Firms develop XML schema to protect applications

A quest to develop a common language to describe application security vulnerabilities moved one step closer to reality after two...

A quest to develop a common language to describe application security vulnerabilities moved one step closer to reality after two security companies completed of a new XML (Extensible Markup Language) schema for describing application vulnerabilities.

NetContinuum and SPI Dynamics said they had completed a cross-platform integration of SPI's WebInspect Enterprise Edition vulnerability testing software and NetContinuum's NC-1000 web security gateway. 

The integration allows vulnerability information from WebInspect scans to be read directly by the NC-1000, then turned into security policies and configuration changes that protect the vulnerable application.

At the heart of the integration is a new XML format that can contain specific information such as the type of server or file affected by a vulnerability, while isolating information such as the HTML or HTTP methods or specific web cookies involved in exploits, according to Wes Wasson, chief strategy officer at NetContinuum.

SPI modified WebInspect to output assessment information using the expanded format. NetContinuum changed the NC-1000 so that it could read the format and automatically parse it to create security policies, saving administrators the time and effort of having to build those policies manually, Wasson said.

WebInspect has long been able to output assessment data in XML format. However, that information was not structured or complete enough to translate into policies that could block attacks, he said.

Administrators still need to decide which policies to deploy, but the integration will save administrators the time and effort needed  to translate vulnerability assessment data into new or modified rules and policies, Wasson said.

"It guarantees that the administrator has a policy that addresses the vulnerabilities identified in the scan," he said.

That is especially important given the growing tendency of hackers to target applications rather than network vulnerabilities and the weeks or months that are often needed for developers to code, test and release a software patch, according to Brian Cohen, chief executive officer of SPI Dynamics.

With the help of the new XML schema, NetContinuum's NC-1000 device can block attacks until a patch is available, Cohen said.

"While, ultimately, you want to correct problems, you also want to have technology that can defeat attacks while they're occurring," he said.

Updated versions of WebInspect and the NC-1000 already support the new schema and the two companies have around 30 customers that use both products and are poised to take advantage of the integration.

The final AVDL specification is scheduled to be released in December.

Paul Roberts writes for IDG News Service

Read more on IT risk management