The 10,000 people expected to attend the RSA Conference 2004 this week in San Francisco will be treated to new approaches to the age-old security problems of fixing vulnerabilities and verifying user identities.
At last year's RSA Conference, the Organization for the Advancement of Structured Information Standards (OASIS) launched an effort to define application vulnerabilities in a common XML-based format (see this week's Tech Update on AVDL). The goal was not only to have vulnerability-assessment tools define problems the same way but automatically share the information with patch management products and application-layer firewalls so holes can be plugged quickly.
OASIS' efforts will come to fruition at this year's show when it announces the completion of Application Vulnerability Description Language (AVDL) Version 1.0. Security vendors backing AVDL will demonstrate how AVDL addresses Web vulnerabilities.
Citadel, NetContinuum, Spi Dynamics and other vendors on the show floor will transmit XML-based information between their various scanning tools, patch products and application firewalls.
The U.S. Department of Energy plans to use AVDL messages as the basis for computer-incident advisories.
"We'd like to see all vendor and patch-management information in the same format," says John Diaz, security consultant at the Department of Energy. The department keeps a vulnerability database and plans to put what it calls "AVDL listeners" on its Oracle-based portal this spring to push out vulnerability alerts to departmental security teams.
"Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice," says Gartner analyst John Pescatore, who will participate in panel discussions about AVDL at the show. "New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites."
As part of an interoperability demonstration, NetContinuum will show how its application-layer firewall can receive an AVDL message from Spi Dynamics' WebInspect vulnerability-assessment tool and automate a blocking function to prevent the hole from being exploited.
Spi Dynamics also will announce a distributed version of WebInspect it calls Assessment Management Platform, which will be able to inspect hundreds of Web applications and servers across various locations from a central management console. That product is scheduled to ship next quarter.
"If Spi Dynamics discovers a vulnerability and sends it over in AVDL format, NetContinuum would take that information and automate the blocking," says Wes Wasson, NetContinuum vice president of marketing.
He notes that AVDL, which OASIS is expected to approve next month, likely will evolve to include use of digital signatures - a way to verify the identity of the sender.
Not all patch management vendors, though, are gung-ho about AVDL.
For example, PatchLink this week is expected to introduce Version 6.0 of its Update product, which handles patch distribution across multiple remote offices from a central point. The vendor has no immediate plans to add AVDL support.
PatchLink's scanning tool shares data with its patch-updating product, says Chris Andrews, vice president of product management. "AVDL could be something we'd do in the future, though," he adds.
Proof of identity
Another topic that will be front and center at the conference is dealing with the ever-thornier problem of user identity. While simple passwords are used for many networks and applications, they can be shared or stolen. When stronger authentication is required, corporations turn to palm-sized hardware tokens that can generate dynamic passwords that are different - and hence more secure - every time a password is needed.
Smart cards or USB tokens that hold public-key infrastructure (PKI) certificates also can be used to prove identity through cryptographic processes. There are also hybrid tokens that do it all. When a dynamic password is transmitted over a network as the user credential, a special server - such as RSA Security's ACE/Server for the SecurID token authentication - is needed to verify the one-time password is correct.
But adapting applications to use PKI, dynamic-password tokens and smart-card-based authentication can be time-consuming and expensive for IT departments. To address that, Microsoft and RSA (which manages the annual RSA Conference) this week are expected to announce an agreement to add RSA's authentication technology into Microsoft applications and management software.
That has other token vendors concerned. Mark Griffiths, vice president of authentication services at VeriSign Security Services, worries that RSA will "have a captive market" with Microsoft's technology integration. "This would be a lot different than just having an RSA plug-in for the desktop for Microsoft," he says. VeriSign this week is expected to announce plans to offer its own hardware-based authentication tokens.
VeriSign also intends to offer Internet-based authentication services later this year through its 13 worldwide data centers as an outsourced service for companies that want strong authentication with trading partners and employees. This would spare corporations from having to set up their own authentication systems.
Griffiths adds that there is a need to foster interoperability across token vendors' products, so VeriSign is organizing an industry-standards effort called Open Authentication. All the token vendors' products "use a different reference architecture," Griffiths says. "Some are time-based, some are sequence-based, using different algorithms in a sequence of keys."
Smart-card token manufacturers Authenex, Gemplus and Schlumberger are expected to be among those announcing support for the Open Authentication effort this week.
In addition, IBM says it intends to add support for the VeriSign online authentication services into its Tivoli Identity Manager software.
Burton Group analyst Trent Henry says VeriSign's Open Authentication standardization effort addresses a user need for client/server token-based authentication to work across vendor boundaries. But he adds, "I don't know if VeriSign has the industry clout in this area" to drive the effort.
Microsoft's Bill Gates will give the RSA Conference keynote address in which he's expected to offer Microsoft's views on security issues such as authentication. There might be a live demo of software that Microsoft plans to have out later this year in beta.