Name of Your Organization:

SecPod Technologies

Web Site:

http://www.secpod.com

Adopting Capability:

SecPod SCAP Feed

Capability home page:

http://www.scaprepo.com/

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section is not included as part of the questionnaire below.

OVAL Definition Repository — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

The feed is available on a subscription model for both vendors (Redistributable License) and end users (EULA).

The SecPod SCAP Feed can be accessed at http://www.scaprepo.com and customers will be provided with credentials to login and use the repository. Additionally, a web service interface will be provided for customers to automatically download the OVAL Definitions. The feed metadata can also be accessed via RSS.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The OVAL Definitions are primarily version 5.10 compliant; earlier language versions are supported for backward compatibility.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Customers can open a support ticket using the credentials provided; tickets are handled under the SLA.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

All issues are investigated by the technical support team. If a defect is confirmed, it is fixed by the development team. The synchronization tool automatically picks up the latest updates once the issue is fixed. Customers are informed through the support ticket, which is closed once the customer confirms the fix is satisfactory.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

http://www.scaprepo.com/
http://www.scaprepo.com/whatami.html
http://www.scaprepo.com/faq.html

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

The repository is compliant with schema version 5.10, and all Tests, Objects, States, and Variables defined in the schema are supported. In the current release, the repository contains OVAL Definitions for:

  • Microsoft Windows Operating Systems and applications
  • All Linux Operating Systems
  • Enterprise applications and servers
  • Oracle Solaris
  • IBM AIX
  • Apple Mac OSX

OVAL content is added into the repository regularly and the coverage scope is expanded continuously.

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Customers can open a support ticket using the credentials provided; tickets are handled under the SLA.

All issues are investigated by the technical support team. If a defect is confirmed, it is fixed by the development team. The synchronization tool automatically picks up the latest updates once the issue is fixed. Customers are informed through the support ticket, which is closed once the customer confirms the fix is satisfactory.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

The OVAL content in the SecPod SCAP Repo is fully tested: both XML Schema validation and Schematron validation are performed before publication. Any content downloaded from the repository is guaranteed to be in working condition. If issues are found, customers can open a support ticket and they will be resolved.

Definition Repository Capability Questions

Unique IDs <AR_6.1> <AR_6.2> <AR_6.3>

Describe the process by which IDs are assigned and managed in the repository and how global uniqueness of IDs is ensured.

All definitions in the SecPod SCAP Repo are assigned IDs in the oval:org.secpod.oval namespace. The repository management tool ensures that assigned IDs are unique. Once assigned, IDs are never modified.

Content Versioning <AR_6.4>

Describe the process by which the versions of Definitions, Tests, Objects, States, and Variables are managed in the repository.

On each modification to a Definition, Test, Object, State, or Variable, its version is incremented, and the versions of the Tests, Objects, States, or Variables that reference the modified element are updated as well.
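The two answers above (Unique IDs and Content Versioning) describe the checks a repository management tool has to make on ingest: every id is well-formed, lives in the oval:org.secpod.oval namespace, carries the kind segment that matches its element, is unique, and every *_ref attribute resolves; and when an element changes, the version bump propagates to everything that references it. The following Python script is an added illustration of those two processes, not SecPod's tool or any code from the repository. The OVAL document it works on is constructed for the example (element names follow the OVAL 5.10 independent component schema, but the content is made up), and the id pattern is the one from the OVAL common schema. Version propagation follows references transitively, so a change to a variable also bumps the object, test and definition that depend on it, which is one reasonable reading of the versioning answer.

```python
import re
import xml.etree.ElementTree as ET

# OVAL id pattern from the OVAL 5.10 common schema: the middle segment is the issuing
# organisation's namespace, the third segment encodes the element kind.
ID_RE = re.compile(r"^oval:(?P<ns>[A-Za-z0-9_\-.]+):(?P<kind>def|tst|obj|ste|var):[1-9][0-9]*$")
REPO_NS = "org.secpod.oval"  # namespace the page says the repository issues ids in

# Constructed sample (not real repository content): definition -> test -> object -> variable
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
  xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:org.secpod.oval:def:1" version="3" class="vulnerability">
      <criteria><criterion test_ref="oval:org.secpod.oval:tst:1"/></criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:org.secpod.oval:tst:1" version="2" check="all">
      <ind:object object_ref="oval:org.secpod.oval:obj:1"/>
      <ind:state state_ref="oval:org.secpod.oval:ste:1"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:org.secpod.oval:obj:1" version="1">
      <ind:filepath var_ref="oval:org.secpod.oval:var:1"/>
      <ind:pattern operation="pattern match">^version=(.*)$</ind:pattern>
      <ind:instance datatype="int">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
  <states>
    <ind:textfilecontent54_state id="oval:org.secpod.oval:ste:1" version="1">
      <ind:subexpression>2.0</ind:subexpression>
    </ind:textfilecontent54_state>
  </states>
  <variables>
    <constant_variable id="oval:org.secpod.oval:var:1" version="1" datatype="string">
      <value>/etc/app.conf</value>
    </constant_variable>
  </variables>
</oval_definitions>"""

# Constructed document that should be rejected on ingest: foreign namespace, dangling
# test_ref, a definition carrying a "tst" id, and that id used twice.
BAD_SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.example.oval:def:7" version="1" class="patch">
      <criteria><criterion test_ref="oval:org.secpod.oval:tst:99"/></criteria>
    </definition>
    <definition id="oval:org.secpod.oval:tst:2" version="1" class="patch"/>
    <definition id="oval:org.secpod.oval:tst:2" version="1" class="patch"/>
  </definitions>
</oval_definitions>"""

def parse(xml_text):
    return ET.fromstring(xml_text)

def local_name(tag):
    return tag.rsplit("}", 1)[-1]

def expected_kind(tag):
    """Map an element name to the id kind its id attribute must carry (None if not an id holder)."""
    local = local_name(tag)
    if local == "definition":
        return "def"
    for suffix, kind in (("_test", "tst"), ("_object", "obj"), ("_state", "ste"), ("_variable", "var")):
        if local.endswith(suffix):
            return kind
    return None

def index_ids(root):
    """Return ({id: element}, [duplicate ids]) over every element that has an id attribute."""
    by_id, dupes = {}, []
    for el in root.iter():
        oid = el.get("id")
        if oid is None:
            continue
        if oid in by_id:
            dupes.append(oid)
        by_id[oid] = el
    return by_id, dupes

def referrers(root):
    """Reverse reference graph: target id -> ids of the elements whose *_ref attributes point at it."""
    graph = {}
    def walk(el, owner):
        owner = el.get("id", owner)          # nearest enclosing element with an id
        for attr, val in el.attrib.items():
            if attr.endswith("_ref") and owner is not None:
                graph.setdefault(val, set()).add(owner)
        for child in el:
            walk(child, owner)
    walk(root, None)
    return graph

def check_ids(root):
    """Ingest checks: well-formed ids, repository namespace, kind matches element, no duplicates, no dangling refs."""
    problems = []
    by_id, dupes = index_ids(root)
    problems += [f"duplicate id {d}" for d in dupes]
    for oid, el in by_id.items():
        m = ID_RE.match(oid)
        if not m:
            problems.append(f"malformed id {oid}")
            continue
        if m["ns"] != REPO_NS:
            problems.append(f"id {oid} is outside namespace {REPO_NS}")
        kind = expected_kind(el.tag)
        if kind and m["kind"] != kind:
            problems.append(f"id {oid} used on <{local_name(el.tag)}>, expected kind {kind}")
    for target, owners in referrers(root).items():
        if target not in by_id:
            problems.append(f"dangling reference to {target} from {', '.join(sorted(owners))}")
    return problems

def versions(root):
    by_id, _ = index_ids(root)
    return {oid: int(el.get("version", "0")) for oid, el in by_id.items()}

def bump_versions(root, changed_id):
    """Increment the version of changed_id and, transitively, of every element that references it."""
    by_id, graph = index_ids(root)[0], referrers(root)
    touched, seen, stack = [], set(), [changed_id]
    while stack:
        cur = stack.pop()
        if cur in seen or cur not in by_id:
            continue
        seen.add(cur)
        el = by_id[cur]
        el.set("version", str(int(el.get("version", "0")) + 1))
        touched.append(cur)
        stack.extend(sorted(graph.get(cur, ())))
    return touched

if __name__ == "__main__":
    print("clean sample:", check_ids(parse(SAMPLE)) or "no problems")
    for p in check_ids(parse(BAD_SAMPLE)):
        print("bad sample:", p)
    root = parse(SAMPLE)
    print("bumped:", bump_versions(root, "oval:org.secpod.oval:var:1"))
    print(versions(root))
```

Running the script reports no problems for the clean document and four for the bad one, then shows that editing the variable bumps var:1, obj:1, tst:1 and def:1 while ste:1, which nothing in that chain references, keeps its version. A production tool would also run the XSD and Schematron validation mentioned under Content Validity, which this example omits because the OVAL schema files are not bundled.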

Standard References <AR_6.6> <AR_6.7> <AR_6.8>

Indicate how and when CVE-IDs, CCE-IDs, and CPE-IDs are used as references on OVAL Definitions in the repository.

All vulnerability definitions include the corresponding CVE name when one is available. For vulnerabilities without a CVE name, the definition refers to other well-known identifiers instead. As soon as a CVE name becomes available, the definition is updated to include it.

All configuration checking definitions include a CCE ID.

All inventory definitions include a CPE name as a reference.

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

Content can be retrieved through the SecPod SCAP Repo search interface, and metadata about OVAL Definitions can be obtained by subscribing to the RSS feed. Additionally, a web service interface description document is provided so that OVAL Definitions can be retrieved automatically on a regular basis.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Chandrashekhar B
TITLE: CEO

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Chandrashekhar B
TITLE: CEO

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Chandrashekhar B
TITLE: CEO

Page Last Updated: February 27, 2014