OASIS addressed another layer of security concerns around Web services Wednesday when it ratified the Application Vulnerability Description Language (AVDL) 1.0 as a standard, the organization's highest level of ratification.
AVDL is an XML schema that enables security products to communicate information about new and existing Web application vulnerabilities between themselves, according to AVDL Technical Committee co-chairman Kevin Heineman.
"This is plugging a pretty big need," said Heineman, who is also the vice president of engineering services at application security software and service provider SPI Dynamics Inc. of Atlanta.
SPI Dynamics products are already AVDL compliant, as are similar offerings from NetContinuum Inc. of Santa Clara, Calif., which sells application security gateway software, and Citadel Security Software Inc. of Dallas, which sells vulnerability management software. NetContinuum and Citadel also have representatives on the AVDL TC.
Research firm Gartner Inc. said close to 80 new application vulnerabilities are announced every week. The AVDL spec takes a step toward reducing the threat posed by the rapidly closing window between the time a vulnerability is announced and when hackers have an exploit ready.
"In the past, there was no good way for customers to do assessments of Web applications to find vulnerabilities and act on them," Heineman said. "With AVDL, customers can now have a seamless way to find vulnerabilities."
AVDL acts as an intermediary between vulnerability assessment software and application firewalls. Vulnerability information is exported in a standardized manner using the AVDL specification and imports that data into the firewall. The firewall then generates rules to protect against the vulnerability. AVDL can also communicate to vulnerability remediation products that can correct flaws in real time, Heineman said.
"The biggest benefit is that it allows customers to continue to buy best-of-breed products," Heineman said.
By using AVDL-compliant vulnerability scanners, network managers no longer have to compare assessment logs to their application firewall rules, patch management systems and correlation engines. AVDL provides a standard means to do these comparisons automatically.
"Organizations are drowning in the flood of security bulletins and alerts while application vulnerability exploits are wreaking havoc on networks around the globe," said Jan Bialkowski, TC co-chairman and chief technology officer at NetContinuum. "Since AVDL is an easy schema to implement, we hope to see rapid adoption, advancing the industry to an era where all security products can share and effectively utilize vulnerability data via AVDL.