Security companies are working together to create a standard protocol that will enable all information about holes and vulnerabilities to be shared.
Progressing from an idea to a published Oasis standard in less than a year, the AVDL (application vulnerability description language) specification must be one of the quickest IT standards ever created.
Three vendors in the emerging field of application-layer security are showing their products working together at the RSA security show this week. In addition - and most unusually of all for a standard at this stage of development - at least one user, the US Department of Energy's IT security group, has committed to using it.
The AVDL 1.0 specification is in the final stages of Oasis approval and the three vendors in question -Citadel, NetContinuum and SPI Dynamics - have already implemented the draft AVDL specification into their product lines.
"AVDL is a lifecycle play," said Brian Cohen, chief executive of SPI Dynamics. "It is extremely important to identify problems early." AVDL shares data on vulnerabilities in Web-based applications, so tools like firewalls, intrusion detection systems and remediation systems can respond better and other security tools can be co-ordinated. The result is less manual intervention and quicker fixes, according to the group.
This display of co-operation, in a cutthroat market, has come about through self-interest. Attacks at the application layer are increasing and the AVDL group are small start-ups that have come out with specialist tools that scan application software for weaknesses, block applications layer attacks and fix the holes through patch management.
By linking their products, these vendors hope to reassure users entering this new area. "Users can select the best point products rather than being locked in to one vendor's products," said Cohen. Inter-communication will also mean less manual user intervention is required.
The next step the group would like to see is users adopting AVDL for in-house security processes, and larger vendors adding AVDL interfaces to business software, so their security needs can be better met by application security tools.
"If this sounds like something you might want, get on board and ask your application vendors when they are supporting AVDL," said Wes Wasson, chief strategy officer at NetContinuum. One user, the US Department of Energy's security incident response service, plans to AVDL-enable an incident response portal, so that reported vulnerabilities can be handled more efficiently.
“Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice,” said John Pescatore, a vice president at Gartner. “New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites.”
AVDL is an XML schema that describes web application security properties and vulnerabilities, so they can be communicated between security tools. The Oasis group, which evolved from an organization dedicated to the generalised mark-up language, SGML, has a lot of experience in XML standards, including one for Web services security and another for describing whole modular IT rooms.
AVDL members include a spread of functions, including Cenzic, which handles quality assurance, Citadel's automated remediation product, event management from GuardedNet, a security gateway from NetContinuum, a firewall from Teros, audits and vulnerability management from Qualys, and testing from SPI Dynamics. Services company WhiteHat has also got involved.