May 29, 2003

OASIS to develop common security language

List to be similar to the CVE one for network level vulnerabilities

A new committee at the Organization for the Advancement of Structured Information Standards (OASIS) is laying the groundwork for a new classification system to describe Web security vulnerabilities.

The OASIS Web Application Security (WAS) Technical Committee will be responsible for developing an XML (Extensible Markup Language) schema that describes Web security conditions and provides guidelines for classifying and rating the risk level of application vulnerabilities, according to a statement released by OASIS on Wednesday.

The new committee is made up of representatives from a number of companies in the security space including Netcontinuum, Qualys, Sanctum and SPI Dynamics.

Once defined and adopted, the WAS vulnerability descriptions would replace a system in which the same application security vulnerability is described in different ways by different organizations, according to OASIS.

The new OASIS WAS standards will be similar to the list of Common Vulnerabilities and Exposures (CVE) that is used to standardize the description of network level vulnerabilities, said Wes Wasson, vice president of marketing at Netcontinuum in Santa Clara, Calif.

Unlike the CVE list, however, WAS descriptions will tackle the thornier issue of describing application vulnerabilities that could be exploited using multiple avenues of attack, Wasson said.

The announcement Wednesday follows the formation in April of a related technical committee to develop an XML definition for exchanging information on security vulnerabilities between network applications.

The OASIS Application Vulnerability Description Language (AVDL) Technical Committee is intended to develop standards for deploying heterogeneous but interoperable security technology that relies on a standardized description of vulnerabilities.

The work of the WAS Technical Committee will track closely with that of the AVDL Technical Committee, which will make sure diverse security products can work with the common vulnerability descriptions developed by the WAS group, Wasson said.

"The AVDL [Technical Committee] is oriented to the next stage of the process, which is looking at the vulnerabilities as a business problem. So after our classifications are all lined up, the question is 'What do I do with the information? How do I make sure my vulnerability scanning tools talk to my firewall and patch management systems?'" Wasson said.

While the WAS Technical Committee will not meet until early July, Wasson said that the group should hit the ground running, given that many of its members have already been participating in the Open Web Application Security Project (OWASP), an open-source group tackling many of the same issues.

OWASP plans to submit its Vulnerability Description Language (VulnXML), an open-standard data format for describing Web application security vulnerabilities, to the new committee, OASIS said.

That standard should be quickly adopted by the OASIS WAS Technical Committee as its schema for describing attacks, Wasson said.

With that done, the committee will need to focus on the harder task of developing an infrastructure for responding to newly discovered vulnerabilities.

That infrastructure, like the one currently in place for the CVE list, will involve processes for collecting information about new vulnerabilities from companies and security researchers, developing descriptions for those vulnerabilities, then making that information public via a Web site such as the CVE site, which is managed by the nonprofit MITRE, Wasson said.

©1994-2009 Infoworld, Inc.