About OVAL

Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. The repositories are collections of publicly available and open content that utilize the language.

An Open Language

The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.

Repositories for Sharing Content

Content written in the OVAL Language as XML-based OVAL Definitions is located in one of the many repositories found within the community. One such repository, the OVAL Repository hosted by The MITRE Corporation, is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system. Other repositories in the community also include OVAL content.

A Community Effort

The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository through the OVAL Community Forum. An OVAL Board consisting of representatives from a broad spectrum of industry, academia, and government organizations from around the world oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that OVAL, which is funded by the National Cyber Security Division’s Software Assurance program at the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide.

OVAL in the Enterprise

When enterprises use information security products and services that have adopted OVAL to protect their networks and systems they have confidence that the software vulnerabilities, compliance issues, programs, and patches being tested for by those products are present on the system with a far higher degree of certainty, and fewer false positives, than products that have not adopted the community-developed OVAL standard. Enterprises may also leverage the interoperability of OVAL-enhanced tools that exchange OVAL content. For example, a vulnerability assessment product deployed by the enterprise can leverage a vulnerability research service to quickly and automatically check for the latest vulnerabilities. Similarly, a compliance checking engine can leverage government security guidance to automatically monitor compliance without the need to translate traditional prose based guidance. This allows you to streamline your processes and improve your security posture, significantly enhancing your ROI

Through interoperability use of OVAL also provides for automation, one example of which is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) effort. OVAL is one of six existing standards SCAP uses to enable automated vulnerability management, measurement, and policy compliance evaluation.

In conclusion, use of OVAL enhances many of the areas of enterprise security most important to you including Security Advisory Distribution, Vulnerability Assessment, Patch Management, Configuration Management, Auditing and Centralized Audit Validation, Security Information Management Systems (SIMS), System Inventory, and Malware and Threat Indicator Sharing.

Take the Next Step

Learn more about OVAL in Use, review Products and Services Including OVAL, or contact oval@mitre.org to find out how OVAL can help your enterprise.

Back to top

Page Last Updated: July 16, 2012