Because traditional security tools such as firewalls, VPNs and intrusion-detection systems inadequately protect against application-layer attacks, security managers are turning to next-generation application security products such as vulnerability scanners, application security gateways and patch management systems. However, these best-of-breed stand-alone systems still require individual and separate user interactions, leaving the overall security management process too manual, time-consuming and error-prone.
Application Vulnerability Description Language (AVDL) is a new security interoperability standard in development at the Organization for the Advancement of Structured Information Standards (OASIS). Proposed by leading application security vendors and users, AVDL defines a rich and consistent set of XML schema definitions for describing application security properties and vulnerabilities. Using AVDL, security tools and products from different vendors will be able to communicate, coordinate their security operations and automate security management.
AVDL integration creates a secure Web application environment that automates mundane security operations, such as patching and reconfiguration, to meet evolving application requirements and security policies. This frees security administrators to focus on higher-level policy analysis.
Because all new vulnerability alerts can be described consistently in AVDL, automation of security management also vastly reduces the incident response time, closing critical vulnerability windows and enhancing security posture. AVDL-based security alert bulletins will give users highly efficient access to the collective expertise of all participants in this field, where even the largest organizations are challenged to keep up with rapid industry evolution.
The basic concept embodied in the AVDL schema is an application-level transaction, called a probe, which describes HTTP exchanges between browsers and Web application servers. Defined markup elements allow the HTTP messages to be specified in full detail at several levels of abstraction (as a raw byte stream, or parsed into HTTP header constructs). Such probes might specify valid and expected request-response exchanges between browsers and servers, or might specify application vulnerability exploits.
In the former case, traversal-step probes supply a host of information, including target URLs, links, cookies and other headers, as well as query or form parameters, their attributes and ranges of legitimate values. The traversal probes can be used to automate enforcement of safe usage policies.
In the latter case, vulnerability probes highlight questionable constructs and supply detailed specifications of vulnerabilities, including a human-readable description and machine-readable assessment information such as severity, applicability and history. The vulnerability probes supply the information needed to configure protective "deny" rules, along with information about hot fixes (if any are available), workarounds and so forth that can be used to automate management of the remediation process.
In a typical usage scenario, a security scanner maps out the application and detects its flaws and vulnerabilities. The scanner then sends its assessment in the form of a set of AVDL probes to other security devices. The recipients, such as patch management systems or security gateways, use the AVDL input to automatically generate configuration recommendations.
The process prevents accidental omissions and mistakes inherent in manual interventions. Ultimately security administrators manage the process by rejecting, modifying or approving the recommended operations.
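To make the scanner-to-gateway hand-off concrete, here is an added example that is not part of the original article or of the OASIS AVDL schema: it parses a constructed, simplified AVDL-style document whose element and attribute names are assumed for illustration only, turns traversal steps into parameter allow rules and vulnerability probes into deny rules with a remediation note, and leaves every recommendation unapproved until an administrator signs it off.

```python
import xml.etree.ElementTree as ET

# Constructed sample document. Element and attribute names are ASSUMED for
# illustration only and are NOT the real OASIS AVDL schema.
SAMPLE_AVDL = """<probes>
  <traversal-step url="/account/view" method="GET">
    <param name="id" type="int" min="1" max="99999"/>
  </traversal-step>
  <vulnerability-probe url="/account/view" method="GET" severity="high">
    <description>id parameter accepts non-numeric input</description>
    <param name="id" value="abc"/>
    <fix available="no"/>
  </vulnerability-probe>
</probes>"""

def parse_probes(xml_text):
    """Split an AVDL-style document into traversal steps and vulnerability probes."""
    root = ET.fromstring(xml_text)
    steps = [{"url": s.get("url"), "method": s.get("method"),
              "params": [dict(p.attrib) for p in s.findall("param")]}
             for s in root.findall("traversal-step")]
    vulns = [{"url": v.get("url"), "method": v.get("method"),
              "severity": v.get("severity"),
              "description": v.findtext("description", ""),
              "param": v.find("param").get("name"),
              "fix_available": v.find("fix").get("available") == "yes"}
             for v in root.findall("vulnerability-probe")]
    return steps, vulns

def recommend_rules(xml_text):
    """Turn probes into gateway rule recommendations. Every rule starts
    unapproved: the administrator rejects, modifies or approves it."""
    steps, vulns = parse_probes(xml_text)
    rules = []
    for s in steps:  # traversal steps -> allow rules with legitimate value ranges
        for p in s["params"]:
            rng = (int(p["min"]), int(p["max"])) if "min" in p and "max" in p else None
            rules.append({"action": "allow", "url": s["url"], "method": s["method"],
                          "param": p["name"], "type": p.get("type"),
                          "range": rng, "approved": False})
    for v in vulns:  # vulnerability probes -> deny rule plus remediation note
        remediation = "apply available fix" if v["fix_available"] else "workaround until fix ships"
        rules.append({"action": "deny", "url": v["url"], "method": v["method"],
                      "param": v["param"], "severity": v["severity"],
                      "remediation": remediation, "approved": False})
    return rules

def approve(rules, index):
    """Administrator sign-off; returns only the rules cleared for deployment."""
    rules[index]["approved"] = True
    return [r for r in rules if r["approved"]]
```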
AVDL technology delivers on its promise of reducing time, effort and cost, while improving accuracy, reliability and ultimately the security of the installations. Several vendors will demonstrate interoperability of their products at this week's RSA Conference to highlight the growing maturity and commercial viability of AVDL automation.
Participants in the application security field (users, vendors and researchers) are invited to bring their experience and expertise to shape the future of AVDL and the security community.
Bialkowski is CTO of NetContinuum. Heineman is vice president of engineering at SPI Dynamics. They are co-chairs of the OASIS AVDL Technical Committee and can be reached at firstname.lastname@example.org and email@example.com, respectively.
Learn more about this topic:
Application Vulnerability Description Language: more info on the proposed standard.
AVDL technical committee: OASIS page, includes an AVDL FAQ.