The Application Vulnerability Description Language 1.0 specification is nearing completion according to the companies driving the standard, which will demonstrate its uses during the RSA Conference 2004 this week in San Francisco.
Since development of AVDL was launched, by five young security firms, under the umbrella of the OASIS standards body last April, the project has attracted some bigger-name supporters, including Microsoft, IBM and Cisco.
“We’re now seeing larger partners and even end users starting to adopt the spec,” said Wes Wasson, chief strategy officer at NetContinuum Inc, one of the project’s leaders. “We’re seeing adoption a lot sooner than we expected a year ago.”
AVDL will be a standard XML-based way to represent information about application vulnerabilities. Version 1.0 will cover vulnerabilities exploitable via HTTP, but other protocols, possibly FTP, DNS or SMTP, will likely be added in future.
AVDL documents can be shared by vulnerability scanners, quality assurance tools, application firewalls, and vulnerability remediation systems. The idea is to make it faster to identify problems with applications and then mitigate the associated risk.
For example, data about a vulnerability found with a scanner could be imported to an application firewall and used to create a policy to block exploits, or imported by a vulnerability remediation tool that could recommend a fix.
Eight firms will announce support for AVDL today: NetContinuum, Citadel, Qualys, White Hat, Teros, GuardedNet, Cenzic and SPI Dynamics. The US Department of Energy will also announce a portal that could help drive AVDL adoption.
The DoE’s Computer Incident Advisory Capability currently aggregates and filters vulnerability advisories from a multitude of vendors and researchers, on behalf of the government systems administrators that subscribe to its service.
CIAC hopes to encourage vendors to issue AVDL descriptions of newfound vulnerabilities, by AVDL-enabling its portal using web services. The agency says this will allow more automation and easier filtering of potential threat data.
This article is based on material originally published by ComputerWire.