OVAL Board Minutes

2005-09-15, 13:00 - 14:30 EDT (GMT -0400)

Attendees

Raffael Marty - ArcSight
Kent Landfield - Citadel
Barry Day - DesktopStandard
Department of Defense
Robert Stull - eEye
Steve Manzuik - eEye
John Wilson - Microsoft
Andrew Buttner - MITRE
Robert Martin - MITRE
David Proulx - MITRE
Matthew Wojcik (OVAL Moderator) - MITRE
Anton Chuvakin - netForensics
Chris Andrew - Patchlink
Patrick Ravenel - Preventsys
Mark Cox - Red Hat
Andrew Bove - Secure Elements
Rob Hollis - ThreatGuard

Agenda

• OVAL status update
• OVAL Version 4.2?
• Version 5 update: schema issues decided and outstanding
• Intellectual Property agreement proposal
• Compatibility program

Welcome to new OVAL Board members

• Andrew Bove, Secure Elements (replaces Dan Bezilla)
• Nick Connor, Assuria

Meeting Summary

OVAL Status Update

First OVAL Developer Days held July 18-19, 2005

The event was a great success, with much productive discussion and networking. MITRE received very positive feedback, and plans to hold similar events in the future. One possibility is a single-day gathering in conjunction with the RSA 2006 conference.

Content

Over 100 vulnerability definitions have been submitted by ThreatGuard, and should appear on site by September 16th. This is the first large submission of content from outside MITRE, and is an exciting example of OVAL collaboration. MITRE would like to encourage others to respond in kind.

Compatibility

New inquiries about the compatibility program and declarations are coming in steadily. Three new organizations have declared since the last Board meeting, with more in progress.

OVAL-ID compatibility has been introduced, for services which use OVAL-IDs as references. It is a separate category from more functional compatibility types, reflecting the different level of required effort and added value. OVAL-ID compatibility declarations are on a separate page on the web site; three organizations have declared.

Current Efforts

The OVAL team's main focus now is on Version 5 development. Discussion has been primarily on the Developer list. Board members are asked to be sure they are subscribed.

Concurrent work is ongoing to develop an OVAL Intellectual Property agreement, and continues on the compatibility program.

OVAL Version 4.2

There has been serious interest expressed by a vendor who wants to start authoring OVAL definitions to publish with their security advisories. Facilitating this is a high priority for MITRE.

The vendor would like to move ahead before OVAL Version 5 is official (projected for March 2006), but requires organizationally distinct OVAL-IDs. See the Developer Days minutes and the recent Developer List thread for details on the proposed format.

MITRE is consequently considering releasing a Version 4.2 minor release update to the schemas. Possible modifications include:

• New ID format to support namespaces
• New platform (HP-UX draft submitted by ThreatGuard)
• Minor changes to existing platform schemas (Red Hat tests)

The Board was reminded that minor release updates must not invalidate existing content.

OVAL Version 5

A summary was given of the current state of work on Version 5. A number of issues seem to be basically settled, since discussion on those topics has died down. Others are either still under discussion, or are on the to-do list. It was stressed that even the "settled" issues are largely still theoretical stage. Even MITRE has not done much drafting of definitions in the new format, and no tool implementation.

Issues that seem mostly settled:

• New object declaration format, allowing for more complex object sets
• "State" elements, providing for constraints on attributes of objects (e.g. file version < 3)
• New conception of a test: associates one (or more, for some tests) set(s) of objects with a state, and evaluates to true or false.
• Multiple references allowed in a definition
• Metadata will largely be kept. Some of the current metadata which is specific to the needs of the OVAL Repository will likely be moved into an optional section. Still to be determined is what metadata should be allowed and required on elements lower than the definition level (tests, objects, states).
• Results format--supporting a full version should be required for compatibility, thin styles can be negotiable, with OVAL possibly defining a thin format as a published alternative.
• New ID format will be urn style, as
  OVAL:<org as reverse dns>:<type>:<local ID>
  Example: OVAL:org.mitre.oval:def:123
  The datatype (integer, string) of the final <local ID> portion is still under discussion.

Issues still to come:

• Extending definitions: what should be a test vs a definition, especially considering the requests for system inventory definition? How do the software and configuration sections impact definition extension? Or sections for other definition types, such as patch definitions?

  A Board member suggested that Version 5 should provide explicit logic for how to extend definitions by section. This would allow definition authors to express exactly what is meant, and give tools maximum flexibility during interpretation. There was some agreement, but also a concern that OVAL may be much more complex in Version 5, and the proposal could add complexity. The issue needs more thought and discussion.

• Variables need to be made more useful and cleaned up
• There's a standing request for pass / fail logic in definitions, allowing short-circuit operation, which needs to be considered and discussed.
• Patch definitions: there has been little additional work since the Developer Days discussion, but they are still in the queue.

Other areas

Unauthenticated testing: the working group has not met recently, and doesn't seem close to having a proposal ready. Unless there has been development MITRE is unaware of, or work suddenly accelerates, it seems unlikely that unauthenticated testing will be ready for the Version 5 draft.

Responding to a question, the Moderator explained that MITRE is facilitating and participating in the working group, but does not have the resources or sponsor demand currently to drive this area of development.

MITRE posed a question: would a weekly or bi-weekly call to discuss schema issues be useful, or is mailing list discussion working well? Board members expressed interest in calls focused on specific issues of importance. It was suggested that MITRE schedule calls for specific topics as needed.

Intellectual Property agreement proposal

A draft IP agreement for the OVAL project was sent to the Board email list recently, and there has been some comment. The draft was authored by MITRE's legal department with consideration of OVAL's goals and similar documents from organizations such as the IETF.

There was some discussion of the draft. The draft's sections on sublicensing were questioned, since sublicensing generally involves a financial arrangement. There were concerns about the rights and responsibilities regarding copyright of authors of OVAL content, and what it means to submit or publish content. It was suggested that IETF RFCs 3978 and 3979 should be re-examined as a possible model.

Compatibility program

A new draft of the compatibility requirements was sent to Board list the morning of the teleconference. This version attempts to incorporate the discussion at Developer Days and since, and adds information about OVAL-ID compatibility. Board members are asked to please review the requirements and provide comments.

MITRE's plan is for functional testing of capabilities in a testbed lab environment. Organizations that have achieved OVAL Compatibility will also be asked to aid in future reviews (e.g. a Compatible Results Producer asked to provide results files as test input to a Candidate Results Consumer). Ideas for performing reviews include at MITRE Bedford, at trade shows, or at government sponsors locations.

To aid in determining respective levels of effort and working through the details of the process, a limited review will take place at MITRE Bedford 22-23 September 2005. Invitees included the vendors who have informed MITRE they have implemented OVAL capabilities and expressed a desire to be Reviewed. MITRE hopes to hold an open invitation Review within six months.

Page Last Updated: February 07, 2008