Breaking News - Operating Systems & Middleware:
OASIS Members Collaborate To Address Security Issues
Members of the OASIS interoperability consortium announced plans to define a
standard method of exchanging information concerning security vulnerabilities
within Web services and Web applications. The new OASIS Application
Vulnerability Description Language (AVDL) Technical Committee will address the
challenge of how businesses manage ongoing application security risk on a
day-to-day basis.
"Although there are several products available that help companies discover
application vulnerabilities, block application-layer attacks, repair
vulnerable web sites, distribute patches and manage security events, there is
currently no universal way for these products to communicate with one another,
making pragmatic risk management a highly manual, often complex process,"
explained Kevin Heineman of SPI Dynamics, co-chair of the OASIS AVDL Technical
Committee. "The goal of AVDL is to enable companies to manage and simplify the
full application security lifecycle by providing a uniform way to communicate
application security vulnerabilities, policies and events using XML."
"With the growing adoption of Web-based technologies, applications have become
far more dynamic, often changing daily, or even hourly," said Jan Bialkowski
of NetContinuum, co-chair of the OASIS AVDL Technical Committee. "Keeping pace
with these rapidly changing threats will increasingly require close
cooperation between various security components. The formation of this
technical committee will give vendors an optimal forum to synchronize their
products across the entire application security lifecycle."
Initial members of the OASIS AVDL Technical Committee include Booz Allen
Hamilton, NetContinuum, Reed Elsevier, Sanctum, SPI Dynamics, and others.
Participation remains open to all organizations and individuals, and OASIS
will host an open mail list for public comment. The committee will hold its
first meeting on 15 May 2003.
Industry Support for AVDL
"Sanctum fully supports OASIS and the AVDL TC as a cross-vendor effort to
unify the terminology, and standardize the way application-level
vulnerabilities are communicated and represented to users in the industry.
Sanctum's AppScan, an automated security testing tool, will take full
advantage of this standard to allow for interoperability with third-party
reporting and assessment tools," said Steve Orrin, CTO of Sanctum, Inc.
About OASIS
OASIS (Organization for the Advancement of Structured Information Standards)
is a not-for-profit, global consortium that drives the development,
convergence, and adoption of e-business standards. Members themselves set the
OASIS technical agenda, using a lightweight, open process expressly designed
to promote industry consensus and unite disparate efforts. OASIS produces
worldwide standards for security, Web services, XML conformance, business
transactions, electronic publishing, topic maps and interoperability within
and between marketplaces. Founded in 1993, OASIS has more than 2,000
participants representing over 600 organizations and individual members in 100
countries.
Web site: www.oasis-open.org