Security No-Brainer #9: Application Vulnerability Scanners Should Communicate with Application Firewalls
If a web application security testing tool tells me I have a vulnerability in an application, what do I do? “Fix it” is the right answer, but not always so easy if my development organization is backlogged or, worse, I don’t have access to the source code. Another answer is to shield the application from attacks on the vulnerability using an application-level firewall – in this example a web application firewall.
Why can’t the web application security testing tool simply exchange knowledge of the vulnerability with the firewall in a standardized way? Then the firewall could detect and block attacks on this known vulnerability. Seems like a no-brainer. However, attempts to standardize this have failed. Application Vulnerability Description Language (AVDL) is a defunct, XML-based standard for exchanging application vulnerability descriptions between vulnerability assessment tools and other products, typically shielding tools such as application firewalls that could proactively shield the application from the vulnerability. AVDL was adopted as a standard in 2004 by the Organization for the Advancement of Structured Information Standards (OASIS); however, the AVDL committee was officially closed by OASIS in January 2006.
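To make the linkage concrete, here is an added example (not from this post, and not the code of any scanner or firewall product) of a scanner finding being turned into a "virtual patch" that the firewall enforces only on the reported endpoint. The finding record, the endpoint path and the SHIELD_PATTERNS are constructed stand-ins; AVDL's real schema is not reproduced.

```python
# Toy scanner-to-WAF linkage: a scanner finding becomes a "virtual patch" the
# firewall enforces on the reported endpoint only.
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a scanner's export record; the real AVDL schema
# is not reproduced here, only the fields a shielding rule needs.
SCANNER_FINDING = {"method": "GET", "path": "/account/search",
                   "parameter": "q", "class": "sql-injection"}

# Illustrative value patterns per class (assumed, not taken from any product).
SHIELD_PATTERNS = {
    "sql-injection": re.compile(r"'|--|;|\bunion\b|\bselect\b", re.I),
    "xss": re.compile(r"<|>|javascript:", re.I),
}

@dataclass
class VirtualPatch:
    method: str
    path: str
    parameter: str
    pattern: re.Pattern

    def blocks(self, method: str, url: str) -> bool:
        """True when a request hits the shielded endpoint with a suspicious value."""
        parts = urlsplit(url)
        if method.upper() != self.method or parts.path != self.path:
            return False  # scoped to the finding: other endpoints are untouched
        values = parse_qs(parts.query, keep_blank_values=True).get(self.parameter, [])
        return any(self.pattern.search(v) for v in values)

def patch_from_finding(finding: dict) -> VirtualPatch:
    """Translate one scanner finding into a firewall rule; refuse unknown classes."""
    if finding["class"] not in SHIELD_PATTERNS:
        raise ValueError(f"no shield pattern for class {finding['class']!r}")
    return VirtualPatch(finding["method"].upper(), finding["path"],
                        finding["parameter"], SHIELD_PATTERNS[finding["class"]])

def triage(patch: VirtualPatch, requests: list) -> dict:
    """Split (method, url) pairs into allowed and blocked URL lists for review."""
    result = {"allowed": [], "blocked": []}
    for method, url in requests:
        result["blocked" if patch.blocks(method, url) else "allowed"].append(url)
    return result

if __name__ == "__main__":
    print(triage(patch_from_finding(SCANNER_FINDING),
                 [("GET", "/account/search?q=laptops"), ("GET", "/account/search?q=x'--")]))
```

Scoping the rule to the reported method, path and parameter is what keeps such a shield from degrading the rest of the application; the value patterns are a stopgap until the code is fixed, and a real firewall would carry far richer ones.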
In Gartner’s 2008 Hype Cycle for Data and Application Security, I marked AVDL as “obsolete”. In this year’s Data and Application Security Hype Cycle, I dropped it altogether.
Even if no successor to AVDL appears, proprietary linkages will suffice. Multiple web application scanners and web application firewalls provide this capability today through explicit partnerships. The value is too compelling. It’s time to start requiring this capability of our web application security testing tool providers, via partnerships with web application firewall vendors.