July 30, 2003, 4:11 PM — A security industry effort to develop a common language to describe application security vulnerabilities moved one step closer to reality, as two security companies announced the completion of a new XML (Extensible Markup Language) schema for describing application vulnerabilities.
On Wednesday NetContinuum Inc. and SPI Dynamics Inc. said that they completed a cross-platform integration of SPI's WebInspect Enterprise Edition vulnerability testing software and NetContinuum's NC-1000 Web security gateway.
The integration allows vulnerability information from WebInspect scans to be read directly by the NC-1000, then turned into security policies and configuration changes that protect the vulnerable application.
At the heart of the integration is a new XML format that can contain specific information such as the type of server or file affected by a vulnerability, while isolating information such as the HTML (Hypertext Markup Language) or HTTP (Hypertext Transfer Protocol) methods or specific Web cookies involved in exploits, according to Wes Wasson, chief strategy officer at NetContinuum.
SPI modified WebInspect to output assessment information using the expanded format. NetContinuum changed the NC-1000 so that it could read the format and automatically parse it to create security policies, saving administrators the time and effort of having to build those policies manually, Wasson said.
WebInspect has long been able to output assessment data in XML format. However, that information was not structured or complete enough to translate into policies that could block attacks, he said.
Administrators still need to decide which policies to deploy, but the integration will save administrators the time and effort needed to translate vulnerability assessment data into new or modified rules and policies, Wasson said.
"It guarantees that the administrator has a policy that addresses the vulnerabilities identified in the scan," he said.
That is especially important given the growing tendency of hackers to target applications rather than network vulnerabilities and the weeks or months that are often needed for developers to code, test and release a software patch, according to Brian Cohen, chief executive officer of SPI Dynamics.
"You can't patch your way to success," he said.
With the help of the new XML schema, NetContinuum's NC-1000 device can block attacks until a patch is available, Cohen said.
"While, ultimately, you want to correct problems, you also want to have technology that can defeat attacks while they're occurring," he said.
Updated versions of WebInspect and the NC-1000 already support the new schema and the two companies have around 30 customers that use both products and are poised to take advantage of the integration.
One of those customers is container shipping company APL Ltd. of Singapore.
APL is currently evaluating both the NC-1000 and WebInspect products, said David Arbo, director of security at APL.
"Like most companies out there, we're putting a big push into move applications to Web-based interfaces," Arbo said.
As a result, APL is increasingly interested in understanding its exposure to attacks embedded in HTTP traffic, he said.
While the integration is too new to have been fully evaluated, it should make it easier for APL to do automated assessments of application vulnerabilities and enforce policies that protect against vulnerabilities at the application protocol level, Arbo said.
The efforts to develop the new schema may have a broader impact as well.
Both SPI and NetContinuum are members of Organization for the Advancement of Structured Information Standards' (OASIS's) AVDL (Application Vulnerability Description Language) Technical Committee, which is developing standardized descriptions of vulnerabilities designed to enable companies to deploy heterogenous but interoperable security technology.
The two companies submitted the results of their integration to the AVDL Technical Committee for consideration as part of the AVDL 1.0 specification, Cohen said.
The two companies are confident that their schema will be adopted into the AVDL 1.0 specification, but there will probably be additions to address application layer vulnerabilities that are not covered by the SPI Dynamics - NetContinuum integration, Wasson said.
AVDL Technical Committee members have been meeting regularly and provided feedback on the XML schema developed by the two companies, he said.
That could include application layer vulnerabilities involving protocols other than HTTP, such as DNS (Domain Name System) or FTP (File Transfer Protocol), he said.
