OVAL-Compatible Products and Services — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.

OVAL-Compatible Products and Services: 20

The products and services listed below have achieved the final stage of MITRE's formal OVAL Compatibility Program and are now "Officially OVAL-Compatible." Each organization's product is now eligible to use the OVAL-Compatible Product/Service logo, and their completed and reviewed "OVAL Compatibility Requirements Evaluation" questionnaires are posted here and on the Organizations Participating page as part of their product listings.


Version 5 Compatible

Products are listed alphabetically by organization name:



BigFix, Inc.
Date Declared: June 20, 2006

Web Site: www.bigfix.com
Quote/Declaration: BigFix enables organizations to better manage their global IT infrastructures with solutions to discover, analyze, change, and maintain security and software configurations faster and more accurately, resulting in improved processes, greater visibility, better security and more reliable services while reducing costs.

BigFix supports the adoption of open standards such as OVAL as an important part of reducing IT security risk and improving policy and regulatory compliance. The BigFix Enterprise Suite for Vulnerability and Security Configuration Management consumes OVAL Definitions to provide real-time vulnerability detection and remediation for heterogeneous distributed networks. The suite will produce OVAL Systems Characteristics and OVAL Results to enable tools that consume OVAL to leverage the accurate and real-time configuration and security visibility provided by BigFix solutions.


Name: BigFix Enterprise Suite for Vulnerability and Security Configuration Management, Version 6.0
Type: Real-Time Security Configuration Management Suite 
OVAL Definition Consumer: Yes
OVAL Results Producer: Planned
OVAL Systems Characteristics Producer: Planned
Review Completed Questionnaire

Last Updated: October 4, 2006



Configuresoft, Inc.
Date Declared: December 1, 2006

Web Site: www.configuresoft.com
Quote/Declaration: OVAL compatibility will improve the efficiency and effectiveness with which our customers can leverage authoritative vulnerability and remediation content, as well as improve inter-application integration across the provisioning, configuration and compliance stacks in the enterprise.


Name: Enterprise Configuration Manager
Type: Assessment and Remediation solution 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Yes
OVAL Results Producer: Yes
OVAL Definition Producer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: No
Review Completed Questionnaire

Last Updated: January 31, 2007



GFI Software Ltd.
Date Declared: February 20, 2007

Web Site: www.gfi.com
Quote/Declaration: GFI LANguard Network Security Scanner is our award winning software solution which helps security administrators be in contact with the real security status of their network. GFI LANguard N.S.S. integrates the three main pillars of security management i.e. Vulnerability Scanning, Network Auditing and Patch management into one product. The results of the three areas are processed, grouped and linked to provide a unified view which reflects more closely the big picture of the threats which are present on the network.

GFI recognizes the importance of standards in a field which is encountering even bigger challenges, variation of attacks and abuses of IT systems. While searching for a standard which will allow us to adhere to as well as encourage our customers to report vulnerabilities in a particular format, we found a perfect synergy between our technology and OVAL. We believe that such integration will provide a common ground for our customers and security administrators out there to share and unify experiences against these ever increasing threats.


Name: LANguard Network Security Scanner
Type: Network Vulnerability Assessment and Remediation 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Planned
OVAL Results Producer: Planned
Review Completed Questionnaire

Last Updated: April 13, 2007



Hewlett-Packard Development Company
Date Declared: April 17, 2007

Web Site: www.hp.com
Quote/Declaration: The Opsware Server Automation System along with The Opsware Network enables IT organizations to efficiently manage their server infrastructure, ensure compliance with industry standards and internal best practices, and provides an actionable vulnerability service designed to rapidly identify and remediate network vulnerabilities that apply to the IT organization based on their server infrastructure.

HP (formerly Opsware) supports the OVAL standard for vulnerability disclosure. Standardizing on the OVAL format will assist the IT organization in reducing the vulnerability window between vulnerability notification and remediation.


Name: Opsware Server Automation System
Type: Application Management 
OVAL Definition Consumer: Yes
Review Completed Questionnaire

Name: The Opsware Network
Type: Repository of Content 
OVAL Definition Producer: Yes
Review Completed Questionnaire

Last Updated: November 13, 2007



KACE Networks, Inc.
Date Declared: June 8, 2006

Web Site: www.kace.com
Quote/Declaration: The KBOX 1000 Series Systems Management Appliances by KACE are a secure line of server appliances that automate routine and complex IT maintenance tasks improving IT productivity and security. Included with the KBOX 1000 Series appliances are a set of security features which provide vulnerability auditing through seamlessly integrating OVAL tests and reporting on the outcomes at both the individual node and aggregate network levels. The KBOX 1000 Series is also searchable by OVAL-ID. In addition, security policies can be set and enforced through automatic remediation and, if necessary, node quarantine to prevent security breaches and/or network infections.

KACE applauds the OVAL standard efforts as a key enabler for helping IT organizations deal with the very real security and productivity threats that have escalated dramatically in the last five years.


Name: KBOX 1000 Series Systems Management Appliances
Type: IT Automation Appliances 
OVAL Definition Consumer: Yes
Review Completed Questionnaire

Last Updated: October 16, 2006



Lumension Security
Date Declared: September 5, 2006

Web Site: www.lumension.com
Quote/Declaration: The Lumension (formerly PatchLink) OVAL Add-In comes in several versions integrated with Lumension Update, Lumension Enterprise Reporting and Lumension Scanner Integration. The Add-In is a Web application that consumes results and system characteristic files from clients through manual or automatic uploads. The Add-In consumes definitions from multiple sources, consolidates and produces operating system family specific definition files. The Add-In includes command-line-based interpreters and is designed to work with 3rd party interpreters to produce system characteristic and result files. Data is stored in a database that supports XML as a native database and has XPath support.


Name: Lumension OVAL Add-In (Special Edition), Version 6.3
Type: Vulnerability/Patch/Compliance Assessment 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Yes
OVAL Results Producer: Yes
OVAL Systems Characteristics Consumer: Yes
OVAL Systems Characteristics Producer: Yes
Review Completed Questionnaire

Last Updated: September 14, 2007



McAfee, Inc.
Date Declared: January 29, 2007

Web Site: www.mcafee.com
Quote/Declaration: OVAL is establishing the bar on interoperability between tools in the vulnerability identification and vulnerability remediation management and system state fields. The ability to specifically describe vulnerabilities on a system and exchange that information between tools is doing a great deal to improve the offerings vendors supply to their customers. McAfee is actively working with OVAL to foster and advance this effort.


Name: Hercules Policy Auditor 4.5
Type: Automated Vulnerability Remediation, Compliance Management, Policy Audit, Policy Enforcement and Vulnerability Management 
OVAL Results Consumer: Yes
Review Completed Questionnaire

Name: Hercules Remediation Manager 4.5
Type: Automated Vulnerability Remediation, Compliance Management, Policy Audit, Policy Enforcement and Vulnerability Management 
OVAL Results Consumer: Yes
Review Completed Questionnaire

Last Updated: August 22, 2007



MMG Security, Inc.
Date Declared: October 12, 2006

Web Site: www.mmgsecurity.com
Quote/Declaration: Sussen is a host-based vulnerability assessment tool. Its purpose is to search for vulnerabilities, configuration and policy issues on computer systems. Sussen uses agents for distributed deployments and a web interface for management/reporting.

MMG Security fully supports the OVAL standard and is committed to providing support for producing/consuming all OVAL documents and interoperability with other OVAL-compatible products.


Name: Sussen Version 1.0
Type: Vulnerability Assessment / Policy Compliance 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Yes
OVAL Results Producer: Yes
OVAL Systems Characteristics Consumer: Yes
OVAL Systems Characteristics Producer: Yes
Review Completed Questionnaire

Last Updated: February 2, 2006



NetIQ Solutions from Attachmate
Date Declared: September 12, 2006

Web Site: www.netiq.com
Quote/Declaration: NetIQ Secure Configuration Manager measures and enforces compliance to configuration baselines in accordance with corporate policies, regulations and evolving threats and vulnerabilities. It also performs remediation on compliance and configuration gaps, using security knowledge that is updated in real time. Secure Configuration Manager proactively ensures that organizations are identifying the latest system vulnerabilities and complying with policies to manage information security risk. This allows users to correct exposures before they result in security breaches, failed audits or costly downtime. OVAL is an integral part of NetIQ's approach to assure compliance, manage IT risks and secure assets. NetIQ Secure Configuration Manager consumes OVAL Definitions to provide host based vulnerability assessment for global, heterogeneous environments. NetIQ Secure Configuration Manager also consumes OVAL results, allowing organizations to leverage existing investments in network vulnerability assessment tools while providing a single point of roll-up, scoring and presentation of security configuration and vulnerability assessment results.


Name: NetIQ Secure Configuration Manager 5.6
Type: Configuration and Vulnerability Management 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Planned
OVAL Results Producer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
Review Completed Questionnaire

Last Updated: January 31, 2007



NIST Computer Security Division
Date Declared: January 18, 2007

Web Site: csrc.nist.gov/
Quote/Declaration: The Security Content Automation Program (SCAP) is a public free repository of security content to be used for automating technical control compliance activities, vulnerability checking (both application misconfigurations and software flaws), and security measurement.


Name: Security Content Automation Program
Type: Repository of Compliance Checks 
OVAL Definition Producer: Yes
Review Completed Questionnaire

Last Updated: January 31, 2007



Red Hat, Inc.
Date Declared: May 18, 2006

Web Site: www.redhat.com
Quote/Declaration: The Red Hat Security Response team constantly tracks and investigates all security issues affecting Red Hat customers, providing timely and clearly explained patches and security advisories via the Red Hat Network, designed to help customers evaluate and manage their risk. By creating and supporting OVAL patch definitions we provide a structured and machine-readable version of our security advisories, allowing OVAL-compatible tools to test for the presence of described vulnerabilities.


Name: Red Hat Security Advisories
Type: Security Update Advisories 
OVAL Definition Producer: Yes
Review Completed Questionnaire

Last Updated: May 18, 2006



Secure Elements, Inc.
Date Declared: June 16, 2006

Web Site: www.secure-elements.com
Quote/Declaration: C5 Compliance Platform consists of an integrated security appliance and host-based sensors, and is a plug-and-play compliance and vulnerability management solution. Our sensors are unique in that they are "light weight," with negligible processor, memory, and hard disk requirements. We also use the Common Vulnerabilities and Exposures (CVE) dictionary for standardized naming and vulnerability identification and other information security exposures.


Name: C5 Compliance Platform Version 3.0
Type: Enterprise Compliance and Vulnerability Management 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Yes
OVAL Results Producer: Yes
Review Completed Questionnaire

Last Updated: May 8, 2007



Security-Database
Date Declared: January 7, 2007

Web Site: www.security-database.com
Quote/Declaration: SSA is a non-intrusive host-based security analyzer that fully uses the capabilities of the OVAL interpreter. Next releases will integrate the ability to report vulnerabilities using OVAL-ID, CVE and CVSS, missed patches, users policy and many more features. Security-Database, a senior security consultants consortium, actively promotes open standards projects. And the OVAL concept is one of the best that IT organizations have to keep an eye on.


Name: Security System Analyzer Version 1.5
Type: Vulnerability Assessment / Policy Compliance 
OVAL Definition Consumer: Yes
OVAL Results Consumer: Yes
OVAL Results Producer: Yes
OVAL Systems Characteristics Consumer: Yes
OVAL Systems Characteristics Producer: Yes
OVAL Definition Producer: No
Review Completed Questionnaire

Last Updated: April 11, 2007



ThreatGuard, Inc.
Date Declared: January 5, 2004

Web Site: www.ThreatGuard.com
Quote/Declaration: ThreatGuard's Vulnerability Management products utilize accurate vulnerability reporting as one of their cornerstones. The OVAL definitions provided and maintained by the OVAL community represent the most accessible and thorough collection of on-box vulnerability definitions for Windows, Linux, Solaris, HP-UX, and Cisco IOS. ThreatGuard recognizes the advantages in applying the OVAL definitions on a network-wide basis to enhance vulnerability detection, patch management, compliance management, and software inventory and has thus made OVAL Compatibility a significant feature of the ThreatGuard products since January 2005.

By seamlessly including OVAL tests in our vulnerability scanning subsystem, ThreatGuard, Inc. validates and endorses the use of OVAL definitions on a network-wide basis. ThreatGuard also performs value-added steps, such as providing solution text and integrated CVSS references where applicable. By performing these tests in Java from a Linux-based, auto-updated network appliance, ThreatGuard enables a wide array of organizations to take advantage of the OVAL team's tremendous work.


Name: Secutor Prime
Type: Compliance Management and Remediation 
OVAL Definition Consumer: Yes
OVAL Results Producer: Yes
OVAL Results Consumer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
OVAL Definition Producer: No
Review Completed Questionnaire

Name: ThreatGuard 4.5
Type: Continuous Security Auditing and Compliance Management 
OVAL Definition Consumer: Yes
OVAL Results Producer: Yes
OVAL Results Consumer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
OVAL Definition Producer: No
Review Completed Questionnaire

Name: ThreatGuard OEM Integration Kit 1.0
Type: Libraries to Build OVAL Compatibility into Third-Party Systems 
OVAL Definition Consumer: Yes
OVAL Results Producer: Yes
OVAL Results Consumer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
OVAL Definition Producer: No
Review Completed Questionnaire

Name: ThreatGuard On Demand 1.0
Type: On Demand Auditing and Compliance Management 
OVAL Definition Consumer: Yes
OVAL Results Producer: Yes
OVAL Results Consumer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
OVAL Definition Producer: No
Review Completed Questionnaire

Name: ThreatGuard Traveler 4.5
Type: Continuous Security Auditing and Compliance Management for Service Providers 
OVAL Definition Consumer: Yes
OVAL Results Producer: Yes
OVAL Results Consumer: Planned
OVAL Systems Characteristics Consumer: Planned
OVAL Systems Characteristics Producer: Planned
OVAL Definition Producer: No
Review Completed Questionnaire

Last Updated: January 19, 2007


Page Last Updated: June 04, 2009