In-Depth

Web Services: Protecting Yourself from Partners' Security Problems

OASIS unveils XML schema to provide initial threat, impact, and risk ratings guidance in consistent manner

• By Mathew Schwartz
• 06/04/2003

The Organization for the Advancement of Structured Information Standards (OASIS), a global consortium that sets worldwide standards for security, Web services, conformance, business transactions, electronic publishing, topic maps, and interoperability within and between marketplaces, announced its members are creating a new, open data format to describe Web application security vulnerabilities. The model will provide initial threat, impact, and risk ratings guidance for companies, as well as an XML schema to describe Web security conditions that can be used by both assessment and protection tools.

The goal of the web applications security (WAS) standard will be to reduce the amount of redundant information produced for security vulnerability alerts, and simplify the process of understanding which systems are affected. In particular, the application vulnerability description language, as it’s also known, will create a uniform way of describing application security vulnerabilities through the XML format.

“The growing sophistication of security threats requires standards for classifying risk and determining the impact of new Web Security vulnerabilities,” notes Gerhard Eschelbeck, chief technology officer and vice president of engineering of security audit company Qualys Inc. in Redwood Shores, Calif.

The potential of Web Services is to increase the flow and automation of information exchange between Web servers, or between servers and people. Unfortunately, tying different servers together—often across different corporate firewalls—means that organizations are exposed to a greater range of security threats. What starts out as a breach in a partner’s Web server can quickly work its way into a Web Services partner’s server, or an attacker can compromise the integrity of data flowing between servers, potentially sabotaging important information. In a supply chain, for example, incorrect inventory requests could trigger unwanted manufacturing operations, with grave financial consequences.

To deal with potential Web Services threats, organizations need more automated, standardized ways of disseminating security warnings, say experts.

“Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways,” notes Mark Curphey, chair of the OASIS WAS Technical Committee.

What’s needed, he says, is consistency. “WAS will allow vulnerabilities to be published and received in a consistent manner.” As a result, “risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used.”

This approach means all organizations get immediate access just to the information they need; they can ignore the rest. In addition, because the information is in XML format, organizations can create filters so different types of security threats automatically trigger appropriate organizational responses.

Vendors can also build similar functionality into their products, says John Pescatore, vice president for Internet Security at Gartner Inc. in Stamford, Conn. “The OASIS WAS standard effort will play a key role in supporting innovation in security assessment tools and application-level intrusion prevention products.” In fact, he says, having a “standard vulnerability description language” will aid IT buyers in evaluating and selecting product features and purchasing what best suits their environment.

OASIS WAS Technical Committee members include NetContinuum, Qualys, Sanctum, SPI Dynamics, and others. The committee will hold its first meeting in July.

For more information, see the OASIS WAS-XML Technical Committee Web site:http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=was

Related ESJ Stories:

Communicator Unveils First Liberty Product
http://info.101com.com/default.asp?id=232

Securing Web Services
http://www.esj.com/columns/article.asp?EditorialsID=96