Press Release

OASIS Works to Establish Classification Standards for Web Security Vulnerabilities

Boston, MA, USA; 28 May 2003 — Members of the OASIS standards consortium are uniting to create an open data format to describe Web application security vulnerabilities. The new OASIS Web Application Security (WAS) Technical Committee will produce a classification scheme for Web security vulnerabilities, a model to provide guidance for initial threat, impact and risk ratings, and an XML schema to describe Web security conditions that can be used by both assessment and protection tools.

"Gartner believes the OASIS WAS standard effort will play a key role in supporting innovation in security assessment tools and application-level intrusion prevention products," said John Pescatore, Vice President for Internet Security at Gartner Inc. "Having a standard vulnerability description language will allow enterprises to choose and integrate best-of-breed products to best address changing threat scenarios."

"Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways," explained Mark Curphey, chair of the OASIS WAS Technical Committee. "WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used."

OASIS WAS Technical Committee members include NetContinuum, Qualys, Sanctum, SPI Dynamics, and others. Participation remains open to all organizations and individuals, and OASIS will host an open mail list for public comment. The committee will hold its first meeting on 3 July 2003.

"WAS is complementary to the work of the OASIS Application Vulnerability Description Language (AVDL) Technical Committee, which was formed earlier this year to standardize the format for the way security products communicate. AVDL, using WAS vulnerability classification, will deliver a standard method for vulnerabilities to be described and communicated across multi-vendor products," noted Kevin Heineman of SPI Dynamics and Jan Bialkowski of NetContinuum, co-chairs of the OASIS AVDL Technical Committee.

In the interest of convergence, the OASIS WAS Technical Committee will consider contributions of related work from other groups and companies. The Open Web Application Security Project (OWASP), an Open Source community group dedicated to helping government and industry understand and improve the security of Web applications and services, plans to submit its Vulnerability Description Language (VulnXML) to the new OASIS technical committee.

Industry Support for OASIS WAS Technical Committee

"NetContinuum is a strong proponent of cross-vendor efforts like the OASIS WAS Technical Committee that create a more consistent classification and risk rating system for known application vulnerabilities," said Jan Bialkowski, CTO of NetContinuum. "This information will serve as an ideal input to existing standards efforts like AVDL and provide customers with a more standardized approach to application security."

"OASIS has helped significantly drive the adoption and direction of electronic business through its development of global standards, particularly those focused on security," said Gerhard Eschelbeck, Qualys CTO & VP of Engineering and member of the OASIS WAS Technical Committee. "The growing sophistication of security threats requires standards for classifying risk and determining the impact of new web security vulnerabilities. Qualys is committed to developing and incorporating such standards into its Web-based service for vulnerability management, providing solutions that truly meet the needs of customers."

"SPI Dynamics fully supports the efforts of the OASIS WAS Technical Committee to establish standards in the classification of application vulnerabilities. In conjunction with the efforts of the OASIS AVDL Technical Committee, these initiatives provide significant benefits to the customer in securing their Web applications by facilitating interoperability of best-of-breed, multi-vendor products. We look forward to implementing the standards from both of these groups into our Web application assessment product, WebInspect," said Kevin Heineman, VP of Engineering, SPI Dynamics.

About OASIS (http://www.oasis-open.org)

OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit, global consortium that drives the development, convergence, and adoption of e-business standards. Members themselves set the OASIS technical agenda, using a lightweight, open process expressly designed to promote industry consensus and unite disparate efforts. OASIS produces worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Founded in 1993, OASIS has more than 2,000 participants representing over 600 organizations and individual members in 100 countries.

Additional information:

OASIS WAS-XML Technical Committee http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

Cover Pages Technology Report: Application Security http://xml.coverpages.org/appSecurity.html

Press contact: Carol Geyer Director of Communications OASIS (www.oasis-open.org) carol.geyer@oasis-open.org +1.978.667.5115 x209