(May 28, 2003) - Members of the OASIS standards consortium are uniting to create an open data format to describe Web application security vulnerabilities. The new OASIS Web Application Security (WAS) Technical Committee will produce a classification scheme for Web security vulnerabilities, a model to provide guidance for initial threat, impact, and risk ratings, and an XML schema to describe Web security conditions that can be used by both assessment and protection tools.

"Gartner believes the OASIS WAS standard effort will play a key role in supporting innovation in security assessment tools and application-level intrusion prevention products," said John Pescatore, vice president for Internet Security at Gartner Inc. "Having a standard vulnerability description language will allow enterprises to choose and integrate best-of-breed products to best address changing threat scenarios."

"Currently, security advisories are published in ambiguous textual forms or proprietary data files. The same vulnerability is often described in several different ways, using different languages and contexts that quantify risks in different ways," explained Mark Curphey, chair of the OASIS WAS Technical Committee. "WAS will allow vulnerabilities to be published and received in a consistent manner. Risks will be universally understood by law enforcement agencies, government representatives, companies, and organizations, regardless of which tools or technologies are used."

OASIS WAS Technical Committee members include NetContinuum, Qualys, Sanctum, SPI Dynamics, and others. Participation remains open to all organizations and individuals, and OASIS will host an open mail list for public comment. The committee will hold its first meeting on July 3, 2003.

• How To Save the Web from Clickjacking