Oasis to develop common security language

A new committee at the Organisation for the Advancement of Structured Information Standards (Oasis) is laying the groundwork for...

A new committee at the Organisation for the Advancement of Structured Information Standards (Oasis) is laying the groundwork for a new classification system to describe web security vulnerabilities.

The Oasis Web Application Security (WAS) technical committee will be responsible for developing an XML schema that describes web security conditions and provides guidelines for classifying and rating the risk level of application vulnerabilities.

The new committee is made up of representatives from a number of companies in the security space including Netcontinuum, Qualys, Sanctum and SPI Dynamics.

Once defined and adopted, the WAS vulnerability descriptions would replace a system in which the same application security vulnerability is described in different ways by different organisations, said Oasis.

The new Oasis WAS standards will be similar to the list of Common Vulnerabilities and Exposures (CVE) that is used to standardise the description of network-level vulnerabilities, said Wes Wasson, vice-president of marketing at Netcontinuum.

Unlike the CVE list, however, WAS descriptions will tackle the thornier issue of describing application vulnerabilities that could be exploited using multiple avenues of attack, Wasson said.

The announcement follows the formation in April of a related technical committee to develop an XML definition for exchanging information on security vulnerabilities between network applications.

The Oasis Application Vulnerability Description Language (AVDL) technical committee is intended to develop standards to deploy heterogenous but interoperable security technology relying on a standardised description of vulnerabilities.

The work of the WAS technical committee will track closely with that of the AVDL technical committee, which will make sure diverse security products can work with the common vulnerability descriptions developed by the WAS group, Wasson said.

"The AVDL is oriented to the next stage of  the process, which is looking at the vulnerabilities as a business problem. So after our classifications are all lined up, the question is 'What do I do with the information? How do I make sure my vulnerability scanning tools talk to my firewall and patch management systems?' " Wasson said.

While the WAS technical committee will not meet until early July, Wasson said the group should hit the ground running, given that many of its members have already been participating in the Open Web Application Security Project (OWASP), an open-source group tackling many of the same issues.

OWASP plans to submit its Vulnerability Description Language (VulnXML),  an open-standard data format for describing web application security vulnerabilities, to the new committee.

That standard should be adopted quickly by the Oasis WAS technical committee as its schema for describing attacks, Wasson said.

The committee will then need to focus on the harder task of developing an infrastructure for responding to new vulnerabilities that are discovered.

The infrastructure will involve processes for collecting information about new vulnerabilities from companies and security researchers, developing descriptions for those vulnerabilities, then making that information public via a website such as the CVE site, Wasson said.

Paul Roberts writes for IDG news service

Read more on Hackers and cybercrime prevention