If a web application security testing tool tells me I have a vulnerability in an application, what do I do? “Fix it” is the right answer, but not always so easy if my development organization is backlogged or, worse, I don’t have access to the source code. Another answer is to shield the application from attacks on the vulnerability using an application-level firewall, in this case a web application firewall.
Why can’t the web application security testing tool simply exchange knowledge of the vulnerability with the firewall in a standardized way? Then the firewall could detect and block attacks on this known vulnerability. Seems like a no-brainer. However, attempts to standardize this have failed. Application Vulnerability Description Language (AVDL) is a defunct, XML-based standard for the exchange of application vulnerabilities between vulnerability assessment tools and other products, typically shielding tools such as application firewalls, that could proactively shield the application from the vulnerability. AVDL was adopted as a standard in 2004 by the Organization for the Advancement of Structured Information Standards (OASIS); however, the AVDL committee was officially closed by OASIS in January 2006.
In Gartner’s 2008 Hype Cycle for Data and Application Security, I marked AVDL as “obsolete”. In this year’s Data and Application Security Hype Cycle, I dropped it altogether.
Even if no successor to AVDL appears, proprietary linkages will suffice. Multiple web application scanners and web application firewalls provide this capability today through explicit partnerships. The value is too compelling. It’s time to start requiring this capability from our web application security testing tool providers, via partnerships with web application firewall vendors.
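To make the scanner-to-firewall linkage concrete, here is an added example that is not part of the original post and not any vendor's integration: a scanner finding in a constructed JSON format (an assumption, not AVDL, whose schema is not reproduced here) is translated into a ModSecurity "virtual patch", a chained SecRule that denies requests to the vulnerable URL whose parameter fails a positive allow-list. A small matcher then evaluates constructed requests against the same logic, so the patch can be sanity-checked before it is pushed to the WAF. The allow-list patterns and the rule-id range are assumptions that an analyst would tune per application.

```python
"""Added example: translate a scanner finding into a ModSecurity virtual patch.
The finding format, the allow-list patterns and the rule-id range are all
assumptions made for this illustration; they are not AVDL or any vendor's API.
"""
import json
import re

# Constructed scanner output (field names are an assumption, not a standard).
SCANNER_FINDING = json.dumps({
    "id": "F-0042",
    "type": "SQL Injection",
    "method": "GET",
    "url": "/account/profile",
    "parameter": "id",
    "evidence": "id=1' OR '1'='1",
})

# Positive-security patterns per vulnerability class: the patch allows only
# what the parameter should legitimately contain, rather than trying to
# enumerate attack strings.  Deliberately narrow defaults; tune per parameter.
ALLOW_LIST = {
    "SQL Injection": r"^[0-9]{1,10}$",                  # numeric identifier
    "Cross-Site Scripting": r"^[A-Za-z0-9 ._-]{0,64}$",  # no < > ' " &
    "Path Traversal": r"^[A-Za-z0-9_-]+\.[a-z]{2,4}$",   # bare filename only
}

RULE_ID_BASE = 900000  # assumption: an id range reserved for virtual patches


def finding_to_rule(finding_json, seq=1):
    """Emit a three-rule ModSecurity chain: method AND path AND parameter
    outside its allow-list -> deny with 403.  Only the first rule in a chain
    carries the disruptive action and the id; the others inherit them."""
    f = json.loads(finding_json)
    pattern = ALLOW_LIST.get(f["type"])
    if pattern is None:
        raise ValueError(f"no allow-list pattern for {f['type']!r}")
    rule_id = RULE_ID_BASE + seq
    # Single quotes would terminate the msg: action, so strip them.
    msg = f"Virtual patch {f['id']}: {f['type']} on {f['parameter']}".replace("'", "")
    return "\n".join([
        f'SecRule REQUEST_METHOD "@streq {f["method"]}" '
        f'"id:{rule_id},phase:2,deny,status:403,log,msg:\'{msg}\',chain"',
        # REQUEST_FILENAME is the path without the query string, so @streq
        # does not also cover /account/profiles or similar siblings.
        f'    SecRule REQUEST_FILENAME "@streq {f["url"]}" "chain"',
        f'    SecRule ARGS:{f["parameter"]} "!@rx {pattern}"',
    ])


def patch_blocks(finding_json, method, path, args):
    """Evaluate a constructed request against the logic the generated chain
    encodes.  Returns True when the WAF would deny the request."""
    f = json.loads(finding_json)
    if method != f["method"] or path != f["url"]:
        return False
    value = args.get(f["parameter"])
    if value is None:
        return False  # ARGS:name on an absent parameter never matches
    # @rx is an unanchored search; the anchors live in the pattern itself.
    return re.search(ALLOW_LIST[f["type"]], value) is None


if __name__ == "__main__":
    print(finding_to_rule(SCANNER_FINDING))
    for req in [("GET", "/account/profile", {"id": "1' OR '1'='1"}),
                ("GET", "/account/profile", {"id": "42"})]:
        print(req, "-> blocked" if patch_blocks(SCANNER_FINDING, *req) else "-> allowed")
```

The positive-security choice is the important design point: a rule that blocks the scanner's exact evidence string would be trivially bypassed by an encoding variant, whereas an allow-list on the parameter's legitimate shape shields the unfixed code until the real fix ships. The cost is that a pattern that is too narrow breaks legitimate traffic, which is why the finding should be reviewed before the generated rule is deployed.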