The companies – Teros, NetContinuum, SPI Dynamics, Citadel and GuardedNet – have created the Application Vulnerability Description Language project, in order to create a way for their software to exchange messages about security holes.

For a standards process to be initiated by a group of private startups is a rare occurrence indeed, but the companies feel confident they can attract big names to their cause. Several firms are expected to express support this week.

"For long-term sustained support we would need the big application platform vendors," Wes Wasson, NetContinuum's chief strategy officer, told ComputerWire, "the BEAs and Microsofts of the world."

SPI's CEO Brian Cohen added: "The fact is, there aren't any large companies in this space. Most of the large security companies are focused on network-level security problems, while application security is a problem being tackled by startups."

AVDL will be used in four types of product, technical committee co-chairs NetContinuum and SPI said – application vulnerability assessment, remediation and patch management, application security gateways and security event management.

These four categories (find, fix, block, report) are all represented by the five companies involved in the project: Teros and NetContinuum compete in the block category, Citadel fixes, GuardedNet reports and SPI finds.

Wasson said that the companies expect the first version of AVDL to be finished by the end of the year, but that pre-standard versions of the spec will be incorporated in products from the participating companies before then.

The spec will provide a common way to classify application vulnerabilities. For example, a vulnerability assessment tool could find a security hole, and create a file that could be read by a security gateway or a remediation system.

AVDL will not tread on the toes of other common vulnerability description specs such as CVE or VulnXML, the co-chairs said. "We're taking it to the next level," Wasson said. "It's not so much about researchers classifying new vulnerabilities, as about working with that information in a live network."

Source: Computerwire