Industry groups offer proposals in three areas

George V. Hulme, Contributor

March 5, 2003


I.T. security has come a long way in recent years. But much more needs to be accomplished to make it easier to secure systems, according to those attending the RSA Security conference on computer and information security last week.

Evolving standards may be the answer. Today, security applications designed to block attacks don't talk with apps that find application vulnerabilities. Building-access cards don't speak the same language as smart cards used to log on to a corporate network. And companies that want to use Web services quickly discover that the lack of security standards creates an integration nightmare.

For example, when American Express Co. sought to extend Web services to partners, the financial-services company had to create a unique security infrastructure for each partner, says Michael Barrett, VP of Internet strategy for American Express and president of the Liberty Alliance management board, a group dedicated to developing industry standards for identity management. The lack of standards and vendor interoperability in identity management "just destroys the economic model for Web services," he says.

Last week, the alliance introduced the second phase of its federated identity-management specification, which includes a standard way for users to choose which affiliated Web sites can access their personal information and whether their identity will be revealed. Such permission-based sharing, Barrett says, is critical for any universal identity-management initiative to be successful. The alliance also recently submitted version 1 of its specification to the Organization for the Advancement of Structured Information Standards for possible inclusion in the next version of SAML, the Security Assertion Markup Language, a widely accepted framework for authentication and authorization of Web-services communications.


Here are some of the Web-based security standards under development:

Soap: The Simple Object Access Protocol is a message-based protocol based on XML for accessing services on the Web.

WS-Security: A set of Soap extensions used to implement integrity and confidentiality in Web-services applications and provide a standard way for Web-services apps to share secure, signed messages.

SAML: The Security Assertion Markup Language is based on XML and provides a framework for authentication and authorization of Web services.

AVDL: The Application Vulnerability Description Language is an XML standard that will define application vulnerabilities.

Data: InformationWeek

Standards also are needed to deal with new application vulnerabilities that seem to crop up every day. A group of security vendors has submitted a proposal for an Application Vulnerability Description Language, based on XML, to standards body Oasis. AVDL will be designed to provide a standard way for application vulnerabilities to be defined and classified so security tools will speak the same language when it comes to security threats aimed at apps. The group, founded by Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics, and Teros, hopes to have a version of the spec completed by year's end.

AVDL will let application vulnerability-assessment tools, such as those provided by SPI Dynamics, better report to other security applications the state of app security throughout an organization at any point in time. Security event managers, such as those made by GuardedNet, will be able to better correlate security problems found in applications with actual security attacks and related events.

And there still are big integration challenges between building and IT-access devices. While the federal government has been working on methods for combining building-access cards and IT-access cards for some time, analysts say progress has been slow. "People at the Defense Department are still walking around with two access cards around their neck, one for building access and one for IT access," says John Pescatore, an analyst at Gartner.

Computer Associates last week unveiled the Open Security Exchange, which it says is a collaborative group to establish best practices and promote vendor-neutral specs for integrating the management of security devices and policies. The OSE aims to create a standard that will let physical security devices, such as building-access cards, interoperate better with conventional IT security applications, such as provisioning and access-management apps and smart cards used to access IT resources.

About the Author(s)

George V. Hulme


An award-winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is a security blogger at
