OVAL Working Group on Unauthenticated Tests

Teleconference - 7 April 2005

Attendees

Mike Murray, nCircle -- Working Group Chair
Matthew Wojcik, MITRE -- OVAL Moderator
Raffael Marty, ArcSight
Dennis Moreau, Configuresoft
Mike Nearing, nCircle
Joel Weisz, nCircle
Abiola Fayemi, nCircle

Minutes compiled by Mike Murray.

Meeting Summary

The second meeting was intended to get the working group back on track. The meeting itself had a relatively small turnout, but key issues were discussed, and next steps were decided upon.

Through discussion, three main areas of work have been identified as relevant to the effort:

  • Metadata: things like invasiveness of tests, confidence levels for individual tests and for an unauth definition as a whole
  • Individual test types: how to represent an open port test, a banner check, protocol analysis or interaction, etc.
  • The schema, or the broader structure for unauth definitions: how to order the data, how to fit it into the OVAL family, how much it looks like existing OVAL

Through the discussion, those on the call agreed that the first two areas are the key areas, and the solutions to those areas will end up creating the schema.

A good deal of the discussion centered on the creation of the metadata for the checks, specifically on methods for defining confidence, accuracy, and invasiveness. Some of this appears similar to work that Mike's team had performed internally at nCircle; he committed to posting that work to the Developer list in the near future.

In addition, Matt suggested that CVSS may be useful for the definition of some of this metadata. There could be a base confidence level associated with test types, with further Additional categories will likely arise from further discussion on the issue. Raffy brought up the fact that the user may want to tailor some of these values to the environment, again, similar to CVSS.

At Matt Wojcik's suggestion, those on the call agreed that working on defining test types should happen first. The committed next steps are to choose a small number of vulnerabilities (5-10) and attempt to develop unauthenticated test types for them.

Page Last Updated: June 06, 2006