Standards organizations share the stage at RSA

Security event to host LibertyAlliance, XML spec news

The AVDL group submitted its idea to OASIS for study. In turn, OASIS has created a technical committee to develop an XML definition for exchanging information on the security vulnerabilities of applications exposed to networks.

A draft specification from the AVDL Technical Committee is scheduled for September, with a final specification due in December, according to OASIS.

If widely adopted, the AVDL standards will enable customers to deploy diverse "best of breed" security technology to protect their network without having to sacrifice integration and interoperability, according to Wes Wasson, chief security strategy officer at NetContinuum.

Though initially intended to foster interoperability among the products of the five sponsoring companies, AVDL has the potential to be adopted by additional product platforms and to move further up the development chain, according to Brian Cohen, CEO of SPI Dynamics.

AVDL backers hope that development platform vendors and OASIS members such as Microsoft, BEA Systems, and IBM will join the AVDL Technical Committee and help shape the development of the AVDL standard so that it can be easily integrated with their development environments, according to Cohen.

Asked about the potential of resistance from those large companies, or from companies that are wary of more standards, Wasson and Cohen said that demand from their customers was driving them to promote the AVDL standard.

"Customers are drowning in the complexity of the application security problem," Wasson said. "Our customers are driving this. They see it as a real business solution to real business problems."

Finally, the Information Security Systems Association (ISSA) is making what it calls a "historic announcement" at RSA. The group, an international non-profit organization made up of information security professionals and practitioners, will announce its intention to take over and complete development of the Generally Accepted Information Security Principles (GAISP).

The announcement is quite significant, according to Mike Rasmussen, vice president of marketing for ISSA and an analyst at Forrester Research.

"What GAAP [Generally Accepted Accounting Principles] is for the accounting world, [GAISP] is trying to be for the security world," Rasmussen said.

Originally formulated as the Generally Accepted System Security Principles (GASSP) in response to Recommendation No. 1 of the 1990 U.S. National Research Council report, "Computers at Risk," the standards were managed by the International Information Security Foundation (IISF) and are based on other existing guidelines such as those created by the Organization for Economic Cooperation and Development, according to information provided by ISSA.

IISF published so-called "pervasive principles" in 1992 that provided high-level recommendations on information security standards, accountability and ethics to business executives. Despite updating those principles again in 2002, the GASSP effort was flagging, according to Rasmussen.

By taking over the project and renaming the standards to the GAISP, ISSA hopes to breathe new life into the project.