Industry News Coverage - 2004 Archive

Below is a comprehensive monthly review of the news and other media's coverage of OVAL. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

Date: 12/2004
Publication: Department of Computer Science, Princeton University

Byline: Xinming Ou, Sudhakar Govindavajhala, Andrew W. Appel
Headline: "TR-718-04: Policy-based Multihost Multistage Vulnerability Analysis"

Excerpt or Summary:
OVAL is mentioned throughout this technical report that describes MulVAL, "an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis [MulVAL] on a network." MulVAL automatically integrates formal vulnerability specifications from the bug-reporting community and is scaleable to networks with thousands of machines. MulVAL "comprises a scanner—run asynchronously on each host and which adapts existing tools such as OVAL to a great extent—and an analyzer, run on one host whenever new information arrives from the scanners."

OVAL is mentioned throughout the report and OVAL and the OVAL Reference Definition Interpreter are used by MulVAL to scan the network, conduct the tests for vulnerabilities using OVAL definitions, and to report the results. The report describes what OVAL is and details the OVAL System Characteristics Schema for collecting the information, OVAL Definition Schema for writing OVAL Definition tests, and OVAL Results Schema for presenting the results of the tests. The paper also mentions the OVAL Board, provides a breakdown of OVAL definitions as of January 31, 2005, and notes that the OVAL Reference Definition Interpreters are available for Red Hat Linux and Microsoft Windows platforms. After the presence of a vulnerability is identified by OVAL, MulVAL uses ICAT, "a vulnerability database developed by the National Institute of Standards and Technology" to describe "how [the vulnerability] can be exploited and what are the consequences".

OVAL is also included in the paper's abstract, in which the authors state: "Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines. We implemented our framework on the Red Hat Linux platform. Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language. We tested our tool on a real network with hundreds of users. The tool detected a policy violation caused by software vulnerabilities and the system administrators took remediation measures."

Date: 12/2004
Publication: Information Security Magazine

Byline: Jay Beale
Headline: "'Big O' For Testing"

Excerpt or Summary:
OVAL was the main topic of this article in which the author describes OVAL and states: "The Open Vulnerability Assessment Language (OVAL) project, headed by nonprofit MITRE and funded by the Department of Homeland Security's U.S.-CERT, is being developed as a standardized process by which security tool creators, operating system vendors and security professionals test systems for exploitable vulnerabilities. XML-based OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE) initiative . . . [and] gives security managers the ability to test for a particular CVE vulnerability in OVAL-compliant applications and platforms. OVAL will tell testers whether vulnerable software is installed and, if so, whether it has a vulnerable configuration. OVAL provides a schema that describes the platforms and presents a query customized to each vulnerability that determines whether a machine is at risk."

The article describes OVAL definitions and the OVAL Schemas, including the System Characteristics Schema and Results Schema; discusses the OVAL Definition Interpreters; mentions the platforms currently supported by OVAL; notes the importance and participation of the OVAL Board; and advocates OVAL compatibility.

The author concludes the article with the following statement: "OVAL promises to improve the quality of our vulnerability assessment tests as the vendors analyze and critique them, and allow end users to create new tests. The best way to support this effort is to look at the language, try the vulnerability assessment tool and push your vendors towards OVAL compatibility."

Date: 12/20/2004
Publication: netForensics Web Site

Headline: "netForensics Security Strategist Appointed to MITRE Open Vulnerability Assessment Language Board"

Excerpt or Summary:
The main topic of this press release is that Anton Chuvakin, Ph.D., GCIA, GCIH, and Security Strategist for netForensics, Inc. was appointed to the OVAL Board. The release describes what the OVAL effort is and isn't and includes a link to the OVAL Web site. The article also includes a quote by Patrick Guay, netForensics EVP Product Management and Marketing, who states: "Anton is an excellent example of the level of security practitioner we have in place to develop [netForensics, Inc.'s] robust SIM solution and to support our customers unique requirements. As a member of the OVAL Board he will continue to offer this insight and innovation for developing a common standard for describing system vulnerabilities and methods for checking them."

There are currently 31 OVAL Board Members from 26 organizations around the world.

Date: 12/20/2004
Publication: Qualys Web Site

Title: "Qualys CTO Gerhard Eschelbeck Joins OVAL Board"

Excerpt or Summary:
The main topic of this press release is that Gerhard Eschelbeck, Qualys' CTO and VP of Engineering for Qualys, has joined the OVAL Board. The release also explains what OVAL is, and announces that Qualys will be making its products OVAL-compatible: "Qualys will be adding OVAL support to its QualysGuard vulnerability management solution in 2005, allowing customers to import existing OVAL definitions and rapidly develop custom vulnerability detection signatures through a standardized XML based language."

Also included is a quote by Eschelbeck, who states: "As an industry, we have made significant strides in standardization with CVE, and I am honored to join this community effort to extend the standardization of vulnerability definitions," said Gerhard Eschelbeck, CTO and VP of Engineering for Qualys. "Qualys values and is fully committed to supporting the OVAL effort, which will ease the burden on security administrators in identifying and eliminating security vulnerabilities."

Qualys is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP products are listed on the OVAL-Compatible Products and Services page.

Date: 12/20/2004
Publication: Citadel Web Site

Title: "Citadel Security Software Announces OVAL Compatibility"

Excerpt or Summary:
The main topic of this press release was Citadel Security Software Inc. announcing that its Hercules product would be OVAL-compatible." In the release Citadel "announced its plan to be compatible with MITRE's OVAL (Open Vulnerability Assessment Language) Results Schema, a standardized format for presenting data from a system evaluated by OVAL, enabling customers to remediate vulnerabilities identified by OVAL-compatible scanning tools."

The release describes what OVAL is and explains how Citadel will be integrating OVAL into Hercules: "With Citadel integrating the ability to read results from the OVAL Results Schema, Hercules will import results from vulnerability scanners or other network tools that produce output in an OVAL Results Schema format to quickly remediate vulnerabilities. Additionally, Citadel will be integrating other aspects of OVAL such as OVAL Compliance Definitions, Patch Definitions, and Vulnerability Definitions."

Also included is a quote by OVAL Board member and CTO of Citadel Security Software Carl Banzhof, who states: "With OVAL positively impacting the global computing community, we are proud to contribute to its leadership efforts on providing security interoperability standards," said. "Through our work with DISA, we understand why federal agencies rely on OVAL vulnerability identification and reporting standards and are dedicated to providing the compatibility and integration that can greatly ease their vulnerability management burden."

Citadel Security Software is a member of the OVAL Board and its Hercules product is listed on the OVAL-Compatible Products and Services page.

Date: 12/15/2004
Publication: nCircle Web Site

Title: "nCircle's Mike Murray Appointed to Open Vulnerability Assessment Language (OVAL) Board"

Excerpt or Summary:
The main topic of this press release was the appointment of Mike Murray of nCircle Network Security, Inc. to the OVAL Board. The release describes what OVAL is, notes that Murray is nCircle's Director Of Vulnerability and Exposure Research, and mentions that Murray will lead OVAL's working group "to adapt the OVAL standard to include remote vulnerability checks."

The release also includes a quote by Murray, who states: "As OVAL continues to make significant contributions to the security industry, I am pleased to have the opportunity to participate in helping to achieve their goals. Leading OVAL's first [unauthenticated remote scanning] working group is a great opportunity, and I look forward to working closely with such a dedicated and talented group in the security industry."

Date: 10/2004
Publication: Information Security Magazine

Byline: Andrew Briney
Headline: "Why I Love AVDL"

Excerpt or Summary:
OVAL was mentioned briefly in this opinion article about AVDL, in which the author states: "Combined with other efforts designed to standardize vulnerability intelligence - I'm thinking mostly of MITRE's work on the Open Vulnerability Assessment Language (OVAL) - AVDL paints a picture of how the future could be. It's a future where vulnerability and threat management devices throughout the network, and up and down the stack, can be managed through a common language."

AVDL stands for Application Vulnerability Description Language, an interoperability standard proposed by four application security vendors as part of the Organization for the Advancement of Structured Information Standards (OASIS) standards process. OASIS is a "not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards." AVDL is different from OVAL because their objective is to create more interoperability among security tools by using XML to describe application security vulnerability information that tools can exchange, while the focus of the OVAL effort is to provide a baseline method for performing vulnerability and configuration issue testing on end systems. OVAL has three main pieces: an OVAL XML language standard for describing the software configuration state of end systems, OVAL schemas for collecting and reporting information about the state of end systems, and OVAL content consisting of libraries of logical tests for the presence of a particular vulnerability or configuration issue on particular end systems Established prior to AVDL, OVAL is an information security community effort that includes participation from numerous organizations around the world through the OVAL Community Forum and the OVAL Board. This participation includes Citadel Security Software, one of the organizations proposing AVDL, which is also a member of the OVAL Board.

Date: 9/13/2004
Publication: CVE Web site

Byline: Robert Roberge
Headline: "Secure Element's Dan Bezilla Appointed to MITRE OVAL Board"

Excerpt or Summary:
This article on the CVE Web site discusses the growth of the CVE List from its inception in 1999 to its current total of 7,191 total CVE names; growth of community participation on the CVE Editorial Board; and growth of CVE-Compatible Products and Services and the number of organizations including CVE names in their security advisories.

OVAL was mentioned in the CVE compatibility section in a discussion about services that are built upon CVE: "CVE has also been used as the basis for entirely new services . . . MITRE's Open Vulnerability Assessment Language (OVAL) is the common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities on computer systems using XML definitions that are each based on a CVE name."

OVAL is listed on the CVE Web site as CVE-compatible (read our Statement of CVE Compatibility), and in February 2004 became one of only 14 information security products and services to be recognized as officially CVE-Compatible at an award ceremony at RSA Conference 2004 in San Francisco, California, USA. For more information about CVE and CVE compatibility, visit http://cve.mitre.org.

Date: 8/4/2004
Publication: Secure Elements Web site

Byline: OASIS
Headline: "Secure Element's Dan Bezilla Appointed to MITRE OVAL Board"

Excerpt or Summary:
This press release by Secure Elements announced that Daniel Bezilla, chief technical officer and co-founder of Secure Elements, has joined the OVAL Board. The release describes what the OVAL effort is and isn't, the responsibilities of the Board, and includes a link to the OVAL Web site. The article includes a quote by Bezilla, who states: "I'm pleased to be able to contribute to the efforts to strengthen cyber security efforts through standards and industry-government initiatives. These initiatives serve our collective best interest, and deserve joint contributions by the public and private sector. I'm looking forward to contributing to the discussions that have been the foundation for OVAL's groundbreaking achievements."

The article also includes a quote by OVAL Board Moderator Matthew N. Wojcik, who states: "Complete vulnerability and configuration management is emerging as a required discipline for the security industry. OVAL is excited to have Dan on our Board, as he has demonstrated industry leadership, especially in the field of complete vulnerability management."

There are currently 29 OVAL Board Members from 21 organizations around the world.

Date: 6/24/2004
Publication: Cover Pages Web site

Byline: OASIS
Headline: "Application Vulnerability Description Language (AVDL) Becomes an OASIS Standard"

Excerpt or Summary:
OVAL is mentioned in a news item on this OASIS-sponsored Web site about the version 1.0 specification of the OASIS Application Vulnerability Description Language being approved as an OASIS Standard. OVAL is referenced as an inspirational source for elements of the document: "The AVDL TC Chairs indicate that some features of the AVDL specification design were inspired by MITRE's Open Vulnerability Assessment Language (OVAL), which uses the Common Vulnerabilities and Exposures (CVE) [List]."

AVDL stands for Application Vulnerability Description Language, an interoperability standard being proposed by four application security vendors as part of the Organization for the Advancement of Structured Information Standards (OASIS) standards process. OASIS is a "not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards." AVDL is different from OVAL because their objective is to create more interoperability among security tools by using XML to describe application security vulnerability information that tools can exchange, while the focus of the OVAL effort is to provide a baseline method for performing vulnerability testing on end systems. OVAL has two main pieces: an OVAL XML language standard for describing the software configuration state of end systems, and OVAL content consisting of libraries of logical tests for the presence of a particular vulnerability on particular end systems (these tests are expressed as software configuration conditions in the OVAL language). Established prior to AVDL, OVAL is an information security community effort that includes participation from numerous organizations around the world through the OVAL Community Forum and the OVAL Board. This participation includes Citadel Security Software, one of the organizations proposing AVDL, which is also a member of the OVAL Board.

Date: 5/17/2004
Publication: Security Wire Perspectives, Vol. 6, No. 39

Byline: Robert A. Martin
Headline: "Security Patches Got You Running in Circles?"

Excerpt or Summary:
How OVAL can assist with patching is the main topic of this article by OVAL Team Member Robert A. Martin. The article describes what OVAL is and how system administrators would have an easier time managing patches if their vendor's security advisories included OVAL definition tests for the vulnerabilities, since the publicly available OVAL definition include "ways of testing for vulnerable software, patches and workarounds."

The article also addresses the question of why organizations should adopt OVAL: "Why recommend OVAL? It will save your system and security administrators time, and that translates to lower overhead for you. They can also secure your systems more quickly because they can apply the workarounds and won't have to wait to deploy a patch. Scanning tools will immediately report on successful mitigation, showing the success of any workarounds your system and security administrators have implemented whether or not they applied the patches. "

The article also discussed the OVAL Board, CVE, the benefits of participating in this development of OVAL vulnerability data as part of the OVAL Community Forum, and provides a link to the OVAL Web site.

Date: 4/2004
Publication: Proceedings of Software Quality Management XII - New Approaches to Software Quality (Book)

Author: D. Edgar-Nevill, M. Ross, and G. Staples (Editors)
Publisher: The British Computer Society

Excerpt or Summary:
A chapter of this publication, included in "Section 2 Standards," is entitled "CVE and OVAL - International Security Standards That Are Making A Difference". It was written by Robert A. Martin, OVAL Team Member and CVE Compatibility Lead.

Date: 4/29/2004
Publication: Cover Pages Web site

Byline: OASIS
Headline: "OASIS TC Approves Application Vulnerability Description Language (AVDL) Draft"

Excerpt or Summary:
OVAL is mentioned in a news item on this OASIS-sponsored Web site about the version 1.0 specification of the OASIS Application Vulnerability Description Language being submitted for consideration as an OASIS Standard. OVAL is referenced as an inspirational source for elements of the document: "According to a declaration presented by the AVDL TC Chairs, some features of the AVDL specification design were inspired by MITRE's Open Vulnerability Assessment Language (OVAL), which uses the Common Vulnerabilities and Exposures (CVE) [list]."

AVDL stands for Application Vulnerability Description Language, a new interoperability standard being proposed by four application security vendors as part of the Organization for the Advancement of Structured Information Standards (OASIS) standards process. OASIS is a "not-for-profit, global consortium that drives the development, convergence and adoption of e-business standards." AVDL is different from OVAL because their objective is to create more interoperability among security tools by using XML to describe application security vulnerability information that tools can exchange, while the focus of the OVAL effort is to provide a baseline method for performing vulnerability testing on end systems. OVAL has two main pieces: an OVAL XML language standard for describing the software configuration state of end systems, and OVAL content consisting of libraries of logical tests for the presence of a particular vulnerability on particular end systems (these tests are expressed as software configuration conditions in the OVAL language). Established prior to AVDL, OVAL is an information security community effort that includes participation from numerous organizations around the world through the OVAL Community Forum and the OVAL Board. This participation includes Citadel Security Software, one of the organizations proposing AVDL, which is also a member of the OVAL Board.

Page Last Updated: June 09, 2006