Affects Version/s: None
Fix Version/s: None
This issue (task) is one of many similar formal issues formalizing the TC's process for analysing similar work.
It deals with the analysis of the "Application Vulnerability Description Language (AVDL) v1.0 [OASIS 200403]" (cf. https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=avdl ),
which has been named explicitly as similar work in section (2)(a) "Identification of Similar Work"
of the "OASIS Common Security Advisory Framework (CSAF) Technical Committee Charter" (cf. http://www.oasis-open.org/committees/csaf/charter.php ).
This issue allows us to track and document the progress and findings of the CSAF TC on the following:
1. understand and summarize AVDL
2. ensure synergy potentials are identified
3. discussion of the relation to, and reaction to, AVDL
4. documentation of the result
When checked on 2016-11-24, the (PDF format) document advertised on the TC page existed at the URL https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf , and the bibliographic data identified was:
URL = https://www.oasis-open.org/committees/download.php/7145/AVDL%20Specification%20V1.pdf
Jan Bialkowski, NetContinuum, firstname.lastname@example.org
Kevin Heineman, SPI Dynamics, email@example.com
AuthorInstitution = OASIS
DocumentDate = May 2004
DocumentTitle = Application Vulnerability Description Language v1.0
DocumentStatus = OASIS Standard
This specification describes a standard XML format that allows entities (such as applications, organizations, or institutes) to communicate information regarding web application vulnerabilities.

Simply said, Application Vulnerability Description Language (AVDL) is a security interoperability standard for creating a uniform method of describing application security vulnerabilities using XML.

With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily or even hourly. Consequently, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches, and manage security events.

Enterprises have come to view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for the products these enterprises have implemented to communicate with each other, making the overall security management process far too manual, time-consuming, and error prone.

Enterprise customers are asking companies to provide products that interoperate.
A consistent definition of application security vulnerabilities is a significant step towards
AVDL fulfils this goal by providing an XML-based vulnerability assessment output that will be used to improve the effectiveness of attack prevention, event correlation, and remediation technologies.
The completed OASIS Application Vulnerability Description Language (AVDL) TC is described by the information available on the TC page (cf. above).
To ease processing of this issue, some content is copied here (as of 2016-11-24):
The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The OASIS AVDL TC creates an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks.

For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.
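The last use case above (a reporting tool correlating event logs with areas of known vulnerability) as an added example; this is not code from the AVDL TC or the specification. The XML element names (`avdl-report`, `vulnerability`, `http-request`) are an assumed, simplified AVDL-like layout, not the real AVDL 1.0 schema, and both the scanner output and the access-log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed scanner output in an ASSUMED AVDL-like layout (not the real AVDL 1.0 schema).
SAMPLE_AVDL = """<?xml version="1.0"?>
<avdl-report>
  <vulnerability id="v1" severity="high" class="sql-injection">
    <http-request method="POST" path="/login.php"/>
  </vulnerability>
  <vulnerability id="v2" severity="medium" class="xss">
    <http-request method="GET" path="/search"/>
  </vulnerability>
</avdl-report>
"""

# Constructed web-server access log lines (common log format).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Nov/2016:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [24/Nov/2016:10:00:02 +0000] "POST /login.php HTTP/1.1" 500 0
10.0.0.9 - - [24/Nov/2016:10:00:03 +0000] "GET /search?q=test HTTP/1.1" 200 1024
10.0.0.7 - - [24/Nov/2016:10:00:04 +0000] "GET /search HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def load_vulnerabilities(xml_text):
    """Map (METHOD, path) -> (id, severity, class) from the assumed AVDL-like document.
    For files from untrusted sources, parse with a hardened parser (e.g. defusedxml)."""
    vulns = {}
    for v in ET.fromstring(xml_text).iter("vulnerability"):
        req = v.find("http-request")
        if req is None or req.get("path") is None:
            continue
        key = (req.get("method", "GET").upper(), req.get("path"))
        vulns[key] = (v.get("id"), v.get("severity"), v.get("class"))
    return vulns


def correlate(log_text, vulns):
    """Return access-log entries whose method + path (query string stripped) match a known vulnerability."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        path = m.group("target").split("?", 1)[0]
        found = vulns.get((m.group("method"), path))
        if found:
            hits.append({"ip": m.group("ip"), "status": m.group("status"), "path": path,
                         "vuln": found[0], "severity": found[1], "class": found[2]})
    return hits
```

Running `correlate(SAMPLE_LOG, load_vulnerabilities(SAMPLE_AVDL))` flags the three requests that touched the two scanned endpoints, including the server error on the SQL-injection-prone login handler.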