Press Release

OASIS Members Collaborate to Address Security Vulnerabilities for Web Services and Web Applications

San Francisco, Calif. (RSA Security Conference); 14 April 2003 — Members of the OASIS interoperability consortium announced plans to define a standard method of exchanging information concerning security vulnerabilities within Web services and Web applications. The new OASIS Application Vulnerability Description Language (AVDL) Technical Committee will address the challenge of how businesses manage ongoing application security risk on a day-to-day basis.

"Although there are several products available that help companies discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches and manage security events, there is currently no universal way for these products to communicate with one another, making pragmatic risk management a highly manual, often complex process," explained Kevin Heineman of SPI Dynamics, co-chair of the OASIS AVDL Technical Committee. "The goal of AVDL is to enable companies to manage and simplify the full application security lifecycle by providing a uniform way to communicate application security vulnerabilities, policies and events using XML."

"With the growing adoption of Web-based technologies, applications have become far more dynamic, often changing daily, or even hourly," said Jan Bialkowski of NetContinuum, co-chair of the OASIS AVDL Technical Committee. "Keeping pace with these rapidly changing threats will increasingly require close cooperation between various security components. The formation of this technical committee will give vendors an optimal forum to synchronize their products across the entire application security lifecycle."

Initial members of the OASIS AVDL Technical Committee include Booz Allen Hamilton, NetContinuum, Reed Elsevier, Sanctum, SPI Dynamics, and others. Participation remains open to all organizations and individuals, and OASIS will host an open mail list for public comment. The committee will hold its first meeting on 15 May 2003.

Industry Support for AVDL

"Sanctum fully supports OASIS and the AVDL TC as a cross vendor effort to unify the terminology, and standardize the way application level vulnerabilities are communicated and represented to users in the industry. Sanctum’s AppScan, an automated security testing tool, will take full advantage of this standard to allow for interoperability with third party reporting and assessment tools," said Steve Orrin, CTO of Sanctum, Inc.

About OASIS

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 600 organizations and individual members in 100 countries.

Additional information:

OASIS AVDL Technical Committee

Cover Pages: Application Security

Press contact:

Carol Geyer, OASIS Director of Communications, +1.941.284.0403