Application Security Leaders Announce Support for AVDL OASIS Committee Draft

Cenzic, Citadel, Department of Energy CIAC, GuardedNet, NetContinuum, Qualys,
  SPI Dynamics, Teros and WhiteHat Among Growing Number of Organizations To
                                 Support AVDL

    RSA Conference, SAN FRANCISCO, Feb. 23 /PRNewswire/ -- Leading application
security vendors and organizations Cenzic, Citadel, Department of Energy
Computer Incident Advisory Capability (CIAC), GuardedNet, NetContinuum,
Qualys, SPI Dynamics, Teros and WhiteHat Security, today announced support for
the new Application Vulnerability Description Language (AVDL) developed by the
OASIS international standards consortium. Growing vendor adoption of AVDL
gives security professionals far more freedom and flexibility in managing
application security risk and securing critical resources.
    AVDL enables application security products from different vendors to
easily and rapidly share data about security vulnerabilities. As originally
promised, less than one year after its initial proposal, the OASIS AVDL
Technical Committee (TC) has approved version 1.0 of the specification as a
Committee Draft.
    "Application vulnerabilities propagate so rapidly today that the old
methods of dealing with them no longer suffice," said John Pescatore, vice
president at Gartner. "New standards like AVDL offer one of the best hopes of
breaking this cycle by dramatically reducing the time between the discovery of
a new vulnerability and the effective response at enterprise sites."
    AVDL addresses the business problem of how companies manage ongoing
application security risk on a day-to-day basis. With application
vulnerabilities now accounting for 75 percent of all attacks, companies have
begun deploying a host of next-generation security tools to find application
vulnerabilities, block application-layer attacks, patch systems and manage
application security events. AVDL takes this protection one step further by
letting those products exchange vulnerability data at every stage of the
application lifecycle.
    Several vendors will be demonstrating AVDL interoperability of their
products at the 2004 RSA Conference to highlight the growing maturity and
commercial viability of AVDL automation. Members of the OASIS AVDL Technical
Committee -- Citadel, NetContinuum and SPI Dynamics -- have already
implemented the draft AVDL specification into their product lines and will
offer live demonstrations at each vendor's booth: Citadel #1610, NetContinuum
#510, and SPI Dynamics #1535.

    AVDL Technical Details
    AVDL provides a rich XML schema that fully describes web application
security properties and vulnerabilities. The basic concept embodied in the
schema is an application-level transaction, called a probe, which describes a
multi-step exchange between a client and a web application server. Such probes
may specify valid and expected request-response exchanges between browsers and
servers, or may specify application vulnerability exploits.
    The probe format gives security devices a precise, unambiguous way to
exchange findings at every stage of the application lifecycle: development,
testing, implementation, production and audit.
    For example, a security scanner maps out the application and detects its
flaws and vulnerabilities. The scanner then sends its assessment, as a set of
AVDL probes, to other security devices. The recipients, such as patch
management systems or security gateways, use the AVDL input to generate
configuration recommendations automatically, avoiding the omissions and
mistakes of manual configuration that are a significant source of security
holes. Security administrators remain in control of the process: they reject,
modify or approve each recommended operation before it takes effect. Because a
probe can carry a working exploit exchange, an AVDL assessment should be
handled as sensitive data wherever it is stored or transmitted.
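The scanner-to-gateway flow described above, as an added example in Python that is not code from the AVDL specification or from any vendor's product: a document of probes is parsed, each exploit probe is turned into a recommended allow-list rule modelled on the expected exchange for the same path and parameter, an operator approves or rejects each rule, and the gateway enforces only approved rules, in passive (log) or active (block) mode. The XML element names, the host app.example.test, the paths and the payload are constructed assumptions for this example and are not the AVDL 1.0 schema.

```python
"""AVDL-style workflow: scanner publishes probes, gateway derives recommended
policy, an operator approves each rule, then the gateway enforces it
(passive mode logs, active mode blocks). Added example, not code from the AVDL
specification or any vendor product; the XML layout and element names are
simplified assumptions, NOT the OASIS AVDL 1.0 schema, and all data is constructed."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed scanner output: one valid exchange and one exploit exchange
# against the same resource and parameter.
SCANNER_XML = """<?xml version="1.0"?>
<probes target="http://app.example.test">
  <probe id="p1" kind="expected">
    <request method="GET" path="/account"><param name="id">10042</param></request>
    <response status="200"/>
  </probe>
  <probe id="p2" kind="exploit" class="input-validation">
    <request method="GET" path="/account"><param name="id">10042' OR '1'='1</param></request>
    <response status="200"/>
  </probe>
</probes>
"""

@dataclass
class Probe:
    probe_id: str
    kind: str        # "expected" (known-good exchange) or "exploit"
    method: str
    path: str
    params: dict
    status: int

@dataclass
class Rule:
    rule_id: str
    path: str
    param: str
    pattern: str     # regex the parameter value must fully match
    approved: bool = False

def parse_probes(xml_text):
    """Parse the (hypothetical) probe document into Probe records."""
    probes = []
    for p in ET.fromstring(xml_text).findall("probe"):
        req, resp = p.find("request"), p.find("response")
        probes.append(Probe(p.get("id"), p.get("kind"), req.get("method"),
                            req.get("path"),
                            {e.get("name"): e.text or "" for e in req.findall("param")},
                            int(resp.get("status"))))
    return probes

def _pattern_for(value):
    """Derive a positive-security pattern from a known-good value."""
    if value.isdigit():
        return r"[0-9]{1,%d}" % len(value)
    if value.isalnum():
        return r"[A-Za-z0-9]{1,%d}" % len(value)
    return re.escape(value)

def recommend(probes):
    """For each exploit probe, recommend an allow-list rule for the targeted
    parameter, modelled on the expected exchange for the same path and parameter.
    With no known-good value, fall back to rejecting the exploit value literally."""
    expected = {(p.path, n): v for p in probes if p.kind == "expected"
                for n, v in p.params.items()}
    rules = []
    for p in probes:
        if p.kind != "exploit":
            continue
        for name, bad in p.params.items():
            good = expected.get((p.path, name))
            pattern = _pattern_for(good) if good is not None else r"(?!%s$).*" % re.escape(bad)
            rules.append(Rule("r-%s-%s" % (p.probe_id, name), p.path, name, pattern))
    return rules

def review(rules, decisions):
    """Operator step: only explicitly approved rules become enforceable."""
    for r in rules:
        r.approved = decisions.get(r.rule_id, False)
    return [r for r in rules if r.approved]

def evaluate(rules, path, params, mode="passive"):
    """Gateway decision for one request: ("allow"|"log"|"block", rule_id)."""
    for r in rules:
        if not r.approved or r.path != path or r.param not in params:
            continue
        if re.fullmatch(r.pattern, params[r.param]) is None:
            return ("block" if mode == "active" else "log", r.rule_id)
    return ("allow", None)

if __name__ == "__main__":
    recs = recommend(parse_probes(SCANNER_XML))
    for r in recs:
        print("recommend %s: %s?%s must match ^%s$" % (r.rule_id, r.path, r.param, r.pattern))
    live = review(recs, {"r-p2-id": True})     # operator approves the recommendation
    for mode in ("passive", "active"):
        print(mode, evaluate(live, "/account", {"id": "10042' OR '1'='1"}, mode))
```

Run it directly to see the recommendation and the decision in each mode. Two points carry over to a real deployment: a recommendation that nobody has approved is never enforced (the operator step is the safeguard the text describes), and a pattern derived from a single known-good value is deliberately narrow, so in practice it would be widened from several expected probes before being switched from passive to active mode.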

    How to Get Involved
    Participants in the application security field -- end users, vendors, and
researchers alike -- are invited to bring their experience and expertise to
help shape the future of AVDL and the security community. Organizations and
professionals are encouraged to contact the vendors they rely on for
application development, deployment and security and ask them when their
products will support AVDL. Security and application vendors interested in
implementing AVDL in their products can obtain additional information on how
to work with the specification at http://www.avdl.org. The OASIS AVDL Technical
Committee, http://www.oasis-open.org/committees/avdl, is open to all interested
parties.

    Specification Availability
    The OASIS AVDL Technical Committee has approved version 1.0 of the AVDL
Specification and related XML Schema as a Committee Draft. The prescribed
30-day public review period is underway. AVDL has already begun to gather
significant industry momentum with organizations from the private, government
and public sectors announcing support for the specification. Early support for
AVDL has been announced by a variety of vendors and organizations, including:

    Cenzic, Inc. (http://www.cenzic.com), a provider of application vulnerability
management solutions for custom and off-the-shelf enterprise applications,
plans to support AVDL. "AVDL is a good step toward standardization and could
make it easier for application security experts, network operators and QA
professionals to work together," said John Weinschenk, CEO at Cenzic. "We
believe standards are required in the application security space and we'll
plan on supporting any standards that help customers get more efficient in
their implementations."

    Citadel Security Software (http://www.citadel.com) (OTC Bulletin Board: CDSS), a
leader in automated vulnerability remediation and policy compliance solutions,
has implemented the AVDL standard in its Hercules product line. "As a provider
of vulnerability remediation and policy enforcement solutions, Citadel's goal
is to offer enterprise customers a full life cycle vulnerability management
solution," said Citadel CTO Carl Banzhof. "With the introduction of AVDL 1.0,
we extend our capability to provide interoperability between industry-leading
network and application security technologies and our vulnerability management
solutions. Private enterprise and public sector customers will benefit
enormously from the greater flexibility and consistency for implementing
security policies with a standard approach to managing vulnerability data."

    Department of Energy -- CIAC (http://www.ciac.org), the central security incident
response organization for the Department of Energy (DOE) and National Nuclear
Security Administration (NNSA), plans to AVDL-enable its new Security Incident
Response Portal. "CIAC plays a vital role in monitoring daily security alerts,
disseminating relevant information to our users and helping them respond
quickly to new threats," said John Dias, Senior Security Analyst at the
DOE-CIAC. Unfortunately, this process is far too labor-intensive today. "To help
address this growing problem, CIAC will debut a new Security Incident Response
Portal this spring based on a Web Services architecture that is AVDL-aware.
This will allow the CIAC Portal to automatically interpret new application
security alerts published in AVDL format and disseminate this information to
security managers far more quickly than is currently possible."

    GuardedNet, Inc. (http://www.guarded.net), a provider of security event
management software solutions, believes that implementing AVDL will further
enhance the company's ability to provide a common interface and taxonomy with
which to analyze and respond to security event data. "As providers of a
security event management platform, GuardedNet is a strong proponent of
standards for communicating security event data," said Rich Telljohann, vice
president of business development for GuardedNet. "We are a big supporter of
the AVDL initiative and are excited to see significant progress and industry
adoption of this standard."

    NetContinuum, Inc. (http://www.netcontinuum.com), a leading provider of
application security gateways and co-chair of the OASIS AVDL TC, has already
integrated AVDL into its product line. The company's new "AVDL Recommendation
Wizard" reads AVDL input and generates recommended security policies based on
the AVDL input the gateway received. Users then have the option to first run
the policy setting in passive mode, if preferred, before setting it to active
blocking mode. "AVDL is not a difficult standard to implement," said Jan
Bialkowski, CTO of NetContinuum and co-chair of the AVDL TC. "Since most
products already 'speak' XML, implementing AVDL is simply a matter of
rearranging the XML structure to fit the AVDL schema. The TC spent nearly a
year working through all the tough issues and various implementation scenarios
to ensure the AVDL schema would be easy to implement. The hard work is done
and AVDL is ready for broad adoption by security and application vendors,
alike."

    Qualys, Inc. (http://www.qualys.com), the market leader in on-demand network
security audits and vulnerability management, plans to add AVDL output
capabilities to its QualysGuard service. "As an early participant in the AVDL
process, Qualys is excited to see this important standard near completion,"
said Gerhard Eschelbeck, CTO and VP of engineering of Qualys. "AVDL provides
end users with a standardized way to view and share vulnerability information
that will ultimately simplify the security management processes."

    SPI Dynamics, Inc. (http://www.spidynamics.com), the expert in web application
security testing and enterprise security risk management, and co-chair of the
OASIS AVDL TC, has integrated AVDL 1.0 into its WebInspect product line,
enabling customers to export comprehensive application vulnerability
information in AVDL format. "We are pleased to see this broad-based support
for the AVDL initiative from additional leading application security vendors
and the larger software community," said Caleb Sima, co-founder and CTO of SPI
Dynamics. "With their assistance, our hope is to see AVDL's adoption grow so
that every application platform, development tool, and custom or packaged
application within the enterprise can generate a simple AVDL file indicating
the legitimate security parameters of that application. By reading these
files, any AVDL-compliant security product could automatically ensure
protection for each unique application, from the development phase to full
production."

    Teros, Inc. (http://www.teros.com), the company that secures web infrastructures
from application-level attacks, will be supporting AVDL in its web
application firewall appliance. "A standardized approach to application
vulnerability management and closer cooperation between layered security
technologies gives customers flexibility in their application security
choices," said Abhishek Chauhan, co-founder and CTO of Teros. "We support AVDL
and the ability for vulnerability information to be shared between multiple
application and network layer security systems."

    WhiteHat Security (http://www.whitehatsec.com), a leading provider of Web
application security software services, supports open standards like AVDL and
advocates the benefits of vendor interoperability. "Every time a code change is
made to a web application, there is a potential for new security
vulnerabilities," said Jeremiah Grossman, CEO of WhiteHat Security. "Whether
the web site is an online bank or eCommerce store, the security of the web
application is paramount to the security of confidential data. Web application
security is an incredibly complicated issue to manage and vendor cooperation
will help customers close the window of exposure."

    About AVDL
    The Application Vulnerability Description Language (AVDL), developed by
the OASIS international standards consortium, enables application security
products to easily communicate and share data regarding security
vulnerabilities. Supported by leading application security vendors and users,
the AVDL specification creates a uniform way of describing application
security vulnerabilities using XML. With a sharp focus on solving the
practical security problems security professionals face on a daily basis, AVDL
will help organizations reduce the time, effort, and cost of managing
application security products and vulnerabilities. Additional information on
AVDL is available at http://www.avdl.org and http://www.oasis-open.org/committees/avdl.

    CONTACT:  Sonya Hotaling of NetContinuum, +1-408-961-5657, or
sonya@netcontinuum.com; or Ashley Vandiver of SPI Dynamics, +1-678-781-4841,
or +1-404-432-8657, or avandiver@spidynamics.com.


SOURCE NetContinuum, Inc.