OASIS, a nonprofit standards body, said it will create an open data format that helps describe Web security vulnerabilities. The specification will include a classification scheme; a model providing guidance for threat, impact, and risk ratings; and an XML schema for describing security conditions. OASIS designed the specification for use by assessment and protection tools.
OASIS has assembled a new Web Application Security (WAS) Technical Committee to oversee development of the specification. The team will also consider contributions from other groups and companies. A spokesperson for OASIS said, "The Open Web Application Security Project (OWASP), an Open Source community group dedicated to helping government and industry understand and improve the security of Web applications and services, plans to submit its Vulnerability Description Language (VulnXML) to the new OASIS technical committee."
"Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways," explained Mark Curphey, chair of the OASIS WAS Technical Committee. "WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used."