OASIS Application Vulnerability Description Language TC

The original Call For Participation for this TC may be found at http://lists.oasis-open.org/archives/tc-announce/200304/msg00000.html

The charter was revised at the first TC meeting on 15 May 2003, as minuted at http://www.oasis-open.org/apps/org/workgroup/avdl/download.php/2339/Minutes%204-15-03%20revised.txt

The charter for this TC is as follows.


OASIS Application Vulnerability Description Language (AVDL) Technical Committee

Statement of Purpose

The goal of AVDL is to create a uniform way of describing application security vulnerabilities. The AVDL TC is formed to create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks. For example, the owners of an application may use a scanning tool to test their application for exposed vulnerabilities to various types of malicious attacks. That tool may catalogue and record vulnerabilities detected into an XML file in AVDL format. That AVDL information may be utilized by application security gateways to recommend the optimal attack prevention policy for that specific application. Remediation products could use AVDL files to suggest the best course of action for correcting problems, while reporting tools could use AVDL to correlate event logs with areas of known vulnerability.

The AVDL TC will focus on defining a schema that enables easy communication concerning security vulnerabilities between any of the various security entities that address Hypertext Transfer Protocol (HTTP 1.0 and HTTP 1.1) application-level protocol security. AVDL will describe attacks and vulnerabilities that use HTTP as a generic protocol for communication between clients and proxies/gateways to other Internet systems and hosts. Security entities that might utilize AVDL include, but are not limited to, vulnerability assessment tools, application security gateways, reporting tools, correlation systems, and remediation tools. AVDL is not intended to communicate network-layer vulnerability information such as network topology, TCP-related attacks, or other network-layer issues. Nor is AVDL intended to carry any information about authentication or access control; those issues are covered by SAML and XACML.

Applications which utilize HTTP and HTML, including but not limited to "web services," as their foundation access and communication scheme are vulnerable to various types of malicious attacks. The goal of the AVDL TC is to define a language for describing information which can be used to protect such an application. This information may include, but is not limited to, vulnerability information as well as known legitimate usage information.

Vulnerability information may include:

  • Discrete, previously known vulnerabilities against the application's software stack or any of its components, e.g., OS type/version, application server type, web server type, database type, etc.
  • Information on an application's known legitimate usage schemes, e.g., directory structures, HTML structures, legal entry points, legal interaction parameters, etc.

AVDL will be capable of describing any of these types of information.

List of Deliverables

  • First candidate AVDL specification posted for comment September, 2003
  • First candidate specification closed for comment 30 days after initial posting
  • AVDL 1.0 final specification posted December, 2003