Network World
RSA show to highlight new security approaches

By Ellen Messmer , Network World , 02/23/2004

The 10,000 people expected to attend the RSA Conference 2004 this week in San Francisco will be treated to new approaches to the age-old security problems of fixing vulnerabilities and verifying user identities.

At last year's RSA Conference, the Organization for the Advancement of Structured Information Standards (OASIS) launched an effort to define application vulnerabilities in a common XML-based format (see this week's Tech Update on AVDL). The goal was not only to have vulnerability-assessment tools define problems the same way but automatically share the information with patch management products and application-layer firewalls so holes can be plugged quickly.

OASIS' efforts will come to fruition at this year's show when it announces the completion of Application Vulnerability Description Language (AVDL) Version 1.0. Security vendors backing AVDL will demonstrate how AVDL addresses Web vulnerabilities.

Citadel, NetContinuum, Spi Dynamics and other vendors on the show floor will transmit XML-based information between their various scanning tools, patch products and application firewalls.

The U.S. Department of Energy plans to use AVDL messages as the basis for computer-incident advisories.

"We'd like to see all vendor and patch-management information in the same format," says John Diaz, security consultant at the Department of Energy. The department keeps a vulnerability database and plans to put what it calls "AVDL listeners" on its Oracle-based portal this spring to push out vulnerability alerts to departmental security teams.

"Application vulnerabilities propagate so rapidly today that the old methods of dealing with them no longer suffice," says Gartner analyst John Pescatore, who will participate in panel discussions about AVDL at the show. "New standards like AVDL offer one of the best hopes of breaking this cycle by dramatically reducing the time between the discovery of a new vulnerability and the effective response at enterprise sites."

As part of an interoperability demonstration, NetContinuum will show how its application-layer firewall can receive an AVDL message from Spi Dynamics' WebInspect vulnerability-assessment tool and automate a blocking function to prevent the hole from being exploited.

Spi Dynamics also will announce a distributed version of WebInspect it calls Assessment Management Platform, which will be able to inspect hundreds of Web applications and servers across various locations from a central management console. That product is scheduled to ship next quarter.

"If Spi Dynamics discovers a vulnerability and sends it over in AVDL format, NetContinuum would take that information and automate the blocking," says Wes Wasson, NetContinuum vice president of marketing.

He notes that AVDL, which OASIS is expected to approve next month, likely will evolve to include use of digital signatures, a way for the recipient to verify who sent a message and that it was not altered in transit.
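The scanner-to-firewall handoff described above, reduced to a runnable sketch. This is an added example, not code from the article, from OASIS, or from any of the vendors named: the `<finding>` element names are a constructed stand-in rather than the AVDL 1.0 schema, the firewall "rule" is a hypothetical dictionary, the list of protected hosts is an assumption, and an HMAC over a pre-shared key stands in for the digital signatures the article says AVDL may later adopt. What it shows is the part a practitioner cares about when a message can change enforcement policy automatically: the firewall checks the message's origin and integrity before it parses anything, rejects malformed findings, and only converts findings for hosts it actually protects into deny rules.

```python
"""Toy AVDL-style handoff: a scanner finding becomes a firewall deny rule.

Added example. The XML layout, rule shape and HMAC-based check are
assumptions for illustration, not the AVDL specification.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample of what a scanner might emit after finding a flaw in /search.
SAMPLE_FINDING = """<finding>
  <target>http://app.example.com/search</target>
  <method>get</method>
  <parameter>q</parameter>
  <class>sql-injection</class>
  <severity>high</severity>
</finding>"""

# Assumption: scanner and firewall share a provisioned key. A real deployment
# would use an asymmetric signature so the firewall holds no signing capability.
SHARED_KEY = b"demo-key-do-not-use-in-production"

# Assumption: the hosts this firewall fronts. Findings for anything else are ignored
# so that a stray or forged message cannot make us block traffic we do not own.
PROTECTED_HOSTS = {"app.example.com"}

REQUIRED_FIELDS = ("target", "method", "parameter", "class", "severity")


def sign(message, key=SHARED_KEY):
    """Return the hex authentication tag the scanner sends alongside the message."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(message, tag, key=SHARED_KEY):
    """Constant-time check that the tag matches the message as received."""
    return hmac.compare_digest(sign(message, key), tag)


def parse_finding(message):
    """Extract the required fields; raise ValueError on anything incomplete.

    xml.etree does not fetch external entities, but a production listener
    should still use a hardened parser (for example defusedxml).
    """
    root = ET.fromstring(message)
    if root.tag != "finding":
        raise ValueError("root element is not <finding>")
    fields = {}
    for name in REQUIRED_FIELDS:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing <{name}>")
        fields[name] = node.text.strip()
    return fields


def finding_to_rule(finding):
    """Turn a parsed finding into a deny rule, or None if the host is not ours."""
    url = urlsplit(finding["target"])
    if url.hostname not in PROTECTED_HOSTS:
        return None
    return {
        "action": "deny",
        "host": url.hostname,
        "path": url.path or "/",
        "method": finding["method"].upper(),
        "parameter": finding["parameter"],
        "reason": finding["class"],
    }


def ingest(message, tag):
    """Firewall-side listener: returns (status, rule) and never trusts unverified input."""
    if not verify(message, tag):
        return ("bad-signature", None)          # tampered, forged, or wrong key
    try:
        finding = parse_finding(message)
    except (ET.ParseError, ValueError):
        return ("malformed", None)
    rule = finding_to_rule(finding)
    if rule is None:
        return ("not-ours", None)
    return ("applied", rule)


if __name__ == "__main__":
    print(ingest(SAMPLE_FINDING, sign(SAMPLE_FINDING)))
    print(ingest(SAMPLE_FINDING.replace("/search", "/login"), sign(SAMPLE_FINDING)))
```

The ordering matters: verification comes before parsing, so an attacker who can reach the listener but not the key cannot exercise the XML parser or push a rule. Without that check, the automated blocking the vendors describe would let anyone who can forge a finding take a legitimate path offline.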

Not all patch management vendors, though, are gung-ho about AVDL.

For example, PatchLink this week is expected to introduce Version 6.0 of its Update product, which handles patch distribution across multiple remote offices from a central point. The vendor has no immediate plans to add AVDL support.

PatchLink's scanning tool shares data with its patch-updating product, says Chris Andrews, vice president of product management. "AVDL could be something we'd do in the future, though," he adds.
