News and Events - 2003 Archive

December 31, 2003

Official XML Specification for OVAL Now Available

A final draft of the official OVAL XML Specification is now available in the Official OVAL Schema section of the OVAL Web site. In addition, 55 "draft" OVAL XML Vulnerability Definitions for Microsoft's November Security Bulletins have been posted in the Example Definitions portion of the XML Specification page.

An "OVAL Vulnerability Definition" in XML is the equivalent to an OVAL Query in OVAL's original SQL format. MITRE added XML as a format for OVAL because the data-centric approach of XML makes it easier to extract the logical criteria of a definition and allows it to be combined with other XML data in order to extend the usefulness of OVAL. Along with the official specification, a core Official OVAL XML Schema describes the basics of the format, and individual XML-format schemas for each of the supported Microsoft Windows, Sun Solaris, and Linux platforms specifies how to refer to configuration parameters in the vulnerability definitions and defines what system data to collect and how to collect it.

Refer to the Official OVAL XML Specification page for additional information or to review the specification. Visit the Get OVAL Queries page to review vulnerability definitions.

Back to top
December 17, 2003

New OVAL Board Member

Raffael Marty of ArcSight, Inc. has joined the OVAL Board.

Back to top
December 4, 2003

OVAL Query Index Pages Enhanced with Additional Information

The OVAL Query Index pages in the Review OVAL Queries section have been enhanced with additional information to help users, query writers, and developers locate the information they require more swiftly. All query index pages now include the (1) OVAL-ID, (2) CVE-ID, (3) platform, and (4) the date modified for each query listed. In addition, the OVAL-ID will be a link to the specific query and the CVE-ID a link to the page for the CVE name located on the CVE Web site.

Visit the Review OVAL Queries section to review queries and inserts.

OVAL Queries for Windows XP Now Available on OVAL Web Site

OVAL queries for the Microsoft Windows XP platform are now available for review and comment in the Get OVAL Queries section of the OVAL Web site. There are currently 12 queries for XP, all of which have "Draft" status and are searchable by OVAL-ID and CVE name. In addition, a draft schema for Windows XP is available for comment and review on the Official OVAL Schema page.

Join the OVAL Community Forum to participate in ongoing discussions about these queries, the schema, other previously posted OVAL content, and to submit your own OVAL queries.

OVAL Is Main Topic of Article in Government Computer News

OVAL was the main topic of a December 4, 2003 article in Government Computer News entitled "Look it up: A common language for vulnerabilities." The article quotes CVE Compatibility Lead Robert A. Martin, "[OVAL is] how you describe the test conditions for vulnerabilities." Martin goes on to say that OVAL is the next step in standardizing vulnerability management, and that it describes software configuration parameters used in querying various platforms for known vulnerabilities.

The author also mentions the role CVE names and candidates play in the OVAL effort, describes what CVE is and CVE Compatibility, and notes that "Both the National Institute of Standards and Technology and the Defense Department recommend that agencies give preference to CVE-compatible products." The author also includes the current number of entries on the CVE List: "[CVE] now contains about 2,572 entries, with another 3,832 under evaluation."

The article concludes with the following statement about OVAL: "Although testing and scanning tools are becoming common for discovering vulnerabilities in computer systems, there are no standards for these tasks. OVAL will provide standards so that automating vulnerability management can be more effective, Martin said. It will define the attributes needed to find vulnerabilities in a system, to prioritize them and fix them."

OVAL Introductory White Paper Now Available

A white paper entitled "Introduction to OVAL: A New Language to Determine the Presence of Software Vulnerabilities" is now available for review and download from the Documents page on the OVAL Web site. The white paper introduces the OVAL concept and explains how OVAL improves vulnerability assessment.

Table of contents:

  1. Introduction
  2. Open Vulnerability Assessment Language (OVAL)
  3. An OVAL-Enabled Process
  4. Improving Vulnerability Assessment with OVAL
    • System Administrators and Other End Users
    • Software and Tool Vendors
    • Community Involvement and Support
  5. An OVAL Board of Industry, Academia, and Government Organizations
  6. Broad Industry Participation via the OVAL Community Forum
  7. A Community-Developed OVAL Schema
  8. Creating OVAL Queries
  9. Reference Query Interpreter
    • How the Query Interpreter Works
    • OVAL Query Syntax Checker
    • Other Implementations and Uses of OVAL Actively Encouraged
  10. Value of OVAL's CVE Compatibility
  11. MITRE's Role
  12. Summary of OVAL Benefits
  13. Conclusion

You may download or review this and other documents about OVAL from the Documents page.

'Documents' Page Added to the OVAL Web Site

A Documents page has been added to the OVAL Web site as a resource of OVAL articles, briefings, and papers; OVAL process and technical documents; and other documents such as press releases and the FAQs; which have been written by members of the OVAL team. One such item is the OVAL Brochure, now available for review or download. The brochure is a complete introduction to the OVAL effort, and includes graphical representation of OVAL's role in the information security community and of the stages of an OVAL query. Review these and other documents on the Documents page in the About section of the OVAL Web site.

Back to top
November 19, 2003

XML Specification for OVAL Now Available for Review and Comment

A Draft OVAL XML Specification for OVAL data has been posted for public review and comment in the Official OVAL Schema section of the OVAL Web site. The specification is a direct result of the efforts of the OVAL Developer's Working Group. MITRE instituted the working group in May of this year to develop an XML specification of OVAL as an alternative format for tool developers for use in non-SQL applications, and as a way for query writers to reuse components of existing queries when writing new queries.

XML will be an alternative format to the current SQL format. XML was chosen as an alternative because the data-centric approach of XML makes it easier to extract the logical criteria of a definition, and also allows it to be combined with other XML data in order to extend the usefulness of OVAL. We have posted a core OVAL XML Schema that describes the basics of the format. Also posted are individual XML-format schemas for each of the supported platforms: Microsoft Windows, Sun Solaris, and Linux. Each of these describes certain types of tests that can be encoded within an OVAL definition. Individual examples of definitions—OVAL296 (Windows); Policy (Windows); OVAL9 (Solaris); and OVAL28 (Linux)--are also available for review. Refer to the Draft OVAL XML Specification page for additional information and links.

Comment and discussion on XML and the XML specification are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

OVAL to Present Briefing at the Fifth Annual Secure Trusted Operating System Consortium Symposium

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, will present a briefing entitled "CVE and OVAL—Security Standards that Are Making a Difference" at the Fifth Annual Secure Trusted Operating System Consortium Symposium at the Morris & Gwendolyn Cafritz Foundation Conference Center at George Washington University, Washington, D.C., USA. The conference, scheduled for December 1st - 5th, is targeted to "system and lab administrators, programmers, developers, strategists, consultants and other technical staff involved in the design, development, deployment and securing of systems," as well as "anyone for whom security is a requirement and not just a desire."

Visit the OVAL Calendar page for information about this and other upcoming events.

Conference Photos of OVAL Booth at LISA 2003

MITRE hosted an OVAL/CVE exhibitor booth at LISA 2003 October 29th - 30th in San Diego, California, USA. See photos below.

LISA 2003 LISA 2003 LISA 2003 LISA 2003 LISA 2003 LISA 2003
Back to top
November 5, 2003

QUERY INTERPRETER DATA FILES UPDATED: November 5, 2003/Version 1.4

Updated Data Files for the OVAL Reference Query Interpreter for Windows NT 4.0/Windows 2000, Version 1.2, are now available for download from the OVAL Web site. The most recent Data Files update is version 1.4 dated November 5, 2003.

The updated data files include the most recent versions of the following: (1) the official OVAL Schema, (2) the latest Insert Statements, and (3) all new and/or modified Accepted and Interim queries for the Windows NT 4.0 and 2000 platforms. New data file downloads are identified by date and listed by platform on the Query Interpreter MD5 Hash/Checksum and Data Files page.

Since OVAL queries are produced and modified often, users should periodically check the Query Interpreter MD5 Hash/Checksum and Data Files page for updates.

OVAL Hosts Booths at FIAC 2003 and LISA 2003

MITRE hosted an OVAL/CVE exhibitor booth at two events in October, FIAC 2003 and LISA 2003. The first, Federal Information Assurance Conference (FIAC) 2003, was held October 21st and 23rd in Adelphi, Maryland, USA. The event was successful and exposed CVE and OVAL to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. Companies with CVE-compatible products and services also exhibited.

The second event, the Large Installations Systems Administration (LISA) Conference 2003, was held October 29th and 30th in San Diego, California, USA. The LISA conference was also successful and introduced CVE and OVAL to ". . . a wide range of system and network administrators working in the full spectrum of computing environments—large corporations, small businesses, academic institutions, [and] government agencies . . . "

Visit the OVAL Calendar page for information about upcoming events.

Conference Photos of OVAL Booth at FIAC 2003

FIAC 2003 FIAC 2003 FIAC 2003 FIAC 2003
Back to top
October 17, 2003

New OVAL Board Member

Mark West of Microsoft has joined the OVAL Board.

Senior Advisory Council Holds Meeting

The CVE Senior Advisory Council, which also provides oversight for the OVAL effort, held a meeting on Thursday, October 2, 2003. MITRE established the advisory council in 2000 in order to help guide CVE and to ensure the initiative receives appropriate funding. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems.

The meeting included status updates on the CVE Initiative, focusing on the progress of the CVE Compatibility program and the current of compatibility declarations for 135 products from 90 organizations; status updates on the OVAL effort, including a discussion of an XML Schema to represent OVAL queries; policy compliance with regard to system configuration and traceability for Federal Information Security Management Act (FISMA)-like compliance assessments; and a report on the current work of the Department of Homeland Security's National Cyber Security Division (NCSD).

Visit the CVE Web site to view a list of the advisory council members or to read a copy of the council charter.

Back to top
October 6, 2003

"Initial Submission" Queries Now Available for Review on the OVAL Web Site

Initial Submission Queries are now available for review by OVAL-ID, CVE name, and operating system in the Get OVAL Queries section of the OVAL Web site. We are posting initial submissions so that OVAL Community Forum members' efforts are not duplicated in the writing, development, and vulnerability selection of new OVAL queries, and to show the most current coverage of OVAL queries for all supported platforms. Initial Submissions are posted for HP-UX, Windows 2000, and Windows NT 4.0.

OVAL queries have four main levels of status, as outlined in the Stages of an OVAL Query:

  (1) Initial Submission: Queries that are incomplete, under development, or awaiting confirmation of outstanding information. They are assigned OVAL-IDs and are currently under review and/or are being held for additional information by the OVAL Editor.  
  (2) Draft: Reviewed by the OVAL Editor, these "rough draft" queries are now available on the OVAL Web site for review by Forum members, the OVAL Board, and the general public.  
  (3) Interim: Queries that have passed through the rough draft discussion and debate period are moved to "Interim" status by the OVAL Editor. They remain open for review and comment, and are included in Query Interpreter data file downloads.  
  (4) Accepted: Queries that have passed the Interim stage are posted as "Version 1 Accepted Queries," the final stage. Discussion surrounding the creation of the query or threads from the Community Forum are archived to give context for the query. Although in the "final" stage, accepted queries remain open for review and comment. They are included in Query Interpreter data file downloads.  

Concerns or comments on initial submissions should be addressed on the OVAL Community Forum, or directly with the OVAL Editor at oval@mitre.org. Visit the Review Initial Submission Queries page for more information or to review initial submissions.

OVAL Queries for Red Hat Linux Now Available on OVAL Web Site

89 new OVAL queries for the Red Hat Linux platform are now available for review and comment in the Get OVAL Queries section of the OVAL Web site. All 89 have "Draft" status and are searchable by OVAL-ID and CVE name. In addition, a draft schema for Red Hat Linux is available for comment and review on the Official OVAL Schema page. Join the OVAL Community Forum to participate in ongoing discussions about these queries, the schema, other previously posted OVAL content, and to submit your own OVAL queries.

OVAL to Host Booth at FIAC 2003

MITRE is scheduled to host an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2003 October 21st through the 23rd at the University of Maryland University College Inn and Conference Center, Adelphi, Maryland, USA. The conference will expose OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, and federal managers from numerous agencies of the U.S. federal government.

Visit the OVAL Calendar page for information about FIAC 2003 and other upcoming events.

OVAL to Host Booth at LISA 2003

MITRE is scheduled to host an OVAL/CVE exhibitor booth at LISA 2003 on October 29th and 30th at the Town & Country Resort and Convention Center, San Diego, California, USA. The conference will expose OVAL and CVE to ". . . a wide range of system and network administrators working in the full spectrum of computing environmentslarge corporations, small businesses, academic institutions, [and] government agencies . . . "

Visit the OVAL Calendar page for information about LISA 2003 and other upcoming events.

Back to top
September 12, 2003

'How to Participate on the OVAL Community Forum' Page Added to OVAL Web Site

A new page explaining How to Participate on the OVAL Community Forum has been added to the OVAL Community Forum section of the OVAL Web site. The new page explains in detail the various ways in which new and current Forum members may participate, and are participating, on the Forum and in the OVAL effort in general. Members may contribute within as many of the following broad areas as they wish:

(1) Writing and Development of Existing and New OVAL Queries
(2) Development of Existing and New OVAL Schema
(3) Providing Technical and Other Help to the OVAL Effort
(4) Spreading the Word About the OVAL Effort

See the How to Participate on the OVAL Community Forum page for the specific and detailed ways in which you may actively contribute. As always, active participation is important to the success of the Forum and of OVAL.

Back to top
August 28, 2003

'Calendar of Events' Page Added to OVAL Web Site

A Calendar of Events page has been added to the News section of the OVAL Web site. The calendar will note conferences and other events at which OVAL will be exhibiting an OVAL booth and/or delivering presentations throughout the year. Each listing will include the event name with URL, date of the event, location, and a description of MITRE's activity at the event.

OVAL Is Featured Topic of MITRE Digest Article

OVAL was the featured topic of an August 2003 article in MITRE Digest entitled, "OVAL: A New Language to Determine the Presence of Software Vulnerabilities." The article describes what OVAL is and explains how OVAL improves vulnerability assessment. The article discusses the OVAL Schema, OVAL queries, CVE, and the community-involvement and endorsement aspect of the OVAL effort via the OVAL Board and the OVAL Community Forum. OVAL Editor Matthew N. Wojcik and OVAL Project Manager J. Todd Wittbold are also quoted throughout.

Back to top
August 14, 2003

Updated Schemas for Windows 2000; Windows NT 4.0; and Solaris 7, 8, and 9 Posted for Review

Draft 2 versions of OVAL Schema for Microsoft Windows 2000; Microsoft Windows NT 4.0; and Sun Solaris 7, 8, and 9 have been posted on the OVAL Web site for comment and review. The existing schema versions currently posted on the Official OVAL Schema page—Windows 2000, version 1; Windows NT 4.0, version 1; and Solaris 7/8, version 1—remain the official OVAL Schema, but will be updated to version 2 once the review period is complete.

All OVAL queries use the common OVAL Schema to keep queries consistent and standardized for each platform. Approved by the OVAL Board, each OVAL Schema is operating system-specific, specifies how to refer to configuration parameters in queries, uses the operating system vendors' naming conventions, and defines what system data to collect and how to collect it.

Refer to the Official OVAL Schema page for more information about these and other supported platforms.

Draft Schemas for Windows XP and Red Hat Linux Updated

Updated draft versions of OVAL Schema for Microsoft Windows XP and Red Hat Linux have been posted on the Official OVAL Schema page for comment and review.

The official schemas for Windows 2000; Windows NT 4.0; and Solaris 7, 8, and 9 have also been updated (see article above). Visit the Official OVAL Schema page for information on these and all supported platforms.

Schema for Hewlett Packard UNIX Added to OVAL Web Site

A draft schema for Hewlett Packard UNIX (HP-UX) has been added to the Official OVAL Schema page on the OVAL Web site. Official OVAL Schema for Sun Solaris 7 and 8 was previously available for UNIX.

Schema for Windows Server 2003 Added to OVAL Web Site

A draft schema for Microsoft Server 2003 has been added to the Official OVAL Schema page on the OVAL Web site. Official schema for Microsoft Windows NT 4.0 and Microsoft Windows 2000 were previously available on the site, while Microsoft Windows XP was supported in draft form.

Schema for Sun Solaris 9 Added to OVAL Web Site

A draft schema for Sun Solaris 9 has been added to the Official OVAL Schema page on the OVAL Web site as part of the version 2 update of the Sun Solaris 7/8 schema. The version 2 draft update will now be for the Sun Solaris 7, 8, and 9 platforms. Draft schema for HP-UX is also available for the UNIX platform.

Back to top
August 1, 2003

Updated Data Files for OVAL Query Interpreter for Windows Released

Updated Data Files for the OVAL Reference Query Interpreter for Windows NT 4.0/Windows 2000, Version 1.1, are now available for download from the OVAL Web site.

The updated data files include the most recent versions of the following: (1) the official OVAL Schema, (2) the latest Insert Statements, and (3) all new and/or modified Accepted and Interim queries for the Windows NT 4.0 and 2000 platforms. New data file downloads are identified by date and listed by platform on the Query Interpreter MD5 Hash/Checksum and Data Files page. The most recent Data Files update is version 1.2 dated August 1, 2003.

Since OVAL queries are produced and modified often, users should periodically check the Query Interpreter MD5 Hash/Checksum and Data Files page for updates. Announcements about updates are also made on the News & Events page.

OVAL Hosts Booth at GOVSEC 2003

MITRE hosted a OVAL/CVE exhibitor booth at GOVSEC 2003 on July 23rd and 24th at the Washington Convention Center, Washington D.C., USA. The conference exposed OVAL and CVE to security professionals from U.S. federal, state, and local governments responsible for information security, cyber security, and physical security. Thanks to all who stopped by. Watch this News & Events page for information on upcoming events.

Back to top
July 11, 2003

New OVAL Board Member

Javier Fernandez-Sanguino of Debian has joined the OVAL Board.

REMINDER: OVAL to Host Booth at GOVSEC 2003, July 23-24

MITRE is scheduled to host an OVAL/CVE exhibitor booth at GOVSEC 2003 on July 23rd and 24th at the Washington Convention Center, Washington D.C., USA. We invite you to stop by Booth 1029 and say hello.

Back to top
June 26, 2003

MITRE Releases Source Code for OVAL Query Interpreter

MITRE has released the source code for the OVAL Reference Query Interpreter for Windows NT 4.0/Windows 2000, version 1.1, to further assist developers in incorporating OVAL vulnerability information into their tools and services. The source code is being released under the terms of the GNU General Public License.

The free OVAL Query Interpreter was developed to demonstrate the usability of OVAL queries, and for query writers to use to ensure correct syntax and adherence to the OVAL Schema during the development of draft queries. See the Download the Query Interpreter page for more information about the interpreter and a copy of the license agreement.

OVAL Board Member Mark Cox to Present Briefing that Includes OVAL and CVE at LinuxWorld

OVAL Board member Mark Cox of Red Hat Linux is scheduled to present a briefing that includes OVAL and CVE at the LinuxWorld Conference & Expo on August 7th at the Moscone Center, San Francisco, California, USA. The talk, entitled "Security Response and Vendor Accountability for Open Source Software," is targeted to IT and security managers and other professionals responsible for analyzing and responding to security issues. Part of the talk will examine how MITRE's OVAL and CVE projects can be used to manage security risks in an enterprise. The conference itself is scheduled from August 4th-7th.

OVAL Editor Matthew Wojcik Profiled on MITRE Web Site

OVAL Editor Matthew Wojcik was profiled in a June 2003 "Employee Spotlight" article on the MITRE Web site entitled, "Tough on Computer Intruders: OVAL Helps IT Professionals Identify System Security Flaws." The article describes what OVAL is and explains Wojcik's role in the OVAL effort. The article also describes Wojcik's personal background.

Back to top
June 12, 2003

MITRE Announces Working Group to Develop XML Schema for the OVAL Effort

MITRE and the OVAL Board are forming a working group to develop an XML Schema to represent OVAL queries. Anyone interested in encoding OVAL content in XML as well as discussing other OVAL implementation issues is encouraged to join.

The initial mission of this working group is to develop a schema that will accurately represent all of the vital elements of an OVAL query. The effort is not meant to replace SQL as the primary specification language of the OVAL effort, but to offer an alternative format to assist developers in incorporating OVAL queries into their tools. Other OVAL implementation issues will also be discussed.

To join the working group, subscribe to the OVAL Developer Email List by sending an email message to listserv@lists.mitre.org with the words SUBSCRIBE oval-developer-list in the BODY of the message. The message subject line may be left blank. You must be a member of the OVAL Community Forum to join the working group.

OVAL to Host Booth at GOVSEC 2003

MITRE is scheduled to host a OVAL/CVE exhibitor booth at GOVSEC 2003 on July 23rd and 24th at the Washington Convention Center, Washington D.C., USA. The conference will expose OVAL and CVE to those security professionals from U.S. federal, state, and local governments responsible for information security, cyber security, and physical security. Information security personnel in attendance will include system administrators, network managers, IS managers, CIOs, information risk managers, cryptographers, and telecom managers.

Back to top
May 30, 2003

OVAL Web Site Achieves 100 Queries Milestone

There are now more than 100 queries posted on the OVAL Web site. OVAL queries are developed by members of the OVAL Community Forum, the OVAL Board, and MITRE to reflect the insights and combined expertise of the broadest possible collection of security and system administration professionals. The OVAL effort achieved this milestone with the May 29th site update. A summary of these queries is noted below:

TOTAL OVAL QUERIES: 100
Accepted: 83 Interim: 8 Draft: 9
 
WINDOWS 2000 WINDOWS NT 4.0 SOLARIS 7 SOLARIS 8
  Accepted: 29   Accepted: 14   Accepted: 20   Accepted: 20
  Interim: 7   Interim: 1   Interim: 0   Interim: 0
  Draft: 6   Draft: 3   Draft: 0   Draft: 0

We encourage system administrators, software vendors, security analysts, and other members of the information security community to join the OVAL Community Forum to participate in the development of OVAL queries. An archive of past Forum discussions is also available for reference and review.

Updated Version of OVAL Query Interpreter for Windows Released

Version 1.1 of the OVAL Reference Query Interpreter for Windows NT 4.0/Windows 2000 is now available for download from the OVAL Web site, replacing the previous version. The update eliminates two problems in the earlier version that could have caused inaccuracies in the reporting of vulnerabilities that have been identified on the system.

Along with the new version 1.1 Query Interpreter, the download will include updated Data Files (the official OVAL schema, latest insert statements, and all Accepted and Interim queries to-date) for the Windows NT 4.0 and 2000 platforms. The MD5 hash/checksum verification has also been updated, and is available for download from the Query Interpreter MD5 Hash/Checksum and Data Files page.

See the Download the Query Interpreter page for more information about the interpreter and a copy of the license agreement.

Schema for Debian Linux Added to OVAL Web Site

A draft schema for Debian Linux has been added to the Official OVAL Schema page on the OVAL Web site. A schema for Red Hat Linux was previously available in draft form. In addition to these draft schemas, there is currently an official OVAL Schema for each of the following operating systems: Microsoft Windows NT 4.0, Microsoft Windows 2000, Sun Solaris 7, and Sun Solaris 8. Microsoft Windows XP is now supported in draft form. All OVAL queries use the common OVAL Schema to keep queries consistent and standardized for each platform. Approved by the OVAL Board, each OVAL Schema is operating system-specific, specifies how to refer to configuration parameters in queries, uses the operating system vendors' naming conventions, and defines what system data to collect and how to collect it.

Schema for Windows XP Added to OVAL Web Site

A draft schema for Microsoft Windows XP has been added to the Official OVAL Schema page on the OVAL Web site. Official schema for Microsoft Windows NT 4.0 and Microsoft Windows 2000 were previously available on the site, as was official OVAL Schema for Sun Solaris 7 and Sun Solaris 8. Red Hat Linux and Debian Linux are supported in draft form.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Tuesday, May 20, 2003, with 11 Board members participating. Topics included OVAL status updates; release of the Query Interpreter for Windows; plans for expanding OVAL's supported platforms to include Windows XP, and Debian Linux; the possibility of providing OVAL content in an alternative format for tool developers, such as OVAL in XML; and future plans. You may also read the complete meeting minutes.

Back to top
May 23, 2003

OVAL Presents Paper at New England Chapter of ISSA

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, presented a briefing on OVAL and CVE entitled "Assessing Vulnerabilities, A New Standard For Computer Vulnerability Assessment" at the New England Chapter of the International Systems Security Association (ISSA) in Littleton, Massachusetts, USA, on May 20th. ISSA is "is a not-for-profit international organization of information security professionals and practitioners" that aims to educate and provide peer interaction opportunities to "enhance the knowledge, skill, and professional growth of its members."

Back to top
April 23, 2003

New 'Latest Data Updates' Page Will Identify New Queries and List Changes to Previously Posted OVAL Data

To better assist OVAL users and query writers, we have added a new page to the OVAL Web site that provides details about the new and updated technical data posted on the OVAL site. This new page, Latest Data Updates, is available from the Get OVAL Queries homepage and will identify new OVAL queries, new inserts, queries that have changed status (e.g., from Draft to Interim or Interim to Accepted), queries that have been modified, and inserts that have been modified.

Each listing on the page for a new or modified OVAL query will include the OVAL-ID, platform, CVE or CAN on which the query is based, and the date the query was created or modified. For new or modified inserts, each listing will include the Insert ID, platform, product(s) the insert addresses, and the date the insert was created or modified. An archive of the data changes will also be included on the page. These features will allow users and query writers to track the new and updated information through whichever means is most useful to them.

Join the OVAL Community Forum to participate in the ongoing discussions about new and previously posted queries and content and to submit your own OVAL queries.

Back to top
April 4, 2003

OVAL Query Interpreter Now Available for Download

The OVAL Reference Query Interpreter for Windows NT 4.0/Windows 2000 is now available for download from the OVAL Web site. MITRE developed the free OVAL Query Interpreter to demonstrate the usability of OVAL queries, and for query writers to use to ensure correct syntax and adherence to the OVAL Schema during the development of draft queries. It is not a fully functional scanning tool and has a simplistic user interface, but running the Query Interpreter will provide you with a list of the CVE entries determined by OVAL to be present on the system.

The free download will consist of inserts, the schema, and all accepted and interim queries for the Windows platform. See the Download the Query Interpreter page for more information and a copy of the license agreement.

OVAL to Present Paper at ISSA Innovative Security Technologies Conference

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, will present a briefing on CVE and OVAL entitled "Assessing Vulnerabilities, A New Standard For Computer Vulnerability Assessment" at the International Systems Security Association's (ISSA) Innovative Security Technologies Conference in Arlington, Virginia, USA, on April 23rd.

ISSA is "is a not-for-profit international organization of information security professionals and practitioners" that aims to educate and provide peer interaction opportunities to "enhance the knowledge, skill, and professional growth of its members."

Back to top
March 21, 2003

OVAL Is Featured Topic of IEEE Software Magazine Article

OVAL was the featured topic in an article entitled "Software Language Should Help Protect Networks from Hackers" in the March/April 2003 issue of IEEE Software magazine. In the article the author describes what OVAL is and how it works, mentions the importance of information security community involvement and participation in the development of OVAL queries, includes a link to the OVAL Web site, and notes that OVAL builds upon the CVE Initiative. The author states: "OVAL is a natural follow on [to CVE] that will eliminate most ambiguity that currently plagues IT managers who are always on the lookout for the latest entry points for hackers."

The author quotes Jay Beale, team leader of the Center for Internet Security, and R&D vice president at Stutzman Pierce, a Baltimore consulting group: "OVAL has the potential to make keeping track of known vulnerabilities actually manageable. While it won't do an analysis of the impact of a vulnerability to your organization or discover new vulnerabilities, OVAL can be more comprehensive than these existing approaches."

The article also discusses how OVAL addresses two major issues for network managers. This first is false positives, which occur when one test program determines that an error is present when it is not, "forcing managers to spend hours deciding whether they should fix the problem and how to do so. By adding more structure to tests, OVAL should eliminate many false positives." The second issue is that "end users presently don't know why [scanning] programs give their results, so those trying to fix them don't know which test program to use or whether they need to apply an available software patch. With OVAL, these problems should be a thing of the past."

Regarding community participation, the author says: ". . . OVAL's big benefit is that it provides another avenue for [technologists and programmers] to share ideas. Many of these companies are working on the same problems at the same time, developing proprietary ideas. At times this work is redundant; at other times, the ideas could be enhanced if more programmers were aware of them." The author also states: "Once these programmers use OVAL to create tools for locating vulnerabilities, their customers should find it much easier to prevent viruses, worms, and hackers from wreaking havoc on their systems."

OVAL Exhibits at MISTI's InfoSec World 2003

MITRE hosted an OVAL/CVE exhibitor booth at MIS Training Institute's (MISTI) InfoSec World Conference 2003, March 10-11 at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA. The conference was successful and introduced OVAL and MITRE's CVE Initiative to a diverse audience of information security professionals from the banking, finance, real estate, insurance, and health care industries, among others. See photos below.

MISTI 2003 MISTI 2003 MISTI 2003 MISTI 2003
Back to top
March 5, 2003

"Statement of CVE Compatibility" Added to OVAL Web Site

OVAL has added a "Statement of CVE Compatibility" page to the About section. CVE names are used as the basis for all OVAL queries currently collected on the OVAL Web site.

The OVAL Web site is CVE-compatible because it "uses CVE names in a manner that allows it to be cross-referenced with other products/services that employ CVE names." For each CVE vulnerability there is one or more OVAL queries that measure the presence of that vulnerability on an end system. OVAL queries are searchable by CVE name or CVE candidate number and queries called up for review include CVE names.

See the Statement of CVE Compatibility page for more information on CVE, CVE Compatibility, and how OVAL is CVE-compatible.

Conference Photos of OVAL Booth at 7th Annual IA Workshop

MITRE hosted an OVAL/CVE exhibitor booth at the "7th Annual Information Assurance (IA) Workshop" in Williamsburg, Virginia, USA, on January 28th-30th. See photos below.

Tiffany Drew Margie Bob
Back to top
February 17, 2003

OVAL Featured Topic in Information Security Magazine Article about More Granular Security Alerts

OVAL was a featured topic in an article in the February 2003 issue of Information Security Magazine about more granular security alerts. Specifically, the article discusses refining the dissemination of vulnerability alerts and security advisories to "[help] organizations make sense of the daily torrent of virtually unrefined information." In the article, entitled "Groups Develop Granular Security Info," the author discusses how OVAL addresses this problem: "Similarly, the keepers of the Common Vulnerabilities and Exposures list recently launched Open Vulnerability Assessment Language (OVAL) which builds upon CVE to create a means for making vulnerability alerts more applicable to individual enterprises."

The author describes how OVAL works as a community effort and quotes MITRE project leader Margie Zuk on the part OVAL plays: "It's the logical next step. CVE was the beginning of trying to bring some order, and [OVAL] is aimed at improving things." The author then includes a quote by OVAL Editor Matt Wojcik, who states: "One of the problems now is there's such a large amount of information that's exchanged at a general level. At the same time, there isn't a lot of detailed technical information about how to detect if that vulnerability exists on your network." The author notes that OVAL addresses this problem, and then explains that OVAL also addresses the issue of system administrators running various diagnostic software programs to determine if vulnerabilities are present but then getting different answers from the different programs.

The author concludes the article with a quote from co-creator and editor of the CVE List Steve Christey, who states: "[OVAL] brings us one step closer to demystifying and improving how vulnerabilities can be detected on computer systems. It raises the bar by actually creating a bar."

MITRE to Host OVAL/CVE Booth at InfoSec World Conference 2003 March 10-11

MITRE is scheduled to host an OVAL/CVE exhibitor booth at MIS Training Institutes' (MISTI) InfoSec World Conference 2003, at Disney's Coronado Springs Resort, Lake Buena Vista, Florida, USA, March 10-11. The conference will expose OVAL and CVE to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals.

OVAL Community Forum Membership Continues to Grow

An integral component of the OVAL effort is broad community participation. To date, 75 new members have joined the OVAL Community Forum. Forum members are able to review each draft query and discuss and debate it on the lightly moderated forum email list hosted on the OVAL Web site. This allows OVAL queries to reflect the insights and combined expertise of the broadest possible collection of security and system administration professionals.

We encourage system administrators, software vendors, security analysts, and other members of the information security community to join the OVAL Community Forum Email List and participate in this growing industry initiative. Forum discussions are available for reference and review on the Community Forum Discussion Archive page.

Back to top
February 3, 2003

OVAL Hosts Booth at 7th Annual Information Assurance (IA) Workshop, January 28 - 30

MITRE hosted an OVAL/CVE exhibitor booth at the Defense Information Systems Agency (DISA) and National Security Agency (NSA) "7th Annual Information Assurance (IA) Workshop" at the Williamsburg Marriott Hotel, Williamsburg, Virginia, USA, on January 28th-30th. The purpose of the workshop was to "provide a forum in which the IA community can provide updates and work issues on relevant IA topics" that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event was successful and introduced OVAL and CVE to representatives of the DOD and other Federal Government employees and their sponsored contractors.

Back to top
January 8, 2003

OVAL Featured Topic of eWeek Magazine Article

OVAL was the featured topic in the December 16, 2002 issue of eWeek in an article entitled "MITRE Standard Eases Vulnerability Research". In the article the author describes OVAL as "a new language designed to make it easier for researchers to define and explain vulnerabilities found in software." The author also explains how OVAL works, including the OVAL query development process and the use of CVE names as the basis for OVAL queries.

OVAL Launch Featured Topic of ServerWatch.com Article

OVAL was the featured topic in a ServerWatch.com article on December 16, 2002 entitled "MITRE Issues New Standard for Computer Vulnerability Assessment". In the article the author explains how OVAL works, including the OVAL query development process and the use of CVE names as the basis for OVAL queries.

OVAL Launch Featured Topic in Security Wire Digest Article

The launch of OVAL was the featured topic in the December 12, 2002 issue of Security Wire Digest entitled "MITRE Builds on CVE, Launches OVAL". In the article the author describes what OVAL is and how it works, mentions the importance of community involvement and participation in the development of queries, explains the composition of the OVAL Board, and includes a link to the OVAL Web site.

The author also quotes Andre Frech, OVAL Board member and Internet Security Systems X-Force research engineer, who states: "There are no conceivable downside potentials to OVAL. The initiative is flexibly defined so that security professionals are free to contribute or use the parts that are relevant to their issues."

OVAL Launch Featured Topic of eWeek Magazine Article

OVAL was the featured topic in the December 11, 2002 issue of eWeek in an article about the launch of OVAL entitled "New Language Assesses Software Flaws". In the article the author describes the purpose of OVAL and explains how it works, including the query development process. The author also discusses the problem OVAL addresses, which is how "each software vendor seems to define vulnerabilities differently, which often leads to disputes among researchers and vendor representatives." He concludes the article with a quote by OVAL Editor and MITRE senior information security engineer Matthew N. Wojcik, "OVAL solves the consistency problem. The queries provide a baseline for performing vulnerability assessments . . . The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems."

Citadel Press Release Announces New OVAL Board Member

A press release issued by Citadel Security Software on December 10, 2002 announced that Citadel CTO Carl Banzhof joined the OVAL Board. The release, entitled "Citadel CTO Carl Banzhof Appointed to MITRE OVAL (Open Vulnerability Assessment Language) Board" also describes what OVAL is and how it works, notes that OVAL builds upon the CVE Initiative, and mentions the other organizations that make up the OVAL Board.

Back to top

Page Last Updated: March 05, 2013