Industry News Coverage - 2003 Archive

Below is a comprehensive monthly review of the news and other media's coverage of OVAL. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

Date: 12/4/2003
Publication: Government Computer News

Byline: William Jackson
Headline: "Look it up: A common language for vulnerabilities"

Excerpt or Summary:
OVAL was the main topic of this article, which quotes CVE Compatibility Lead Robert A. Martin, "[OVAL is] how you describe the test conditions for vulnerabilities." Martin goes on to say that OVAL is the next step in standardizing vulnerability management, and that it describes software configuration parameters used in querying various platforms for known vulnerabilities.

The author also mentions the role CVE names and candidates play in the OVAL effort, describes what CVE is and CVE Compatibility, and notes that "Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products." The author also includes the current number of entries on the CVE List: "[CVE] now contains about 2,572 entries, with another 3,832 under evaluation."

The article concludes with the following statement about OVAL: "Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them."

Date: 11/2003
Publication: OVAL White Paper

Byline: Matthew Wojcik, Tiffany Bergeron, Todd Wittbold, and Robert Roberge
Headline: "OVAL: A New Language to Determine the Presence of Software Vulnerabilities"

Excerpt or Summary:
This white paper introducing the OVAL concept is posted for review and download on the Documents page on the OVAL Web site. The white paper explains what OVAL is and how OVAL improves vulnerability assessment. Also discussed are an OVAL-enabled process; the OVAL Board of industry, academia, and government organizations; OVAL's broad industry participation via the OVAL Community Forum; the community-developed OVAL Schema; the process for creating OVAL queries; a technical discussion about the Reference Query Interpreter and how other implementations and uses of OVAL are actively encouraged; the value of OVAL's CVE compatibility; MITRE's role; and a summary of OVAL benefits.

Date: 8/2003
Publication: MITRE Digest

Byline: Robert Roberge
Headline: "OVAL: A New Language to Determine the Presence of Software Vulnerabilities"

Excerpt or Summary:
OVAL was the featured topic in this article, which describes what OVAL is and explains how OVAL improves vulnerability assessment. The article discusses the OVAL Schema, OVAL queries, CVE, and the community-involvement and endorsement aspect of the OVAL effort via the OVAL Board and the OVAL Community Forum. OVAL Editor Matthew N. Wojcik and OVAL Project Manager J. Todd Wittbold are also quoted throughout.

Date: 6/2003
Publication: MITRE Web site

Byline: Alison Stern-Dunyak
Headline: "Tough on Computer Intruders: OVAL Helps IT Professionals Identify System Security Flaws"

Excerpt or Summary:
OVAL Editor Matthew Wojcik was profiled in this "Employee Spotlight" article on the MITRE Web site. The article describes what OVAL is and explains Wojcik's role in the OVAL effort. It also describes Wojcik's personal background.

Date: 3/2003
Publication: IEEE Software, Vol. 20, No. 2

Byline: Terry Costlow
Headline: "Software Language Should Help Protect Networks from Hackers"

Excerpt or Summary:
OVAL was the featured topic in this article in which the author describes what OVAL is and how it works, mentions the importance of information security community involvement and participation in the development of OVAL queries, includes a link to the OVAL Web site, and notes that OVAL builds upon the CVE Initiative. The author states: "OVAL is a natural follow on [to CVE] that will eliminate most ambiguity that currently plagues IT managers who are always on the lookout for the latest entry points for hackers."

The author quotes Jay Beale, team leader of the Center for Internet Security, and R&D vice president at Stutzman Pierce, a Baltimore consulting group: "OVAL has the potential to make keeping track of known vulnerabilities actually manageable. While it won't do an analysis of the impact of a vulnerability to your organization or discover new vulnerabilities, OVAL can be more comprehensive than these existing approaches."

The article also discusses how OVAL addresses two major issues for network managers. This first is false positives, which occur when one test program determines that an error is present when it is not, "forcing managers to spend hours deciding whether they should fix the problem and how to do so. By adding more structure to tests, OVAL should eliminate many false positives." The second issue is that "end users presently don't know why [scanning] programs give their results, so those trying to fix them don't know which test program to use or whether they need to apply an available software patch. With OVAL, these problems should be a thing of the past."

Regarding community participation, the author says: ". . . OVAL's big benefit is that it provides another avenue for [technologists and programmers] to share ideas. Many of these companies are working on the same problems at the same time, developing proprietary ideas. At times this work is redundant; at other times, the ideas could be enhanced if more programmers were aware of them." The author also states: "Once these programmers use OVAL to create tools for locating vulnerabilities, their customers should find it much easier to prevent viruses, worms, and hackers from wreaking havoc on their systems."

Date: 2/2003
Publication: Information Security Magazine

Byline: Keith Regan
Headline: "Groups Develop Granular Security Info"

Excerpt or Summary:
OVAL was a featured topic in this article about refining the dissemination of vulnerability alerts and security advisories to "[help] organizations make sense of the daily torrent of virtually unrefined information." The author discusses how OVAL addresses this problem: "Similarly, the keepers of the Common Vulnerabilities and Exposures list recently launched Open Vulnerability Assessment Language (OVAL) which builds upon CVE to create a means for making vulnerability alerts more applicable to individual enterprises."

The author describes how OVAL works as a community effort and quotes MITRE project leader Margie Zuk on the part OVAL plays: "It's the logical next step. CVE was the beginning of trying to bring some order, and [OVAL] is aimed at improving things." The author then includes a quote by OVAL Editor Matt Wojcik, who states: "One of the problems now is there's such a large amount of information that's exchanged at a general level. At the same time, there isn't a lot of detailed technical information about how to detect if that vulnerability exists on your network." The author notes that OVAL addresses this problem, and then explains that OVAL also addresses the issue of system administrators running various diagnostic software programs to determine if vulnerabilities are present but then getting different answers from the different programs.

The author concludes the article with a quote from co-creator and editor of the CVE List Steve Christey, who states: "[OVAL] brings us one step closer to demystifying and improving how vulnerabilities can be detected on computer systems. It raises the bar by actually creating a bar."

Page Last Updated: June 09, 2006