May 28, 2003 (1:35 PM EDT)

OASIS Panel Will Develop Common Language For App Security

By Antone Gonsalves

International standards body OASIS said Wednesday that it has launched an effort to develop a common language for describing security problems in web applications.

The OASIS Web Application Security Technical Committee will develop a classification scheme for security troubles and a model for rating risks and for describing the threat and its impact. The panel will also develop the schema for creating a document that will contain the security information. The document schema will be based on extensible markup language, or XML.

Computer security companies that have joined the panel include NetContinuum, Qualys, Sanctum and SPI Dynamics. The group's first meeting is scheduled for July 3.

Today, network security advisories are published as ambiguous free text or in proprietary data files. In addition, different advisories often quantify the risk of a vulnerability on different scales, said Mark Curphey, chair of the WAS committee.
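To make the committee's goal concrete, here is an added example (not code from OASIS, the WAS committee, or the article) that reads advisories in a constructed XML layout carrying the four pieces the article lists, a classification, a threat description, an impact statement and a risk rating, and normalizes risk ratings expressed on different vendor scales onto one common level. The element names, the two vendor scales and the sample advisories are assumptions made for illustration; the article names no actual schema.

```python
"""Parse constructed web-application vulnerability advisories and
normalize their risk ratings onto a shared low/medium/high scale."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: two advisories from two hypothetical vendors that
# rate risk on different scales. The element and attribute names are an
# assumption for this example; they are not a published OASIS schema.
SAMPLE_ADVISORIES = """<?xml version="1.0"?>
<advisories>
  <advisory id="EXAMPLE-2003-0001" vendor="vendorA">
    <classification>input-validation/sql-injection</classification>
    <threat>Login form passes unvalidated parameters to a database query.</threat>
    <impact>Read access to the user table.</impact>
    <risk scale="numeric-1-10">8</risk>
  </advisory>
  <advisory id="EXAMPLE-2003-0002" vendor="vendorB">
    <classification>session-management/fixation</classification>
    <threat>Session identifier is accepted from the URL before login.</threat>
    <impact>Account takeover of a user who follows a crafted link.</impact>
    <risk scale="text">Medium</risk>
  </advisory>
</advisories>
"""

REQUIRED_FIELDS = ("classification", "threat", "impact", "risk")

# Vendor text labels mapped onto the common scale (assumed labels).
TEXT_LEVELS = {"low": "low", "medium": "medium", "moderate": "medium",
               "high": "high", "critical": "high"}


@dataclass(frozen=True)
class Advisory:
    id: str
    vendor: str
    classification: str
    threat: str
    impact: str
    risk_level: str  # normalized: "low", "medium" or "high"


def normalize_risk(value: str, scale: str) -> str:
    """Map a vendor-specific risk value onto the common three-level scale."""
    v = value.strip()
    if scale == "numeric-1-10":
        n = float(v)
        if not 1 <= n <= 10:
            raise ValueError(f"risk {v!r} outside 1-10 range")
        if n >= 7:
            return "high"
        if n >= 4:
            return "medium"
        return "low"
    if scale == "text":
        try:
            return TEXT_LEVELS[v.lower()]
        except KeyError:
            raise ValueError(f"unknown text risk level {v!r}") from None
    raise ValueError(f"unknown risk scale {scale!r}")


def parse_advisories(xml_text: str) -> List[Advisory]:
    """Parse an <advisories> document, rejecting entries that omit a
    required element so that incomplete advisories never reach consumers.
    ET.fromstring is fine for this embedded sample; an advisory feed taken
    from the network is better parsed with a hardened parser such as defusedxml."""
    root = ET.fromstring(xml_text)
    parsed: List[Advisory] = []
    for el in root.findall("advisory"):
        adv_id, vendor = el.get("id"), el.get("vendor")
        if not adv_id or not vendor:
            raise ValueError("advisory without id or vendor attribute")
        fields: Dict[str, str] = {}
        for tag in REQUIRED_FIELDS:
            child = el.find(tag)
            text = (child.text or "").strip() if child is not None else ""
            if not text:
                raise ValueError(f"advisory {adv_id}: missing <{tag}>")
            fields[tag] = text
        risk_el = el.find("risk")
        level = normalize_risk(fields["risk"], risk_el.get("scale", ""))
        parsed.append(Advisory(adv_id, vendor, fields["classification"],
                               fields["threat"], fields["impact"], level))
    return parsed


def count_by_level(advisories: List[Advisory]) -> Dict[str, int]:
    """Summarize a batch of advisories by normalized risk level."""
    counts: Dict[str, int] = {"low": 0, "medium": 0, "high": 0}
    for adv in advisories:
        counts[adv.risk_level] += 1
    return counts


if __name__ == "__main__":
    for adv in parse_advisories(SAMPLE_ADVISORIES):
        print(f"{adv.id} [{adv.vendor}] {adv.classification}: {adv.risk_level}")
    print(count_by_level(parse_advisories(SAMPLE_ADVISORIES)))
```

The point of the normalization step is the one Curphey raises: vendor A's "8" and vendor B's "Medium" are only comparable once both are expressed on a scale the consumer defines, and a document that lacks any of the four required elements is rejected rather than silently passed along.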

The panel believes that a universal language will reduce confusion among law enforcement and government agencies, companies and other organizations, regardless of the software they use, Curphey said.

The effort by OASIS, which stands for the Organization for the Advancement of Structured Information Standards, is also expected to provide consistency in describing vulnerabilities that are sure to arise as companies build and deploy applications based on emerging web services standards, Ronald Schmelzer, analyst for high-tech researcher ZapThink LLC, said.

"This is critically important to the ongoing security of web services for a simple reason: implementing web services introduces a whole set of new vulnerabilities in systems that may be otherwise secure," Schmelzer said. "Web services are just abstracted interfaces to system functionality, and as such it becomes harder for systems to get a firm grasp on which users are requesting application functionality and whether or not they are authorized for that functionality."

The WAS committee will work in conjunction with an OASIS panel working on technology called the Application Vulnerability Description Language. AVDL is expected to provide a standard format for the way security products communicate. Combining the two technologies should provide a standard method for describing and communicating vulnerabilities across multi-vendor products, experts said.

In addition, the WAS panel will consider similar technologies submitted by outside groups. The Open Web Application Security Project (OWASP), for example, plans to submit its Vulnerability Description Language (VulnXML) to the OASIS panel. OWASP was formed by the open source community.
