Security managers are getting a new tool for combating application vulnerabilities and "death by security bulletin" information overload.
At the RSA Conference, the Application Vulnerability Description Language (AVDL) technical committee, part of the Organization for the Advancement of Structured Information Standards (OASIS), announced that the AVDL 1.0 specification is in the final-approval stage. The committee expects to finalize AVDL in the next month or two -- less than a year after it was first proposed -- and to see it in wide use within 12 to 18 months.
AVDL is an open, XML-based specification for exchanging application vulnerability information between security products from different vendors. Companies need it: Gartner Group says more than 70% of Web attacks target the application layer, yet patching remains reactive and slow.
"Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice," said John Pescatore, a vice president at Gartner, in a statement. AVDL could help, he says, "by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites."
The key is allowing products to exchange information. "What we're going to be able to do now that the AVDL 1.0 standard is out there is read AVDL descriptions from any source, and then automatically generate a recommendation for the customer based on that new vulnerability," says Wes Wasson, vice president of marketing and chief strategy officer for application security gateway vendor NetContinuum.
For example, if code-scanning software detects vulnerabilities in application code, it can automatically share that information, in AVDL format, with in-house security gateways and with patch management software from other vendors, and each product can then offer its own configuration recommendations. The end result: security managers get an automated, less error-prone way to patch and protect against application security vulnerabilities.
The standard has extensive backing; the working group includes Citadel, the U.S. Department of Energy's Computer Incident Advisory Capability (DOE-CIAC), GuardedNet, IBM, Microsoft, MITRE, NetContinuum, Qualys, SPI Dynamics, Teros and WhiteHat.
One AVDL proponent, DOE-CIAC, plans to release an AVDL-aware security portal "to automatically interpret new application security alerts published in AVDL format," said DOE-CIAC security incident response manager John Dias in a statement. Security managers should be able to more quickly view only the alerts applicable to their environment, then implement patches. Dias said AVDL "could substantially reduce the manual effort and response time required to respond to a new vulnerability."
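The workflow the article describes (a scanner publishes a vendor-neutral description; a gateway and a patch tool consume it; the operator sees only alerts that match the local environment) can be sketched in code. The following is an added example written for this page, not code from OASIS, DOE-CIAC or any vendor named above, and the XML it parses is a deliberately simplified, made-up schema (namespace `urn:example:vuln-feed`, elements `vulnerability`, `affected`, `probe`, `remedy`) standing in for an AVDL document; it is not the AVDL 1.0 schema. The product names, versions and identifiers in the sample feed are constructed.

```python
"""Consume a vendor-neutral vulnerability feed and turn it into actions.

Added example: the XML below uses a hypothetical, simplified schema (NOT the
real AVDL 1.0 schema) to show the pipeline the article describes:
scanner output -> applicability check against the local inventory ->
gateway blocking rule + patch recommendation, with non-applicable alerts dropped.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample feed. Hypothetical schema and identifiers; nothing here
# is a real product or a real vulnerability.
SAMPLE_FEED = """\
<vuln-feed xmlns="urn:example:vuln-feed">
  <vulnerability id="EX-2004-001" severity="high">
    <summary>SQL injection in login form</summary>
    <affected product="ShopCart" min-version="2.0" max-version="2.3.1"/>
    <probe method="POST" path="/login" parameter="user"/>
    <remedy type="patch" version="2.3.2"/>
  </vulnerability>
  <vulnerability id="EX-2004-002" severity="medium">
    <summary>Directory traversal in file download</summary>
    <affected product="DocServe" min-version="1.0" max-version="1.4"/>
    <probe method="GET" path="/download" parameter="file"/>
    <remedy type="patch" version="1.5"/>
  </vulnerability>
</vuln-feed>
"""

NS = {"f": "urn:example:vuln-feed"}  # hypothetical namespace


@dataclass
class Alert:
    vuln_id: str
    severity: str
    product: str
    min_version: tuple[int, ...]
    max_version: tuple[int, ...]
    method: str
    path: str
    parameter: str
    fixed_version: str


def parse_version(text: str) -> tuple[int, ...]:
    """'2.3.1' -> (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_feed(xml_text: str) -> list[Alert]:
    """Read every <vulnerability> element of the (hypothetical) feed format.

    A third-party feed is untrusted input; in production route it through
    defusedxml rather than the stdlib parser. The stdlib is used here only to
    keep the example dependency-free.
    """
    root = ET.fromstring(xml_text)
    alerts: list[Alert] = []
    for v in root.findall("f:vulnerability", NS):
        aff = v.find("f:affected", NS)
        probe = v.find("f:probe", NS)
        remedy = v.find("f:remedy", NS)
        if aff is None or probe is None or remedy is None:
            continue  # malformed entry: skip rather than act on partial data
        alerts.append(Alert(
            vuln_id=v.get("id", ""),
            severity=v.get("severity", "unknown"),
            product=aff.get("product", ""),
            min_version=parse_version(aff.get("min-version", "0")),
            max_version=parse_version(aff.get("max-version", "0")),
            method=probe.get("method", "GET"),
            path=probe.get("path", "/"),
            parameter=probe.get("parameter", ""),
            fixed_version=remedy.get("version", ""),
        ))
    return alerts


def applicable(alerts: list[Alert], inventory: dict[str, str]) -> list[Alert]:
    """Keep only alerts whose affected range covers a version we actually run."""
    hits = []
    for a in alerts:
        deployed = inventory.get(a.product)
        if deployed is None:
            continue
        if a.min_version <= parse_version(deployed) <= a.max_version:
            hits.append(a)
    return hits


def gateway_rule(a: Alert) -> str:
    """Render a rule for a hypothetical gateway: block the vulnerable request."""
    return f"deny {a.method} {a.path} param={a.parameter} tag={a.vuln_id}"


def patch_recommendation(a: Alert, inventory: dict[str, str]) -> str:
    return (f"{a.product} {inventory[a.product]} -> upgrade to "
            f"{a.fixed_version} ({a.vuln_id}, {a.severity})")


def recommend(xml_text: str, inventory: dict[str, str]) -> dict[str, list[str]]:
    """Full pipeline: parse, filter to this environment, emit both actions."""
    hits = applicable(parse_feed(xml_text), inventory)
    return {
        "gateway": [gateway_rule(a) for a in hits],
        "patch": [patch_recommendation(a, inventory) for a in hits],
    }


if __name__ == "__main__":
    # Constructed inventory: ShopCart is in the vulnerable range, DocServe is not.
    local = {"ShopCart": "2.1.0", "DocServe": "1.6"}
    for kind, lines in recommend(SAMPLE_FEED, local).items():
        for line in lines:
            print(f"[{kind}] {line}")
```

The point of the applicability step is the one Dias makes: the operator never sees the DocServe alert because the deployed 1.6 is outside the affected range, while the ShopCart alert yields both a temporary gateway block on the vulnerable parameter and a concrete upgrade target. Version comparison is done on integer tuples on purpose; comparing "2.10" and "2.3" as strings would silently misclassify.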