Subject: Re: [was] RE: [members] OASIS TC Call for Participation: Web Application Security TC
Hi Andrea,

Thanks for the mail. I will set up a conference call to discuss. I will contact you about proposed times shortly.

Thanks
Mark

----- Original Message -----
From: "Andrea Westerinen" <andreaw@cisco.com>
To: <karl.best@oasis-open.org>; <was@lists.oasis-open.org>
Cc: <wg-secpam@dmtf.org>
Sent: Wednesday, May 14, 2003 3:50 PM
Subject: [was] RE: [members] OASIS TC Call for Participation: Web Application Security TC

> Resending - had an email failure on the was list.
> Andrea
>
> -----Original Message-----
> From: Andrea Westerinen [mailto:andreaw@cisco.com]
> Sent: Wednesday, May 14, 2003 12:38 PM
> To: 'karl.best@oasis-open.org'; 'was@lists.oasis-open.org'
> Cc: 'wg-secpam@dmtf.org'
> Subject: RE: [members] OASIS TC Call for Participation: Web Application Security TC
>
> Karl and WAS-XML team members,
> I have joined the WAS TC and am very interested in its work. I would
> like to suggest synergy and a liaison between this group and the DMTF's
> (Distributed Management Task Force's) Security Protection and Management
> working group (aka SPAM). The SPAM WG is pursuing similar goals. Its
> charter is attached.
>
> Andrea
>
> -----Original Message-----
> From: Karl F. Best [mailto:karl.best@oasis-open.org]
> Sent: Tuesday, May 13, 2003 5:49 AM
> To: members@lists.oasis-open.org; tc-announce@lists.oasis-open.org;
> xml-dev@lists.xml.org; was@lists.oasis-open.org
> Subject: [members] OASIS TC Call for Participation: Web Application Security TC
>
> A new OASIS technical committee is being formed.
> The OASIS Web Application Security Technical Committee (WAS TC) has been
> proposed by the following members of OASIS: Steven Taylor, Bank of America;
> Martin Nystrom, Cisco; William Hau, IBM; Steve Orrin, Sanctum; and the
> following Individual members: Yuval Ben-Itzak, Phil Brass, Dave Cole,
> Mark Curphey, Rogan Dawes, David Endler, Jeremy Poteet, Kerry Rollins,
> Tim Smith, Jeff Williams, David Raphael, Jason Childers, Gabriel
> Lawrence, and Andrew Jacquith.
>
> The proposal for a new TC meets the requirements of the OASIS TC Process
> (see http://oasis-open.org/committees/process.shtml), and is appended to
> this message. The proposal, which includes a statement of purpose, list
> of deliverables, and proposed schedule, will constitute the TC's
> charter. The TC Process allows these items to be clarified (revised) by
> the TC members; such clarifications (revisions), as well as submissions
> of technology for consideration by the TC and the beginning of technical
> discussions, may occur no sooner than the TC's first meeting.
>
> As specified by the OASIS TC Process, the requirements for becoming a
> member of the TC are that you must 1) be an employee of an OASIS member
> organization or an Individual member of OASIS; 2) notify the TC chair of
> your intent to participate at least 15 days prior to the first meeting;
> and 3) attend the first meeting of the TC.
>
> For OASIS members, to sign up for the TC using the new OASIS
> collaborative tools, go to the TC's public page at
> http://www.oasis-open.org/committees/was and click on the button for
> "Join This TC" at the top of the page. You may add yourself to the
> roster of the TC either as a Prospective Member (if you intend to become
> a member of the TC) or an Observer. A notice will automatically be sent
> to the TC chair, which fulfills requirement #2 above.
> You must sign up for membership at least 15 days before the first meeting
> and must attend the first meeting of the TC in order to become a member.
>
> Note that membership in OASIS TCs is by individual, and not by
> organization.
>
> For non-OASIS members, a public comment list
> was-comment@lists.oasis-open.org is available for the public to make
> comments on the work of this TC; the public may subscribe to this list
> by going to the mail list web page at
> http://lists.oasis-open.org/ob/adm.pl.
>
> The archives of the TC's private and comment mail lists are visible to
> the public at http://lists.oasis-open.org/archives/
>
> Further information about this topic may be found on the Cover Pages
> under the topic of "Application Security" at
> http://xml.coverpages.org/appSecurity.html
>
> -Karl
>
> =================================================================
> Karl F. Best
> Vice President, OASIS
> office +1 978.667.5115 x206 mobile +1 978.761.1648
> karl.best@oasis-open.org http://www.oasis-open.org
>
> OASIS Proposal for WAS-XML
>
> Name of the TC
>
> The name of the technical committee will be WAS-XML (Web Application
> Security XML).
>
> Statement of Purpose
>
> Like many other parts of the IT industry, the information security
> industry has grown extremely fast with few standards bodies and often
> little co-operation and co-ordination between vendors and the user
> community.
>
> When security researchers and software vendors publish security
> advisories, they usually do so in an ambiguous textual form or embed the
> data into a proprietary data file that only works with their own
> proprietary security tools. The same vulnerability can be (and often
> is) described in several different ways, using different language and
> context, quantifying the impact and threat and therefore the risk in
> different ways and with different ratings assessments.
> This textual data can also not be used to provide automated immediate
> protection by web security assessment and intrusion protection tools.
>
> The WAS-XML technical committee will produce:
>
> - a classification scheme for web security vulnerabilities
> - a model to provide guidance for initial threat, impact and therefore
>   risk ratings
> - an XML schema to describe web security conditions that can be used by
>   both assessment and protection tools
>
> The technical committee will unite industry consensus and provide
> standards from which vendors and users will benefit. It will leverage
> and extend the work of the OWASP VulnXML project that has been
> established for over a year. The existing VulnXML work is being given
> to OASIS as part of this proposal.
>
> We will liaise with the OASIS AVDL TC whose mission is to develop
> communication protocols for application security tools to integrate.
> There is a clear distinction between the description of the data and
> the subsequent inter-technology communication of it and given the
> substantial work and thought already undertaken, the WAS-XML TC will
> leverage that and focus on the data portion of this problem. The
> proposers of this TC anticipate that the AVDL specification will consume
> WAS-XML data.
>
> List of Deliverables
>
> - Web Security Classification Scheme - within 12 weeks of TC formation
> - Web Security Risk Ranking Model - within 16 weeks of TC formation
> - WAS-XML Schema (fully documented) - within 24 weeks of TC formation
> - WAS-XML Developers Guide - within 24 weeks of TC formation
> - WAS-XML Overview for Security Researchers and Software Vendors -
>   within 24 weeks of TC formation
>
> Language
>
> This TC will conduct its business in English.
>
> Date and time of first meeting
>
> The first meeting will be held on July 3rd, 2003 at 12pm ET via
> teleconference in English.
>
> Meeting Schedule
>
> This technical committee will hold teleconference calls every two weeks
> on Fridays at 10am EST. It is proposed to hold a face to face meeting
> in September in Washington DC.
>
> Proposers
>
> Steven Taylor - Bank of America (steven.g.taylor@bankofamerica.com)
> Martin Nystrom - Cisco - (mnystrom@cisco.com)
> William Hau - IBM (whau@uk.ibm.com)
> Steve Orrin - Sanctum Inc. (sorrin@sanctuminc.com)
> Yuval Ben-Itzak - Individual - (yuval@kavado.com)
> Phil Brass - Individual - (pbrass@iss.net)
> Dave Cole - Individual - (dave.cole@foundstone.com)
> Mark Curphey - Individual (mark.curphey@watchfire.com)
> Rogan Dawes - Individual (rdawes@deloitte.co.za)
> David Endler - Individual - (dendler@idefense.com)
> Jeremy Poteet - Individual (jpoteet@tech-partners.com)
> Kerry Rollins - Individual - (kerry.Rollins@ey.com)
> Tim Smith - Individual (tim.smith@alphawest.com.au)
> Jeff Williams - Individual (jeff.williams@aspectsecurity.com)
> David Raphael - Individual - (david.raphael@ericsson.com)
> Jason Childers - Individual (childers_j@yahoo.com)
> Gabriel Lawrence - Individual (gabe@ucsd.edu)
> Andrew Jacquith - Individual (ajaquith@atstake.com)
>
> Chair
>
> The Chair will be Mark Curphey (mark.curphey@watchfire.com).
>
> Telephone meeting sponsors
>
> The telephone meeting sponsor will be OWASP.
>
> Face to Face meeting sponsors
>
> The face to face meeting sponsor will be OWASP.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: members-unsubscribe@lists.oasis-open.org
> For additional commands, e-mail: members-help@lists.oasis-open.org