Uploaded image for project: 'OASIS Common Security Advisory Framework (CSAF) TC'
  1. OASIS Common Security Advisory Framework (CSAF) TC
  2. CSAF-4

Analysis of "Application Vulnerability Description Language (AVDL)" and any possible relation to CSAF work products



    • Type: Task
    • Status: New
    • Priority: Critical
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:



      This issue (task) is one of many similar formal issues formalizing the TCs process to analyse similar work.
      It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
      which has been named explicitedly as similar work in section (2)(a) "Identification of Similar Work"
      of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).

      This issue allows us to track and document progress and findings of the CSAF TC of the following:

      1. understand and summarize AVDL
      2. ensure synergy potentials are identified
      3. discussion of the relation to and reaction on AVDL
      4. documentation of result

      When checked at 2016-11-24 the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf and some bibliographic data identified was:

      URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
      Authors/Editors ==
      Jan Bialkowski, NetContinuum, jan@netcontinuum.com
      Kevin Heineman, SPI Dynamics, kheineman@spidynamics.com

      AuthorInstitution = OASIS
      DocumentDate = May 2004

      DocumentTitle = Application Vulnerability Description Language v1.0
      DocumentStatus = OASIS Standard

      Abstract ==
      This specification describes a standard XML format that allows entities (such as
      applications, organizations, or institutes) to communicate information regarding
      web application vulnerabilities.

      Simply said, Application Vulnerability Description Language (AVDL) is a security
      interoperability standard for creating a uniform method of describing application
      security vulnerabilities using XML.

      With the growing adoption of web-based technologies, applications have become
      far more dynamic, with changes taking place daily or even hourly.
      Consequently, enterprises must deal with a constant flood of new security patches
      from their application and infrastructure vendors.
      To make matters worse, network-level security products do little to protect against
      vulnerabilities at the application level. To address this problem, enterprises today
      have deployed a host of best-of-breed security products to discover application
      vulnerabilities, block application-layer attacks, repair vulnerable web sites,
      distribute patches, and manage security events.
      Enterprises have come to view application security as a continuous lifecycle.
      Unfortunately, there is currently no standard way for the products these enterprises
      have implemented to communicate with each other, making the overall security
      management process far too manual, time-consuming, and error prone.

      Enterprise customers are asking companies to provide products that interoperate.
      A consistent definition of application security vulnerabilities is a significant step towards
      that goal.
      AVDL fulfils this goal by providing an XML-based vulnerability assessment output
      that will be used to improve the effectiveness of attack prevention, event correlation,
      and remediation technologies.

      The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the info available at the TC page (cf. above).

      To ease processing of this issue, some content is copied here (as of 2016-11-24):

      ContentCopy ==

      The goal of AVDL is to create a uniform way of describing application security vulnerabilities.
      The OASIS AVDL TC creates an XML definition for exchange of information relating to security
      vulnerabilities of applications exposed to networks.
      For example, the owners of an application may use a scanning tool to test their application
      for exposed vulnerabilities to various types of malicious attacks.
      That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format.
      That AVDL information may be utilized by application security gateways to recommend the
      optimal attack prevention policy for that specific application.
      Remediation products could use AVDL files to suggest the best course of action for
      correcting problems, while reporting tools could use AVDL to correlate event logs with
      areas of known vulnerability.




            • Assignee:
              sdrees Stefan Hagen
            • Watchers:
              2 Start watching this issue


              • Due: