What is AVDL and Why was it Created?
With the growing adoption of web-based technologies, applications have become far more dynamic, with changes taking place daily, sometimes hourly. With dozens of security patches and application-level vulnerabilities released each week, enterprises must deal with a constant flood of new security patches from their application and infrastructure vendors. To make matters worse, network-level security products do little to protect against these vulnerabilities at the application level. To address this problem, enterprises today have deployed a host of best-of-breed security products to discover application vulnerabilities, block application-layer attacks, repair vulnerable web sites, distribute patches and manage security events.
Enterprises view application security as a continuous lifecycle. Unfortunately, there is currently no standard way for these products to communicate with each other, making the overall security management process far too linear, manual and time-consuming.
Enterprise customers are asking companies to provide products that interoperate. A consistent way to describe application security vulnerabilities via XML is a significant step towards that goal. Today, the vendors proposing AVDL are actively engaged in projects whereby XML-based vulnerability descriptions will be used to improve the responsiveness and effectiveness of attack prevention, event correlation, and remediation technologies. XML establishes a common framework, but XML alone does not ensure vendor interoperability.
The Application Vulnerability Description Language (AVDL) is a new security interoperability standard within the Organization for the Advancement of Structured Information Standards (OASIS) that was first proposed in April 2003 by several leaders within the application security space. AVDL creates a uniform way of describing application security vulnerabilities using XML.