Security firms create standard protocol

Security companies are working together to create a standard protocol that will enable all information about holes and vulnerabilities to be shared.

Progressing from an idea to a published Oasis standard in less than a year, the AVDL (application vulnerability description language) specification must be one of the quickest IT standards created.

Three suppliers in the emerging field of application-layer security are showing their products working together at the RSA security show this week. In addition - and, most unusually of all for a standard at this stage of development - at least one user, the US Department of Energy's IT security group, has made a commitment to using it.

The AVDL 1.0 specification is in the final stages of Oasis approval and the three companies in question - Citadel Security Software, NetContinuum and SPI Dynamics - have already implemented the draft AVDL specification into their product lines.

"AVDL is a lifecycle play," said Brian Cohen, chief executive of SPI Dynamics. "It is extremely important to identify problems early."

AVDL shares data on vulnerabilities in web-based applications, so tools such as firewalls, intrusion detection systems and remediation systems can respond better and other security tools can be co-ordinated. The result is less manual intervention and quicker fixes, the group claimed.

By linking their products, the companies hoped to reassure users entering this new area. "Users can select the best point products rather than being locked in to one vendor's products," said Cohen.

Inter-communication will also mean less manual user intervention is required.

The next step the group would like to see is users adopting AVDL for in-house security processes, and larger suppliers adding AVDL interfaces to business software, so that their security needs can be better met by application security tools.

"If this sounds like something you might want, get on board and ask your application vendors when they are supporting AVDL," said Wes Wasson, chief strategy officer at NetContinuum.

One user, the Department of Energy's security incident response service, plans to AVDL-enable an incident response portal so that reported vulnerabilities can be handled more efficiently.

“Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice,” said John Pescatore, a vice president at Gartner.

“New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites.”

AVDL is an XML schema that describes web application security properties and vulnerabilities, so they can be communicated between security tools.

The Oasis group, which evolved from an organisation dedicated to the generalised mark-up language, SGML, has a lot of experience in XML standards, including one for web services security and another for describing whole modular IT rooms.

AVDL members cover a spread of functions: Cenzic handles quality assurance, Citadel provides an automated remediation product, GuardedNet event management, NetContinuum a security gateway, Teros a firewall, Qualys audits and vulnerability management, and SPI Dynamics testing. Services company WhiteHat is also involved.

Peter Judge writes for