prot: Security HeadLines: Web Services: Protecting Yourself from Partners' Security Problems
OASIS unveils XML schema to provide initial threat, impact, and risk ratings guidance in consistent manner
The Organization for the Advancement of Structured Information Standards (OASIS), a global consortium that sets worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps, and interoperability within and between marketplaces, announced its members are creating a new, open data format to describe Web application security vulnerabilities. The model will provide initial threat, impact, and risk ratings guidance for companies, as well as an XML schema to describe Web security conditions that can be used by both assessment and protection tools.
June 04, 2003
By Mathew Schwartz
The goal of the web applications security (WAS) standard will be to reduce the amount of redundant information produced for security vulnerability alerts, and simplify the process of understanding which systems are affected. In particular, the application vulnerability description language, as it’s also known, will create a uniform way of describing application security vulnerabilities through the XML format.
“The growing sophistication of security threats requires standards for classifying risk and determining the impact of new Web Security vulnerabilities,” notes Gerhard Eschelbeck, chief technology officer and vice president of engineering of security audit company Qualys Inc. in Redwood Shores, Calif.
The potential of Web Services is to increase the flow and automation of information exchange between Web servers, or between servers and people. Unfortunately, tying different servers together—often across different corporate firewalls—means that organizations are exposed to a greater range of security threats. What starts out as a breach in a partner’s Web server can quickly work its way into a Web Services partner’s server, or an attacker can compromise the integrity of data flowing between servers, potentially sabotaging important information. In a supply chain, for example, incorrect inventory requests could trigger unwanted manufacturing operations, with grave financial consequences.
To deal with potential Web Services threats, organizations need more automated, standardized ways of disseminating security warnings, say experts.
Article continues...
Enterprise Systems
Posted on Wednesday, 04 June 2003 @ 07:05:00 EDT by cj