Total Participants

OVAL Adoption Program Participants

All organizations participating in the OVAL Adoption Program are listed below, including those with products and services that have adopted OVAL and those with declarations of intent to adopt OVAL.

Products are listed alphabetically by organization.

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
ADTsys Software Date Declared: Jan 30 2014

Web Site:

Quote/Declaration: ADTsys is leveraging OVAL for company's compliance and vulnerability assessment for web environments. Using analysis engines based on OWASP and CVE transforming security requirements from documents updated. This content uses the OVAL Language as a mechanism to determine the results.

Product Name: ADTsys Cloud Security

Type: Cloud Security

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated: Feb 27, 2014

Back to top
Agiliance Date Declared: Feb 26 2014

Web Site:

Quote/Declaration: In order to promote open standards and leveraging existing tools already deployed as authoritative sources of risk, threat, security, governance, and compliance audit details, Agiliance's big data risk management software platform, Agiliance RiskVision, consumes OVAL Definitions, OVAL Results, and OVAL System Characteristics via its user interface or via data connectors. As a consumer of OVAL attributes, Agiliance RiskVision supports OVAL 5.10.1 and prior versions. In addition, Agiliance RiskVision accommodates SCAP in its 'XCCDF and OVAL' import tool.

Product Name: Agiliance RiskVision

Type: Big Data Risk Management Software

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: No

Last Updated: Feb 26, 2014

Back to top
Altex-Soft Date Declared: January 30, 2012

Web Sites:

(Russian) www.altx-soft.ru
(English) www.altex-soft.com

Product Name: Altex-Soft Ovaldb

Type: Web-Based OVAL Repository Database

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: RedCheck

Type: Vulnerability, Patch, and Compliance Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: May 30, 2014

Back to top
Arellia Corporation Date Declared: May 5, 2011

Web Site:

Quote/Declaration: Arellia Security Analysis Solution embraces the OVAL standard to help firms manage security proactively, providing the ability to import OVAL content into the Symantec Management Platform's Configuration Management Database via SCAP data streams, which allows for the continuous monitoring and remediation of security configuration management issues that arise due to system vulnerability and misconfiguration on endpoints within an organization. Arellia Security Analysis Solution performs assessments of OVAL Definitions, generally in the context of XCCDF Benchmark Profiles, on managed computers through an agent-based plug-in to the Symantec Management Agent. OVAL content is delivered to the computers where the assessments are performed then OVAL Results are sent back to the Symantec Management Platform server and correlated into the Configuration Management Database.

Product Name: Arellia Security Analysis Solution

Type: Security Configuration Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated:

Back to top
ATM Software sp. z o.o. Date Declared: February 5, 2013

Web Site:

Quote/Declaration: ATM Information Security Workflow is a application suited for IT assets lifecycle management. It contains Web-based OVAL repository and OVAL compatible vulnerability and compliance scanner.

Product Name: ATM Information Security Workflow

Type: Workflow for server/software lifecycle management with OVAL repository and vulnerability assessment.

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated: February 14, 2013

Back to top
Beyond Security Ltd. Date Declared: Aug 7, 2013

Web Site:

Quote/Declaration: The AVDS family of network Vulnerability Assessment and Web Application Security testing solutions are the most accurate and easiest to use in the industry. AVDS uses OVAL to import benchmarks from the OVAL repository and user-developed XML files and to export assessment results files. AVDS is available as a network appliance or hosted solution and will deliver layer 3-7 scanning to businesses and government units of any size. It will find, prioritize and manage the repair of security weaknesses in your network and web applications with the fastest setup and the least maintenance possible.

Product Name: AVDS

Type: Vulnerability and Configuration Assessment and Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated: Sep 23, 2013

Back to top
Beyond Trust Date Declared: September 8, 2010

Web Site:

Quote/Declaration: Beyond Trust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise. eEye enables secure computing through world-renowned research and innovative technology, supplying the world's largest businesses with an integrated and research-driven vulnerability assessment, intrusion prevention, and client security solution. eEye is pleased to support the CVE Initiative and will continue to promote the standardization of the CVE naming convention and vulnerability identification.

Product Name: Retina Network Security Scanner

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 25, 2014

Back to top
Catbird Networks, Inc. Date Declared: September 22, 2010

Web Site:

Quote/Declaration: Catbird delivers a multifunction solution for continuous and measurable security and compliance for virtualized and cloud infrastructures. As a market leader in dynamic and elastic security, Catbird embraces open source and interoperable standards like OVAL. Catbird plans to deliver comprehensive OVAL support in all areas of its award winning product.

Product Name: Catbird vSecurity

Type: Vulnerability Scanner, IDS/IPS, and Firewall

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated:

Back to top
Center for Internet Security Date Declared: Feb 26 2014

Web Site:

Quote/Declaration: CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL server, as well as Red Hat Enterprise Linux platforms. CIS-CAT's support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.

Product Name: Center for Internet Security Configuration Assessment Tool (CIS-CAT)

Type: Host-Based Configuration Assessment Tool

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
Cisco Systems, Inc. Date Declared: February 10, 2012

Web Site:

Quote/Declaration: Traditionally, Cisco discloses information required for an end-user to assess the impact of a vulnerability and any potential steps needed to protect their environment. This information includes all the required technical information for customers to ascertain appropriate remedial action. OVAL provides a framework that allows vendors and their customer to determine if a software vulnerability or patch exists on a given system. Cisco is in the process of adopting OVAL for vulnerability disclosure. Cisco IOS security vulnerability OVAL content is currently supported. Additional products are being considered in the future.

Product Name: Cisco Product Security Incident Response Team (PSIRT) Security Advisories and Vulnerability Disclosures

Type: Cisco Repository of OVAL Content

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Last Updated: Feb 28, 2014

Back to top
Critical Watch Date Declared: November 23, 2010

Web Site:

Quote/Declaration: FusionVM from Critical Watch is an award-winning, patented security risk management solution that automates Vulnerability Management and Configuration Auditing so that compliance is sustained and critical systems are secured. Critical Watch has chosen to adopt OVAL Standards in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.

Product Name: FusionVM Enterprise Vulnerability Management System

Type: Enterprise Vulnerability Management System

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated:

Back to top
Defense Information Systems Agency Field Security Operations (DISA FSO) Date Declared: July 18, 2012

Web Site:

Quote/Declaration: DISA is adopting OVAL for leveraging enterprise compliance and vulnerability assessment for the U.S. Department of Defense (DoD). Utilizing COTS-based scan engines, DISA is transforming security requirements from prose base documents to machine readable content. This content utilizes the OVAL Language as a mechanism to determine results for secure net worthiness in the DoD while supporting the war fighter.

Product Name: DoD SCAP Content Repository

Type: SCAP Content Repository

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Last Updated:

Back to top
eIQnetworks, Inc. Date Declared: July 2, 2012

Web Site:

Quote/Declaration: eIQnetworks is fully committed to the OVAL standard in SecureVue, a unified situational awareness platform that provides next-generation SIEM, security configuration auditing, compliance automation and full-context forensic analysis all within a single console. SecureVue implements OVAL by providing the ability to import Security Content Automation Protocol (SCAP)-based content, including OVAL content, and comparing targeted systems in real-time.

Product Name: SecureVue

Type: Unified Situational Awareness Platform

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated:

Back to top
G2, Inc. Date Declared: March 30, 2010

Web Site:

Product Name: eSCAPe - Enhanced SCAP Editor

Type: OVAL Authoring Tool

   
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Last Updated:

Back to top
GCP Global Date Declared: September 24, 2012

Web Site:

Quote/Declaration: ORCA GRC is a web-based solution intended to aid organizations of all sizes in managing their security, risk, compliance, and governance efforts in a single software platform. ORCA uses OVAL Definitions to identify non-conformities in security and compliance in an automated manner simplifying the auditing workflow.

Product Name: ORCA

Type: Governance, Risk, and Compliance (GRC) Solution

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Jun 20, 2013

Back to top
Greenbone Networks GmbH Date Declared: March 30, 2010

Web Site:

Product Name: Greenbone Security Manager

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Hewlett-Packard Development Company, L.P. Date Declared: March 9, 2010

Web Site:

Quote/Declaration: HP supports the OVAL standard to assist IT organizations in reducing security risks through automated vulnerability disclosure. HP Sever Automation and Client Automation software suites provide real-time vulnerability detection based on OVAL Vulnerability Definitions. HP Live Network provides a repository and delivery portal of vulnerability and compliance content for HP Server Automation and Client Automation.

Product Name: HP Client Automation

Type: Application Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Product Name: HP Live Network

Type: Content Repository

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Product Name: HP Server Automation

Type: Enterprise Server/Application Lifecycle Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Last Updated: Jul 29, 2014

Back to top
Information-technology Promotion Agency, Japan (IPA) Date Declared: February 2, 2011

Web Site:

Quote/Declaration: IPA offers three products for JVN Security Content Automation Framework. Version Checker is an OVAL-based free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor's download website with just a few clicks. Security Configuration Checker is an XCCDF and OVAL-based free, easy-to-use scanner that assesses Windows security configuration, including the USB autorun feature, password, and lockout policies of CCE. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.

Product Name: MyJVN API

Type: Vulnerability Assessment and Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: MyJVN Security Configuration Checker

Type: Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: MyJVN Version Checker

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Mar 3, 2014

Back to top
Institute for Information Industry - CyberTrust Technology Institute Date Declared: December 12, 2012

Web Site:

Quote/Declaration: CSK controller performs automatic compliance auditing to each CSK agent on enterprise endpoints. It can check security mis-configurations, scan systems and application vulnerabilities, evaluate enterprise threats through the baselines which is in the context of XCCDF based on enterprise demands or official compliance. CSK agent gathers all the security information including system configurations, application weakness, service status on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).

Product Name: Crystal Security Keeper (CSK)

Type: Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: February 20, 2013

Back to top
Inverse Path S.r.l. Date Declared: Mar 10, 2010

Web Site:

Quote/Declaration: Our compliance tool aims at allowing an easy and effective management of security policies. We've always looked at standardization efforts as a very effective approach for improving the state of security and/or known vulnerability checking, OVAL does just that and we are committed in supporting it for seamless integration and empowering users without reinventing the wheel.

Product Name: TPOL - OVAL Security Compliance

Type: Vulnerability, Patch, and Compliance Assessment

  OVAL Adopter
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Mar 12, 2014

Back to top
jOVAL.org Date Declared: June 30, 2011

Web Site:

Product Name: jOVAL Definition Interpreter (jovaldi)

Type: Open Source, Java-based OVAL Definition Interpreter

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Lunarline, Inc. Date Declared: August 13, 2012

Web Site:

Quote/Declaration: SCAP Sync is a centralized, publicly accessible repository for all types of SCAP Content. SCAP Sync crawls SCAP content publishing sites and keeps a complete version history for each individual piece of SCAP content. SCAP Sync includes a machine-readable REST API so that developers can effortlessly incorporate machine-readable SCAP content into their own programs, web sites, and technology solutions.

Product Name: SCAP Sync

Type: SCAP Content Repository and API

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Last Updated: Feb 27, 2014

Back to top
McAfee, Inc. Date Declared: March 8, 2011

Web Site:

Quote/Declaration: McAfee has long understood the value of standards, actively participating on directional bodies such as the OVAL Board. McAfee was a very early adopter of OVAL and other security automation standards. McAfee has had OVAL Certified products in the past and continues to assure OVAL is used appropriately in a range of McAfee products. Today McAfee uses OVAL in three different security technologies, Policy Auditing, Vulnerability Management, and Network Access. We are using the same content in all three areas. Policy Auditor was the first enterprise class product to natively support SCAP. McAfee NAC was to first Network Access product to support SCAP. OVAL is a critical aspect of that support. Our OVAL support today includes Microsoft, AIX, HP-UX, Solaris, Mac OS X, and various Linux distributions across our product uses. In addition, McAfee is innovating SCAP by supplying and supporting localized SCAP/OVAL content in many different languages. It also provides a means to make XCCDF/OVAL results much more usable than just telling you if you are compliant or not against a specific benchmark. McAfee continues to develop innovative OVAL content for our customers' uses. McAfee has and will continue to invest in OVAL.

Product Name: McAfee Network Access Control

Type: Network Connection Health Check, Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: McAfee Policy Auditor

Type: Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: McAfee Vulnerability Manager

Type: Vulnerability Assessment, Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Aug 7, 2013

Back to top
Microsoft Corporation Date Declared: March 9, 2011

Web Site:

Quote/Declaration: Microsoft has incorporated OVAL into two of its products, the Microsoft Security Compliance Manager and the SCAP Extension for System Center Configuration Manager 2007. The Microsoft Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. The SCAP Extension for System Center Configuration Manager 2007 enables Configuration Manager 2007 to consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format by taking advantage of the compliance checking capabilities inherent in the desired configuration management (DCM) feature.

Product Name: Microsoft Security Compliance Manager

Type: Security and Compliance Knowledge Management

   
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Product Name: SCAP Extension for System Center Configuration Manager 2007

Type: Enterprise Configuration Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Last Updated:

Back to top
Modulo Security Solutions Date Declared: February 10, 2010

Web Site:

Quote/Declaration: Modulo Risk Manager is a Web-based system that provides large scalability and flexibility to technical control assessment. Assessment in complex environment with hundreds of assets is possible using OVAL to automate configuration analysis in common platforms like Microsoft Operating Systems, Windows-platform Applications and other upcoming technologies, using our definitions evaluator and system characteristics producer. Besides those capabilities, our definitions repository allows interchange with other entities so that Modulo Risk Manager and those entities can accomplish new systems assessments. The MODSIC Project (Modulo Open Distributed SCAP Intelligent Collector) provides an open framework for standardized SCAP distributed collectors using OVAL. It consists of a service that schedules and collects data remotely (agentless), allowing users to input assets and scheduling information and get OVAL System Characteristics and OVAL Results XML files for each asset analyzed through the network. MODSIC is a Modulo open-source initiative, licensed under new-BSD License.

Product Name: MODSIC Project

Type: OVAL Collector Service

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Product Name: Modulo Risk Manager

Type: Governance, Risk Management, and Compliance (GRC) Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Last Updated:

Back to top
National Institute of Advanced Industrial Science and Technology (AIST) Date Declared: January 14, 2011

Web Site:

Quote/Declaration: SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.

Product Name: SIX OVAL

Type: Enterprise Compliance/Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated:

Back to top
NetIQ Corporation Date Declared: February 9, 2011

Web Site:

Quote/Declaration: As the rate of security threats increases, organizations must be enabled to fully leverage their security investments and rapidly adapt community-driven knowledge and best practices to address these threats. NetIQ Secure Configuration Manager is an award winning, enterprise security and compliance assessment solution and a foundational tool to achieving these objectives. The product's out-of-the-box best practices knowledge simplifies system configuration to proactively and efficiently manage current and emerging security threats. By leveraging both OVAL and XCCDF, NetIQ Secure Configuration Manager enables standards-based integration with other security solutions and helps reduce the cost of achieving security and compliance objectives.

Product Name: NetIQ Secure Configuration Manager

Type: Enterprise Security Configuration Assessment

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated:

Back to top
New Net Technologies, Ltd. Date Declared: May 30, 2014

Web Site:

Quote/Declaration: NNT Change Tracker Enterprise provides continuous protection against known and emerging cyber security threats in an easy to use solution. NNT Change Tracker leverages OVAL Definitions to provide vulnerability and compliance assessments for a wide-range of platforms and devices. Options provided for both agent-based and agentless vulnerability scans of a wide range of database systems, operating systems, appliances and network devices. NNT Change Tracker is also a CIS Certified Vendor Product for CIS Benchmark Checklist validation.

Product Name: NNT Change Tracker Enterprise

Type: Vulnerability and Compliance Assessment and Management, Host-Based Intrusion Detection

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Last Updated: Jun 9, 2014

Back to top
NopSec, Inc. Date Declared: December 23, 2010

Web Site:

Quote/Declaration: NopSec Vulnerability Risk Management (VRM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and charting, elimination of virtually all false positives, remediation tracking, and ticketing system according to business risk. NopSec VRM vulnerability scanning engine has planned support for OVAL Definitions evaluations. It is in beta phase for what concerns the OVAL Results Consumer and OVAL Systems Characteristics Producer Capabilities. NopSec has chosen to adopt the OVAL Standard in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.

Product Name: NopSec Vulnerability Risk Management (VRM)

Type: Vulnerability Risk Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Jun 27, 2013

Back to top
OpenVAS Date Declared: July 6, 2012

Web Site:

Quote/Declaration: OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. his includes exporting system characteristics for the whole network, and applying the applications reporting framework according to OVAL Definitions.

Product Name: OpenVAS

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Pivotal Security LLC Date Declared: November 27, 2012

Web Site:

Quote/Declaration: Pivotal Security's innovative technology combines the benefits of transient agent and network wide de-duplication to provide lightning fast scans while using minimal network resources. We recognize the need for standardization in security assessment, reporting and remediation and as such we've decided to support OVAL. We see OVAL as mature yet flexible standard supported by a vibrant community.

Product Name: Security Scanning SDK

Type: OVAL Definition Evaluator

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated: November 28, 2012

Back to top
Positive Technologies CJSC Date Declared: May 11, 2012

Web Site:

Quote/Declaration: Positive Technologies is a leading provider of vulnerability and compliance management, application security, SCADA security and penetration testing. As one of the development directions, we decided to use the SCAP technology in our products. We are implementing OVAL standards, supporting FDCC/USGCB, and maximizing integration with other open security standards in our products. We also provide an open OVAL repository containing vulnerability descriptions collected from various sources.

Product Name: Positive Technologies OVAL Repository

Type: OVAL Definition Repository

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Apr 22, 2014

Back to top
Red Hat, Inc. Date Declared: February 10, 2010

Web Site:

Quote/Declaration: Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.

Product Name: Red Hat Security Advisories

Type: Product Vulnerability Security Advisories

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: October 24, 2012

Back to top
SAINT Corporation Date Declared: March 5, 2010

Web Site:

Quote/Declaration: SAINT Corporation's vulnerability scanning product is a Web-based application available as a software download, appliance, or Software as a Service (SaaS or "Cloud" technology). SAINT Vulnerability Scanner uncovers areas of weakness and recommends fixes via its extensive tutorials. SAINT is certified under NIST's SCAP specification as an Unauthenticated Vulnerability Scanner and Authenticated Vulnerability and Patch Scanner. SAINT supports OVAL by allowing users to import OVAL checks from the OVAL Repository, as well as importing user-developed XML files containing OVAL checks. SAINT provides view/download of OVAL result files via the GUI. SAINT also reports system characteristics of identified hosts for use in analysis, auditing, remediation and/or patch management.

Product Name: SAINT Vulnerability Scanner

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
SecPod Technologies Date Declared: December 10, 2010

Web Site:

Quote/Declaration: SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering majority of the CVE's for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and also consumed by end users. SecPod Saner is a light-weight, easy-to-use enterprise grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively consuming the SCAP feed from the SecPod SCAP Repo content repository.

Product Name: SecPod SCAP Feed

Type: OVAL Repository

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: SecPod Saner

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
Secure Bytes Corporation Date Declared: March 23, 2011

Web Site:

Quote/Declaration: Secure Bytes is an information security software development company focusing on developing automated tools to strengthen information security management system. Secure Bytes' Secure Auditor product is a unified digital risk management solution for conducting automated audits on operating systems, databases, and network devices. Secure Auditor assists organizations in fulfilling requirements defined by regulatory compliance, framework, and standards. Secure Bytes has incorporated OVAL Vulnerability Definitions and the SCAP-based compliance framework into Secure Auditor.

Product Name: Secure Auditor

Type: Automated Auditing Software

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: No

Last Updated:

Back to top
Security-Database Date Declared: April 7, 2010

Web Site:

Quote/Declaration: Security-Database is pleased to support this initiative by supplying OVAL information along with vulnerability information and to provide access to a full mirroring repository of OVAL XML and online OVAL Definitions.

Product Name: IT Dashboard

Type: Web-Based IT Vulnerability and Threats Dashboard

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Planned

Product Name: SSA - Security System Analyzer

Type: Security Scanner and Compliance Assessment Software

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Planned

Product Name: Security-Database OVAL Repository

Type: Web-Based OVAL Repository Database

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Review Completed Questionnaire

Last Updated: Mar 3, 2014

Back to top
SPAWAR Systems Center Atlantic Date Declared: Februry 25, 2010

Web Site:

Quote/Declaration: The SCAP Compliance Checker has adopted OVAL as part of the FDCC Scanner capabilities of SCAP Validation Program. SCAP Compliance Checker is able to process all four of OVAL's schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing. By using the industry standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.

Product Name: SCAP Compliance Checker

Type: OVAL Definition Evaluator

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
SUSE Date Declared: February 28, 2014

Web Site:

Quote/Declaration: Our customers need an index of fixed security incidents indexed by product, RPM package name and version for use in their security compliance checking. As they are using a wide range of checking tools inventing a new format would have caused unnecessary work on all sides. We have chosen to use the OVAL format for publishing this data, which is in our eyes the accepted industry standard format for this purpose.

Product Name: SUSE Linux Enterprise OVAL Information

Type: Database

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Product Name: SUSE Manager 1.7

Type: Linux Patch and Configuration Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated: Apr 22, 2014

Back to top
Symantec Corporation Date Declared: May 2, 2011

Web Site:

Quote/Declaration: OVAL is used by Symantec Risk Automation Suite (SRAS) to define and detect system vulnerabilities, patches, and miss-configurations. OVAL content is automatically imported into SRAS from our repository and included in the scanning processes. Leveraging the OVAL standard, SRAS automates vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. OVAL is used by the Symantec Control Compliance Suite (CCS) to define and detect system vulnerabilities, patches and miss-configuration. OVAL content is automatically imported into CCS from our repository and included in the scanning processes. Leveraging the OVAL standard, CCS automates vulnerability detection, configuration reporting, and policy compliance. CCS supports both OVAL as part of an SCAP v1.0 data stream and as stand-alone OVAL definition evaluations.

Product Name: Symantec Control Compliance Suite

Type: Automated Risk and Policy Compliance Management

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Product Name: Symantec Risk Automation Suite

Type: Enterprise Configuration, Vulnerability, Risk, and Compliance Management

   
  • OVAL Authoring Tool: Planned
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Last Updated:

Back to top
Telos Corporation Date Declared: March 26, 2010

Web Site:

Quote/Declaration: Xacta IA Manager combines security compliance and risk assessment functionality with powerful business process automation to establish a centralized governance, risk, and compliance management platform that facilitates compliance assessment, continuous risk and sustained compliance management, and security process automation. Xacta IA Manager's Continuous Assessment and HostInfo have adopted OVAL as an assessment language in addition to the native javascript language. Users have the ability to import OVAL Definitions and scan their endpoints for vulnerabilities, patches, and compliance. Xacta IA Manager also serves as an FDCC scanner to automate the validation and compliance of systems against FDCC standards and supports the use of SCAP content to determine compliance with FDCC and other XCCDF checklists.

Product Name: Xacta IA Manager Assessment Engine

Type: Certification and Accreditation Solution

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: No

Product Name: Xacta IA Manager Continuous Assessment

Type: Certification and Accreditation Solution

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Product Name: Xacta IA Manager HostInfo

Type: Certification and Accreditation Solution

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Planned

Last Updated: Feb 25, 2014

Back to top
ThreatGuard, Inc. Date Declared: February 24, 2010

Web Site:

Quote/Declaration: ThreatGuard offers three products that fully integrate support for OVAL: S-CAT, Secutor Prime, and Secutor Magnus. From 2004 to present day, ThreatGuard has fulfilled OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. All three products automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. S-CAT has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments. Secutor Prime includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content and includes an option to display the OVAL-ID of vulnerability definitions in the tree as the title for each vulnerability definition. Secutor Magnus can automatically load OVAL-based vulnerability content to perform vulnerability assessments against a variety of operating systems.

Product Name: Secutor Compliance Automation Toolkit (S-CAT)

Type: Universal, Integratable SCAP Assessment Module

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: Secutor Magnus

Type: Enterprise SCAP Compliance/Vulnerability Management System

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: Secutor Prime

Type: Desktop Compliance/Vulnerability Assessment Tool

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Tripwire, Inc. Date Declared: October 19, 2010

Web Site:

Quote/Declaration: Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and mis-configuration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.

Product Name: Tripwire Enterprise

Type: Security Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Jun 18, 2014

Back to top
Triumfant, Inc. Date Declared: September 9, 2010

Web Site:

Quote/Declaration: Triumfant Resolution Manager fully supports the use of OVAL to define the method for assessing a given configuration item. When the product imports an SCAP benchmark, it validates and imports the OVAL Definition files for the configuration items and patches referenced by that benchmark. OVAL files can be distributed to groups of computers automatically and can also be updated or deleted automatically. OVAL results are automatically collected each time an assessment is executed and are combined with the information in the appropriate XCCDF profile to produce detail and summary level reports for vulnerability issues, missing patches, and other compliance and policy violations. Resolution Manager is a NIST SCAP validated FDCC scanning tool and will report compliance with FDCC and other XCCDF checklists. The automated remediation capabilities of Resolution Manager can be used to remediate detected problems to continuously enforce configuration policies and eliminate vulnerabilities.

Product Name: Triumfant Resolution Manager

Type: Vulnerability, Patch, and Compliance Assessment

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated:

Back to top
U.S. Army CERDEC Date Declared: February 10, 2010

Web Site:

Quote/Declaration: Armadillo developed by U.S. Army CERDEC, i.e., GOTS, is a configuration, vulnerability, patch, and software inventory network scanner (with plans to add remediation). It identifies misconfigurations by consuming SCAP bundles which contain XCCDF benchmarks (analogous to STIGs) which define the policy guidance and OVAL Definition files which define probes and expected values (analogous to SRRs). Armadillo produces XCCDF, OVAL and ARF results which allow it to interoperate with other SCAP tools. It works on LANs disconnected from the Internet and is able to probe multiple hosts concurrently over SSH from both Windows and Linux without the need to install any software on the target hosts.

Product Name: Armadillo

Type: Vulnerability Assessment and Remediation

   
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Planned
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Last Updated:

Back to top