In Brief

AVDL: Watch Your Language

The AVDL standard may help infosecurity devices create better defenses by sharing information

By Bob Violino

May 01, 2004, CSO — A group of information security vendors is pushing an XML-based interoperability standard for vulnerability data, aiming for industry-wide acceptance. The final draft of the standard, called Application Vulnerability Description Language (AVDL), was approved by the Organization for the Advancement of Structured Information Standards, or Oasis, in February and was under public review throughout March. Proponents say AVDL is gaining momentum among security vendors and enterprises. With up to 40 new patches and vulnerabilities announced every week, security managers have an increasingly small window in which to react to vulnerabilities.

The XML specification defines and classifies application vulnerabilities in a standardized form that can be understood and used by security products throughout the application-security lifecycle. The standard is designed to make it easier for application-development tools to share information about potential security risks in the preproduction phase; application firewalls to set policies based on new vulnerabilities; security auditors to compare vulnerability reports and security event logs from disparate products; and patching products to read vulnerability assessments from different scanning tools.

Among the primary vendors driving the effort are Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics and Teros. Others involved in the standards development effort include Bank of America, Cisco Systems, IBM, Microsoft and the U.S. Department of Energy (DoE). Some of the security vendors have demonstrated AVDL-enabled products to show how the standard allows disparate products to work together and exchange data.

Security executives applaud the efforts. "Any commonality between security platforms is going to be helpful to us," says Edward Liebig, assistant vice president of global IS security at Manufacturers Life Insurance. "For example, when companies have proprietary operating systems, their error logs all mean something different. When you try to troubleshoot programs, you don't want to need experts in everything. You'd rather have a common language between all these products." Liebig says Manulife has deployed or is considering products that will use the standard, including SPI Dynamics' WebInspect.

This spring, the DoE's Computer Incident Advisory Capability (CIAC) response team will launch a Security Incident Response Portal based on a Web-services architecture that is "AVDL-aware." The portal will automatically interpret new alerts published in AVDL format and disseminate the information to DoE security managers, ensuring they receive only alerts relevant to their environments.
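The two use cases above, auditors comparing reports from different scanners and a portal that forwards only the alerts relevant to an environment, both rest on every producer emitting the same vocabulary. The following Python is an added illustration, not code from the article, from Oasis or from any vendor named here. It uses a constructed, simplified XML vocabulary (`vuln-report`, `finding`, `affects`) that stands in for a shared format; these element names are hypothetical and are not the AVDL schema. The two scanner reports are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample reports from two hypothetical scanners. The element and
# attribute names are a simplified illustrative vocabulary, NOT the AVDL schema.
SCANNER_A = """\
<vuln-report producer="scanner-a">
  <finding id="A-1" severity="high">
    <affects product="webapp-server" version="2.1"/>
    <class>sql-injection</class>
    <location>/login</location>
  </finding>
  <finding id="A-2" severity="low">
    <affects product="mailer" version="4.0"/>
    <class>information-disclosure</class>
    <location>/status</location>
  </finding>
</vuln-report>
"""

SCANNER_B = """\
<vuln-report producer="scanner-b">
  <finding id="B-7" severity="critical">
    <affects product="webapp-server" version="2.1"/>
    <class>sql-injection</class>
    <location>/login</location>
  </finding>
  <finding id="B-9" severity="medium">
    <affects product="webapp-server" version="3.0"/>
    <class>cross-site-scripting</class>
    <location>/search</location>
  </finding>
</vuln-report>
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_report(xml_text):
    """Parse one report into a list of flat finding dicts."""
    root = ET.fromstring(xml_text)
    producer = root.get("producer", "unknown")
    findings = []
    for f in root.findall("finding"):
        affects = f.find("affects")
        findings.append({
            "producer": producer,
            "id": f.get("id"),
            "severity": f.get("severity", "low").lower(),
            "product": affects.get("product"),
            "version": affects.get("version"),
            "class": f.findtext("class", "").strip(),
            "location": f.findtext("location", "").strip(),
        })
    return findings


def merge_findings(reports):
    """Merge findings from several scanners. The same (product, version,
    class, location) is one issue: keep the highest severity and record
    every scanner that reported it, so auditors can compare coverage."""
    merged = {}
    for xml_text in reports:
        for f in parse_report(xml_text):
            key = (f["product"], f["version"], f["class"], f["location"])
            entry = merged.setdefault(key, {
                "product": f["product"], "version": f["version"],
                "class": f["class"], "location": f["location"],
                "severity": f["severity"], "reported_by": [],
            })
            entry["reported_by"].append(f"{f['producer']}:{f['id']}")
            if SEVERITY_RANK.get(f["severity"], 0) > SEVERITY_RANK.get(entry["severity"], 0):
                entry["severity"] = f["severity"]
    return list(merged.values())


def relevant_findings(reports, inventory):
    """Keep only merged findings whose product and version are actually
    deployed, ordered by severity (highest first). `inventory` maps a
    product name to the set of deployed versions."""
    out = [m for m in merge_findings(reports)
           if m["version"] in inventory.get(m["product"], set())]
    out.sort(key=lambda m: -SEVERITY_RANK.get(m["severity"], 0))
    return out


if __name__ == "__main__":
    # Constructed inventory: only webapp-server 2.1 and dns-cache 1.0 are deployed.
    deployed = {"webapp-server": {"2.1"}, "dns-cache": {"1.0"}}
    for m in relevant_findings([SCANNER_A, SCANNER_B], deployed):
        print(m["severity"], m["product"], m["version"], m["class"],
              m["location"], "reported by", ", ".join(m["reported_by"]))
```

With the sample inventory only the SQL injection finding on webapp-server 2.1 survives the filter, and because both scanners reported it the merged entry lists both source ids and carries the higher of the two severities. The inventory filter is the step a portal like the one described above would perform before forwarding an alert.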
