Latest Web services spec tackles application flaws

Michael S. Mimoso, Editorial Director

OASIS addressed another layer of security concerns around Web services Wednesday when it ratified the Application Vulnerability Description Language (AVDL) 1.0 as a standard, the organization's highest level of ratification.

AVDL is an XML schema that enables security products to communicate information about new and existing Web application vulnerabilities between themselves, according to AVDL Technical Committee co-chairman Kevin Heineman.

"This is plugging a pretty big need," said Heineman, who is also the vice president of engineering services at application security software and service provider SPI Dynamics Inc. of Atlanta.

SPI Dynamics products are already AVDL compliant, as are similar offerings from NetContinuum Inc. of Santa Clara, Calif., which sells application security gateway software, and Citadel Security Software Inc. of Dallas, which sells vulnerability management software. NetContinuum and Citadel also have representatives on the AVDL TC.

Research firm Gartner Inc. said close to 80 new application vulnerabilities are announced every week. The AVDL spec takes a step toward reducing the threat posed by the rapidly closing window between the time a vulnerability is announced and when hackers have an exploit ready.

"In the past, there was no good way for customers to do assessments of Web applications to find vulnerabilities and act on them," Heineman said. "With AVDL, customers can now have a seamless way to find vulnerabilities."

AVDL acts as an intermediary between vulnerability assessment software and application firewalls. The assessment tool exports its findings in the standardized AVDL format, and the firewall imports that data and generates rules to protect against each vulnerability. AVDL can also carry the same information to vulnerability remediation products that can correct flaws in real time, Heineman said.

"The biggest benefit is that it allows customers to continue to buy best-of-breed products," Heineman said.

By using AVDL-compliant vulnerability scanners, network managers no longer have to compare assessment logs to their application firewall rules, patch management systems and correlation engines. AVDL provides a standard means to do these comparisons automatically.
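The export/import pipeline described in the two paragraphs above, as an added example that is not part of the original article and not code from OASIS, SPI Dynamics or NetContinuum. The element and attribute names in the sample document (`vulnerabilities`, `vulnerability`, `class`, `target`) are a hypothetical, simplified vocabulary chosen for illustration; they are not the real AVDL 1.0 schema. The script plays both sides of the exchange: it parses a scanner's export, derives a firewall rule per finding, and reconciles the findings against rules a firewall already has, which is the comparison the article says AVDL lets sites automate.

```python
"""Simplified AVDL-style exchange: scanner export -> firewall rule import.

The XML vocabulary below is a constructed, hypothetical stand-in for AVDL;
it is not the OASIS AVDL 1.0 schema.
"""
from dataclasses import dataclass
from typing import List, Optional
import xml.etree.ElementTree as ET

# Constructed sample export, as a scanner might hand it to a firewall.
# Host and paths are made up for the example.
SAMPLE_AVDL = """<?xml version="1.0"?>
<vulnerabilities>
  <vulnerability id="V-1" severity="high">
    <class>sql-injection</class>
    <target host="shop.example" path="/search" method="GET" param="q"/>
  </vulnerability>
  <vulnerability id="V-2" severity="medium">
    <class>cross-site-scripting</class>
    <target host="shop.example" path="/comment" method="POST" param="body"/>
  </vulnerability>
  <vulnerability id="V-3" severity="low">
    <class>directory-listing</class>
    <target host="shop.example" path="/static/" method="GET"/>
  </vulnerability>
</vulnerabilities>
"""


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    severity: str
    vuln_class: str
    host: str
    path: str
    method: str
    param: Optional[str]  # None when the finding is not tied to one parameter


@dataclass(frozen=True)
class FirewallRule:
    host: str
    path: str
    method: str
    param: Optional[str]
    action: str
    reason: str  # id of the finding that produced the rule, for audit


# Hypothetical mapping from vulnerability class to a firewall action.
RULE_FOR_CLASS = {
    "sql-injection": "block-if-param-matches:sql-metacharacters",
    "cross-site-scripting": "block-if-param-matches:html-markup",
    "directory-listing": "deny",
}


def parse_avdl(xml_text: str) -> List[Vulnerability]:
    """Import side: turn the scanner's XML export into typed findings.

    Exports arrive from another product, so a production importer should
    use a hardened parser (e.g. defusedxml) rather than the stdlib one.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "vulnerabilities":
        raise ValueError(f"unexpected root element {root.tag!r}")
    findings = []
    for node in root.findall("vulnerability"):
        vuln_class = node.findtext("class")
        target = node.find("target")
        if vuln_class is None or target is None:
            # Refuse malformed records instead of silently generating nothing.
            raise ValueError(f"vulnerability {node.get('id')!r} lacks class or target")
        findings.append(Vulnerability(
            vuln_id=node.get("id", ""),
            severity=node.get("severity", "unknown"),
            vuln_class=vuln_class.strip(),
            host=target.get("host", ""),
            path=target.get("path", ""),
            method=target.get("method", "GET").upper(),
            param=target.get("param"),
        ))
    return findings


def generate_rules(findings: List[Vulnerability]) -> List[FirewallRule]:
    """Firewall side: one protective rule per finding of a known class.

    Unknown classes are left out on purpose: there is no safe action to
    invent automatically, so they stay in the findings list for human triage.
    """
    rules = []
    for v in findings:
        action = RULE_FOR_CLASS.get(v.vuln_class)
        if action is None:
            continue
        rules.append(FirewallRule(v.host, v.path, v.method, v.param, action, v.vuln_id))
    return rules


def reconcile(findings: List[Vulnerability],
              existing: List[FirewallRule]) -> List[Vulnerability]:
    """Return findings that no existing firewall rule already covers."""
    covered = {(r.host, r.path, r.method, r.param) for r in existing}
    return [v for v in findings if (v.host, v.path, v.method, v.param) not in covered]


if __name__ == "__main__":
    found = parse_avdl(SAMPLE_AVDL)
    new_rules = generate_rules(found)
    for r in new_rules:
        print(f"{r.method} {r.host}{r.path} param={r.param} -> {r.action} ({r.reason})")
    print("uncovered:", [v.vuln_id for v in reconcile(found, new_rules[:1])])
```

`reconcile` is the piece that replaces the manual log-versus-rule comparison: run it against the rules already loaded in the firewall and only the uncovered findings need attention. Note that the importer raises on a record with no class or target rather than skipping it, since a silently dropped finding is a vulnerability that never gets a rule.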

"Organizations are drowning in the flood of security bulletins and alerts while application vulnerability exploits are wreaking havoc on networks around the globe," said Jan Bialkowski, TC co-chairman and chief technology officer at NetContinuum. "Since AVDL is an easy schema to implement, we hope to see rapid adoption, advancing the industry to an era where all security products can share and effectively utilize vulnerability data via AVDL."
