Security firms seek common tongue

A standards body plans to build a universal format for communicating the risk associated with network security problems.

Martin LaMonica Former Staff writer, CNET News
A group of computer security companies plans to create a standardized way to share information on potential network security problems.

The Organization for the Advancement of Structured Information Standards, or OASIS, on Wednesday announced the formation of the Web Application Security (WAS) technical committee, which will develop a model and a data format for describing security problems. The planned standard will convey information via an XML document to classify and rate the risks of vulnerabilities once they are discovered.

The companies participating in the OASIS WAS technical committee include NetContinuum, Qualys, Sanctum, and SPI Dynamics.

Right now, security advisories are published in a variety of formats, which hampers effective communication across different organizations, Mark Curphey, chair of the OASIS WAS Technical Committee, said in a statement. Corporations, as well as government institutions and law enforcement agencies, count on rapid access to security information in order to patch network holes that are vulnerable to hacks or break-ins.

"WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies and organizations, regardless of which tools or technologies are used," Curphey said.

The need for a better way of sharing data on security risks is becoming increasingly important, particularly as the use of Web services takes hold, said Ron Schmelzer, an analyst at ZapThink.

Web services applications use standardized means to make it easier to share information between applications. That simplified data exchange will usher in many more security problems, which creates a growing need to effectively communicate vulnerabilities, he said.

Web services applications "will continuously need to be on the lookout for security vulnerabilities and interact with each other to provide a cohesive network of secured systems," said Schmelzer.

The proposed WAS specification will work in conjunction with other standards under development at OASIS, including the Application Vulnerability Description Language (AVDL). The WAS specification will define how information will be shared, while AVDL will describe the potential vulnerability.

By combining WAS with AVDL, companies that track network security problems will have a common format for understanding the severity of vulnerabilities, according to OASIS.

The WAS Technical Committee will consider related work from other groups and companies, including a similar language under development at the open-source Open Web Application Security Project.