XML security standard touted at show

A group of application security vendors affiliated with the Organization for the Advancement of Structured Information Standards (OASIS) will next week announce a proposal for an XML standard for application vulnerabilities. The announcement will be made at the RSA Conference being held in San Francisco.

A group of application security vendors affiliated with the Organization for the Advancement of Structured Information Standards (OASIS) will next week announce a proposal for an XML standard for application vulnerabilities. The announcement will be made at the RSA Conference being held in San Francisco.

The group, made up of Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics and Teros, is promoting the development of the Application Vulnerability Description Language (AVDL), which is intended to standardize information about application vulnerabilities, enabling different products to share vulnerability information in a heterogenous network environment, according to a statement released by the five companies.

The AVDL group submitted its idea to OASIS for study. In turn, OASIS has created a technical committee to develop an XML definition for exchanging information on the security vulnerabilities of applications exposed to networks.

A draft specification from the AVDL Technical Committee is scheduled for September, with a final specification due in December, according to OASIS.

If widely adopted, the AVDL standards will enable customers to deploy diverse "best of breed" security technology to protect their network without having to sacrifice integration and interoperability, according to Wes Wasson, chief security strategy officer at NetContinuum.

Though initially intended to foster interoperability among the products of the five sponsoring companies, AVDL has the potential to be adopted by additional product platforms and to move further up the development chain, according to Brian Cohen, CEO of SPI Dynamics.

AVDL backers hope that development platform vendors and OASIS members such as Microsoft, BEA Systems and IBM will join the AVDL Technical Committee and help shape the development of the AVDL standard so that it can be easily integrated with their development environments, according to Cohen.

Asked about the potential of resistance from those large companies, or from companies that are wary of more standards, Wasson and Cohen said that demand from their customers was driving them to promote the AVDL standard.

"Customers are drowning in the complexity of the application security problem," Wasson said. "Our customers are driving this. They see it as a real business solution to real business problems."

Also at the conference, the Information Security Systems Association (ISSA) is making what it calls a "historic announcement." The group, an international non-profit organization made up of information security professionals and practitioners, will announce its intention to take over and complete development of the Generally Accepted Information Security Principles (GAISP).

The announcement is quite significant, according to Mike Rasmussen, vice president of marketing for ISSA and an analyst at Forrester Research.

"What GAAP (Generally Accepted Accounting Principles) is for the accounting world, (GAISP) is trying to be for the security world," Rasmussen said.

Originally formulated as the Generally Accepted System Security Principles (GASSP) in response to Recommendation No. 1 of the 1990 U.S. National Research Council report, "Computers at Risk," the standards were managed by the International Information Security Foundation (IISF) and are based on other existing guidelines such as those created by the Organization for Economic Cooperation and Development, according to information provided by ISSA.

IISF published so-called "pervasive principles" in 1992 that provided high-level recommendations on information security standards, accountability and ethics to business executives. Despite updating those principles again in 2002, the GASSP effort was flagging, according to Rasmussen.

By taking over the project and renaming the standards to the GAISP, ISSA hopes to breathe new life into the project.

The ISSA hopes to finish specific management guidelines and tactics for CIOs and chief information security officers that build on a set of pervasive principles. It will follow those with detailed principles that recommend activities for risk management and step-by-step instructions for IT staff.

In addition, ISSA will be working to bring the GAISP standards in line with ISO 17799 standards, which many companies are using to guide their security architectures, according to Rasmussen.

The GAISP project will be a massive undertaking, intended to provide security administrators with a single security framework that they can use to measure compliance with a wide range of international security standards and regulations, in addition to specific steps that can be followed to achieve and maintain compliance.

If successful, the GAISP project could help stem the confusion concerning security management, according to Rasmussen.

"Information security is becoming like OSHA," Rasmussen said, referring to the notoriously complicated rules of the U.S. Occupational Safety and Health Administration. "It's a management nightmare. These are practical standards for building and managing information security."

RSA will be the "formal kickoff" of the project, according to Rasmussen.

"We want to communicate a message to let people know that we are working," he said.

Join the discussion
Be the first to comment on this article. Our Commenting Policies