first meeting of the full OASIS Technical Committee for AVDL has been scheduled for May 15, 2003, according to the vendors introducing the standard. The announced schedule calls for the first candidate AVDL specification to be posted for comment by the third quarter of this year, with a final AVDL 1.0 specification posted by the end of 2003. Additional information on AVDL is available at http://www.avdl.org, while additional information on OASIS is available at http://www.oasis-open.org.