An XML-based standard designed to allow companies more easily to manage and reduce security risk in constantly changing web services-based environments was put forward yesterday.

The Application Vulnerability Description Language (AVDL) has been proposed by the Organisation for the Advancement of Structured Information Standards (Oasis), a consortium of security vendors including Citadel Security Software, GuardedNet, NetContinuum, SPI Dynamics and Teros.

AVDL will enable companies to define, categorise and classify web services application vulnerabilities in a common way that can be understood by all security products.

"The majority of new attacks today target vulnerabilities at the application layer, a problem we believe will only increase as web services become more widely adopted," said Richard Stiennon, vice president of research at Gartner, in a statement.

"Because web applications are constantly changing, creating a more standardised way for individual security products to share information, AVDL makes a great deal of sense and could significantly benefit enterprise customers."

With the wide adoption of web-based technologies, applications often change daily, or even hourly.

But the lack of standards to define how security products from different vendors interoperate means that keeping up with the changes can be a problem for security administrators.

Ken Kousky, chief executive at research company IP3, said: "As new security technologies are developed, enterprises in the early adopter phase rely on best-of-breed solutions or a number of interoperable combinations to address rising security concerns.

"In our latest research report, IT Security Economics, the Rationality Debate, we found that more than 85 per cent of large organisations view interoperability between security components as one of their top two issues for 2003. Client organisations are simply being overwhelmed."

Oasis described how application vulnerability assessment tools, for example, could create an AVDL file for a particular application that could be read by an attack prevention product to recommend the best policy for protecting a specific application.