News and Events - 2005 Archive

December 30, 2005
OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, December 15, 2005, with 18 Board members and others participating. Topics included OVAL status updates on Version 5; a progress report on Patch Definitions; OVAL and OVAL-ID Compatibility Program updates, particularly compatibility testing; and OVAL at RSA 2006 in February. You may also read the complete meeting minutes.

OVAL1433 Addresses 0-Day Vulnerability

OVAL1433 addresses "Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution," originally issued on December 28, 2005, which involves a flaw in how Windows XP and Windows Server 2003 handle corrupt WMF/EMF image files. All Windows XP and Server 2003 installations are vulnerable, including those that are fully patched. The user must take action to open the image file, but these files can be sent via email or instant message, or downloaded by an unsuspecting Web surfer. Reports say the vulnerability can allow the attacker to take full control of the affected system. There is no patch or Hotfix currently available, but Microsoft encourages users to keep their anti-virus and anti-spyware software up-to-date and to employ a firewall. OVAL Vulnerability Definition OVAL1433, submitted by ThreatGuard, Inc., tests for this "0-day vulnerability" (i.e., a known vulnerability for which there is currently no patch available).

December 22, 2005
OVAL began three years ago this month as a new community baseline standard for how vulnerabilities could be identified on local computers. Since that time the initiative has grown significantly and is now a developing international, information security community standard for how to check for the presence of vulnerabilities and configuration issues on computer systems. Highlights of our progress are noted below.

OVAL Schemas

When OVAL began we used Structured Query Language (SQL) for the official OVAL Schema and OVAL queries in SQL to perform the tests. In late 2003, at the request of the community and because of the limits of SQL, we adopted Extensible Markup Language (XML) as the official format for writing OVAL schemas and the XML definitions that perform the tests. OVAL has also grown from a single schema for writing the tests into three separate schemas, one for each step of the overall process: an OVAL System Characteristics Schema for collecting the information, an OVAL Definition Schema for writing the tests, and an OVAL Results Schema for presenting the results of the tests. The individual tests are standardized, machine-readable XML Vulnerability, Compliance, and Patch Definitions that are hosted in our OVAL Repository. We also created a free OVAL Reference Definition Interpreter to demonstrate the usability of the OVAL Schemas and to execute OVAL definitions for the Microsoft Windows and Red Hat Linux platforms. We are now on Version 4.2 of the Official OVAL Schemas, and are working on Version 5.

OVAL Repository

In the beginning, OVAL focused only on tests for vulnerabilities, each of which was based on a CVE Name from Common Vulnerabilities and Exposures. When we moved from SQL to XML we expanded the OVAL Repository to include OVAL Vulnerability Definitions, Compliance Definitions, and Patch Definitions. These community-developed tests definitively determine whether the specified vulnerability, configuration issue, or patch is present on a system.
Currently, there are 1,010 definitions for Microsoft Windows, 253 definitions for Red Hat Linux, 138 definitions for Sun Solaris, and 17 definitions for HP-UX, for a grand total of 1,418 definitions now available to the public for incorporation into information security products and services. More definitions are being added each week.

Community Participation

Since the beginning the OVAL effort has been industry-endorsed via the OVAL Board and through community participation on the OVAL Community Forum and OVAL Developer's List, ensuring that the OVAL schemas and definitions reflect the combined expertise of the broadest possible group of security and system administration professionals worldwide. Community endorsement is further emphasized by the numerous organizations that are listed on the Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility pages stating that their information security products and services are, or will be, compatible with OVAL. In addition, recent significant participation by the OVAL community includes the contribution of component schemas by the Center for Internet Security for Apple Macintosh beginning with Version 4.0 and by ThreatGuard, Inc. for HP-UX (Hewlett Packard UNIX) with Version 4.2. ThreatGuard has also contributed numerous OVAL definitions to the OVAL Repository, including the first-ever HP-UX vulnerability definitions in December 2005. Visit the Community Participation page to see the specific ways in which you or your organization can contribute.

OVAL Board

The OVAL Board, which approves the Official OVAL Schemas and evaluates and comments on OVAL Definitions, includes members from major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions from around the world. The Board began with 17 members from 13 organizations and has since grown to 39 members from 36 organizations.
Compatible Products and Services

In July 2004 we added an OVAL-Compatible Products and Services program and in November 2005 launched an official "OVAL and OVAL-ID Compatibility Process" for organizations wishing to make their products or services OVAL-compatible and/or OVAL-ID compatible. The formal process includes compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the Requirements and Recommendations for OVAL and OVAL-ID Compatibility document, and a "branding program" with an official compatibility logo for vendors to include with their products. This process, which ultimately includes publication of the organization's statement on the OVAL Web site along with the use of the Official OVAL and OVAL-ID Compatible logo, allows end users and prospective customers of OVAL and OVAL-ID Compatible Products and Services to compare how the products satisfy the compatibility requirements and to more easily determine which specific implementations are best for their networks and systems. There are now OVAL Compatibility Declarations for 24 products and services from 13 organizations around the world and OVAL-ID Compatibility Declarations for 12 products and services from 9 organizations around the world.

Our Three-Year Anniversary

We thank all of you who have in any way promoted the OVAL effort, used the OVAL schemas and definitions, and/or adopted OVAL or OVAL-ID compatible products or services for your enterprise. We would also like to thank our sponsors throughout these three years, US-CERT at the U.S. Department of Homeland Security, for their past and current funding and support. We welcome any comments or feedback about OVAL or the OVAL Repository at oval@mitre.org.

ThreatGuard, Inc. Contributes 17 HP-UX OVAL Definitions

OVAL community member ThreatGuard, Inc. has contributed the first-ever OVAL vulnerability definitions for the HP-UX (Hewlett Packard UNIX) platform.
These 17 new definitions are posted on the OVAL Definitions page, and are in addition to the many definitions for other platforms previously submitted by ThreatGuard. ThreatGuard also contributed the HP-UX Component Schema to Version 4.2 of OVAL, released on December 2, 2005 (see "Two Organizations Contribute Component Schemas for Version 4.2"). OVAL community participation is important for the development of new definitions and new component schemas, and such contributions help the OVAL effort to further build the repository of OVAL definitions and to add support for more platforms. To participate in the OVAL effort, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest and/or ways you would like to contribute. Alternatively, you may send an email to oval@mitre.org. We welcome your participation.

December 16, 2005
OVAL to Host Booth at Homeland Security for Networked Industries 2006 Conference & Expo in January

MITRE is scheduled to host an OVAL/CVE/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. The conference is "the first of its kind to encourage cross-industry collaboration on network security issues pertinent to America's critical infrastructures [or those] networks which serve as the backbone for daily life for the American public." It is "an opportunity to listen and network with IT decision makers from a variety of networked industries including utilities, telecom and transportation as well as government." Organizations listed in the Compatible Products and Services section will also be exhibiting. Please stop by Booth 117, or any of these booths, and say hello.

Updated Version 5.0 Draft OVAL Schemas Now Available

Fourth drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section. Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

December 8, 2005
Two Organizations Contribute Component Schemas for Version 4.2

Two members of the OVAL community, ThreatGuard, Inc. and the Center for Internet Security, contributed Component Schemas to Version 4.2 of OVAL, released on December 2, 2005. ThreatGuard developed the component schema for HP-UX (Hewlett Packard UNIX), and the Center for Internet Security developed the component schema for Apple Macintosh (MacOS was originally developed for Version 4.0). OVAL community participation is important for the development of new component schemas, and such contributions help keep the OVAL effort growing and supporting more platforms. Component schemas are used to define the specific tests necessary to determine the presence of vulnerabilities, configuration issues, and patches on a specific platform. Other component schemas include Microsoft Windows, Sun Solaris, Red Hat Linux, Debian Linux, UNIX, and Cisco IOS. Working with these component schemas is a core or "parent" schema that provides the general format for an OVAL Definition and a place for expressing platform-independent metadata (e.g., the CVE identifier). See the Official OVAL Schemas page for details. To participate in the OVAL initiative, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest and/or ways you would like to contribute. Alternatively, you may send an email to oval@mitre.org. We welcome your participation.

Nils Puhlmann of Mindjet Corporation has joined the OVAL Board.

Gregory Toto of BigFix, Inc. has joined the OVAL Board.

OVAL Mentioned in Article about National Vulnerability Database on SecurityFocus.com

OVAL was mentioned in a December 2, 2005 article about the U.S. National Vulnerability Database (NVD) entitled "Federal flaw database commits to grading system" on SecurityFocus.com.
OVAL is mentioned as follows: "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... [and] CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... " NVD, OVAL, and CVE are sponsored by the U.S. Department of Homeland Security.

December 2, 2005
Official OVAL Schemas Updated to Version 4.2

Version 4.2 of the OVAL Schemas is now available on the Official OVAL Schemas page. The OVAL Definition Interpreters, Interpreter Source Code, and Data Files have also been updated. Version 4.2 of the OVAL Schema includes the following changes:

- addition of a component schema for HP-UX (submitted by ThreatGuard, Inc.);
- modification of the OVAL-ID format;
- deprecation of the rpmversioncompare_test in the redhat schema;
- addition of the evr_version element to the rpminfo_test in the redhat schema;
- addition of the signature_keyid element to the rpminfo_test in the redhat schema;
- addition of the rpmversion datatype; and
- the ability to include more than one reference.

All of the updates incorporate modifications and revisions that are a direct result of feedback from users. The following schemas have been updated to Version 4.2 for the OVAL Core schemas and the component (Independent, Apple Macintosh, Cisco IOS, Debian Linux, HP-UX, Microsoft Windows, Red Hat Linux, Sun Solaris, and UNIX) schemas:

The following are also available for using Version 4.2 of OVAL:

The previous versions of the OVAL schemas, definitions, Definition Interpreters, Interpreter source code, and data files have been archived. Visit the Official OVAL Schemas page for the latest information on Version 4.2.

Updated Version 5.0 Draft OVAL Schemas Now Available

Third drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section. Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.
PatchLink Corporation Makes Declaration of OVAL and OVAL-ID Compatibility

PatchLink Corporation declared that its enterprise patch management system, PatchLink Update, will be OVAL-compatible and OVAL-ID compatible. For additional information about this and other OVAL and OVAL-ID compatible products and services, visit Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility.

ThreatGuard, Inc. Issues Press Release Announcing Receipt of Two Certificates of OVAL and OVAL-ID Compatibility

OVAL and OVAL-ID compatibility was the main topic of a November 14, 2005 press release by ThreatGuard, Inc. entitled "Threatguard Receives First OVAL Compatibility Awards from MITRE." In the release ThreatGuard announces that its ThreatGuard and ThreatGuard Traveler products both received Official Certificates of OVAL and OVAL-ID Compatibility on November 14, 2005 in an award ceremony at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA. The release, which also describes OVAL and OVAL compatibility, includes a quote by Rob Hollis, ThreatGuard's Director of Product Development and an OVAL Board Member, who states: "We are quickly approaching our first anniversary of fielding OVAL in our operational products. That should give a clear indication of how dedicated we are to the project. We're not waiting around to see what the industry will do with OVAL. We believe it's the right direction for the industry so we're doing what we can to help drive the effort."
Photo: Rob Hollis, ThreatGuard's Director of Product Development (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Citadel Security Software Inc. Issues Press Release Announcing Receipt of Certificate of OVAL and OVAL-ID Compatibility

OVAL and OVAL-ID compatibility was the main topic of a November 15, 2005 press release by Citadel Security Software Inc. entitled "Citadel Security Software Awarded Certificate of OVAL Compatibility." In the release Citadel announces that its Hercules product has been "certified as fully compliant and compatible with MITRE's Open Vulnerability [and] Assessment Language OVAL-ID[s] and OVAL Results Schema, a standardized format for presenting data from a system evaluated by OVAL, enabling customers to remediate vulnerabilities identified by OVAL-compatible scanning tools." Citadel received the Official Certificate of OVAL and OVAL-ID Compatibility on November 14, 2005 in an award ceremony at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA. The release, which also describes the goals of OVAL and OVAL compatibility, includes a quote by Carl Banzhof, CTO of Citadel Security Software and an OVAL Board Member, who states: "We are proud to contribute to the leadership efforts on providing interoperability standards for the global security community with OVAL compatibility. Through our work with DISA we understand why federal agencies rely on OVAL vulnerability identification and reporting standards and are dedicated to providing the compatibility and integration that can greatly ease their vulnerability management burden."
Photo: Kent Landfield, Citadel's Security Group Director (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Certificate of OVAL and OVAL-ID Compatibility Awarded to ArcSight, Inc.

ArcSight, Inc. was recently presented with a "Certificate of OVAL and OVAL-ID Compatibility" for its ArcSight ESM product. MITRE held an awards ceremony November 14, 2005 at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA to award compatibility certificates.
Photo: Mike Boehm, of ArcSight's Public Sector Group (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Photo of First-Ever OVAL Compatibility Awards Ceremony

Four information security products and services from three organizations received "Certificates of OVAL and OVAL-ID Compatibility" at MITRE Corporation's awards ceremony held November 14, 2005 at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA, and are now officially "OVAL and OVAL-ID Compatible." All three organizations participated in the ceremony, including ArcSight, Inc., Citadel Security Software Inc., and ThreatGuard, Inc. See photo below.
Photo: Mike Boehm, of ArcSight's Public Sector Group; Robert Martin, OVAL Compatibility Lead; Kent Landfield, Citadel's Security Group Director; and Rob Hollis, ThreatGuard's Director of Product Development; at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.
OVAL Working Group Holds Teleconference

OVAL's Patch Definition Working Group held a teleconference meeting on Tuesday, November 1, 2005, with eight members participating. Those interested may read the complete meeting minutes. Minutes from other working groups are also available on the Discussion Archives page. To participate in the OVAL initiative or on an OVAL working group, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest. We welcome your participation.

November 17, 2005
Updated Version 5.0 Draft OVAL Schemas Now Available

Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been updated and posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section. Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Hosts Booth at 32nd Annual CSI Conference

MITRE hosted an OVAL/CVE/CME exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, in Washington, D.C., USA. The conference exposed OVAL, CVE, and CME to information security and network professionals from industry, academia, and government. Organizations listed in the OVAL-Compatible Products and Services section also exhibited, and "Certificates of OVAL and OVAL-ID Compatibility" were presented in an awards ceremony to three organizations for four products and services that are now considered officially OVAL and OVAL-ID Compatible. See "4 Information Security Products/Services Are Now Registered as Officially 'OVAL and OVAL-ID Compatible'" for more information. Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at FIRST Technical Colloquium

OVAL Team Member Drew Buttner presented a briefing about OVAL entitled "OVAL Schema" at the FIRST Technical Colloquium on November 16, 2005, in Redwood Shores, California, USA.
The event, which ran November 14th-16th, provided a "discussion forum for FIRST [Forum of Incident Response and Security Teams] member teams to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams." Visit the OVAL Calendar page for information about this and other upcoming events.

November 14, 2005
4 Information Security Products/Services Are Now Registered as Officially "OVAL and OVAL-ID Compatible"
The following products are now registered as officially "OVAL and OVAL-ID Compatible":
Use of the official OVAL and OVAL-ID Compatible Product/Service logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the OVAL and OVAL-ID compatibility requirements, and therefore which specific implementations are best for their networks and systems. An awards ceremony was held today at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA, to present Certificates of OVAL and OVAL-ID Compatibility to the organizations that have achieved this final phase. All three organizations participated in the ceremony, including ArcSight, Inc., Citadel Security Software Inc., and ThreatGuard, Inc. For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

BigFix, Inc. Makes Declaration of OVAL-ID Compatibility

BigFix, Inc. declared that its real-time security configuration management suite, BigFix Enterprise Suite, will be OVAL-ID compatible. BigFix Enterprise Suite is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

OVAL to Present Briefing at FIRST Technical Colloquium

OVAL Team Member Drew Buttner is scheduled to present a briefing about OVAL entitled "OVAL Schema" at the FIRST Technical Colloquium on November 16, 2005, in Redwood Shores, California, USA.
The event, which runs November 14th-16th, provides a "discussion forum for FIRST [Forum of Incident Response and Security Teams] member teams to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams." Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at VISION 2005

OVAL Editor Matthew N. Wojcik presented a briefing about OVAL and CVE entitled "Enablers to Cybersecurity Transformation" in the "Protection of Information" track at The Shepard Group's VISION 2005 on November 8, 2005, at Ibis London Earl's Court, UK. The conference itself ran November 7th - 9th. Visit the OVAL Calendar page for information about this and other upcoming events.

November 4, 2005
Release Candidates of the Version 4.2 OVAL Schemas Now Available

Version 4.2 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 4.2 page. The Version 4.2 Schemas are currently scheduled to move to the Official stage on December 2, 2005.

OVAL Initiative Announces OVAL Compatibility Process and New Compatibility Logo

MITRE has created an "OVAL and OVAL-ID Compatibility Process" for organizations wishing to make their products or services OVAL-compatible and/or OVAL-ID compatible. The new process includes formal compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the OVAL and OVAL-ID compatibility requirements, and a "branding program" with an official OVAL and OVAL-ID compatibility logo for vendors to include with their products and for system administrators and other security professionals to look for when adopting vulnerability management products and services for their enterprise. Specifically, the expanded OVAL and OVAL-ID Compatibility Process involves two phases:

(1) Declaration Phase: The organization declares its intent to make its product(s) and/or service(s) OVAL and/or OVAL-ID compatible by providing MITRE with such basic information as company name and contact information, the type of product, and the name of the product or service. Once the declaration is reviewed, the organization will be listed on the Declarations of OVAL Compatibility page and/or Declarations of OVAL-ID Compatibility page of the OVAL Web site, provided the products or services are commercially available when we post the declaration.
(2) Evaluation Phase: The organization completes an "OVAL and OVAL-ID Compatibility Requirements Evaluation" questionnaire that specifically states the details of how the organization has satisfied the "Requirements and Recommendations for OVAL and OVAL-ID Compatibility" document. While the second phase takes more effort than the first, it has been designed to minimize the expense for both the submitting organization and MITRE. This approach avoids an evaluation process that would make it too expensive for freeware or smaller software vendors to obtain compatibility. By using the questionnaire and statement of compatibility the level of effort is kept reasonable, while making a good effort to verify that the submitting organization properly understands and correctly implements the OVAL and OVAL-ID compatibility requirements. (An organization must complete phase 1 before starting phase 2.)

This new compatibility process, which ultimately includes publication of the organization's statement on the OVAL Web site and an OVAL and OVAL-ID compatibility logo for use on their products or services, allows end users and prospective customers of OVAL and OVAL-ID compatible products and services to compare how different products satisfy the compatibility requirements and which specific implementations are best for their networks and systems.

ThreatGuard, Inc. Makes Declaration of OVAL and OVAL-ID Compatibility

ThreatGuard, Inc. declared that its threat management product, ThreatGuard Traveler, is OVAL-compatible and OVAL-ID compatible. The ThreatGuard Vulnerability Management System is also declared OVAL-compatible and OVAL-ID compatible and is listed on the declarations pages. For additional information about these and other compatible products and services, visit the Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility pages.

ArcSight, Inc. Makes Declaration of OVAL-ID Compatibility

ArcSight, Inc. declared that its real-time security awareness/incident response solution, ArcSight ESM, is OVAL-ID compatible. ArcSight ESM is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

Citadel Security Software Inc. Makes Declaration of OVAL-ID Compatibility

Citadel Security Software Inc. declared that its Automated Vulnerability Remediation product, Hercules, is OVAL-ID compatible. Hercules is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

ArcSight, Inc. Posts OVAL and OVAL-ID Compatibility Questionnaire

ArcSight, Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL and OVAL-ID Compatibility Questionnaire for ArcSight ESM. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID Compatibility.

Citadel Security Software Inc. Posts OVAL and OVAL-ID Compatibility Questionnaire

Citadel Security Software Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL and OVAL-ID Compatibility Questionnaire for Hercules.
In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID Compatibility.

ThreatGuard, Inc. Posts OVAL and OVAL-ID Compatibility Questionnaires

ThreatGuard, Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL Compatibility Questionnaire for ThreatGuard Vulnerability Management System and an OVAL Compatibility Questionnaire for ThreatGuard Traveler. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible." For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID Compatibility.

OVAL Compatibility Requirements Document Updated

The Requirements and Recommendations for OVAL and OVAL-ID Compatibility document has been updated to Version 1.01 and posted in the Compatible Products and Services section of the OVAL Web site.
The document, which details the specific ways in which an organization can make its information security tool, service, Web site, database, archive, or advisory/alert "OVAL-compatible" and/or "OVAL-ID compatible," was updated to comply with the new formal "OVAL and OVAL-ID Compatibility Process."

OVAL to Present Briefing at VISION 2005
OVAL Editor Matthew N. Wojcik is scheduled to present a briefing about OVAL and CVE entitled Enablers to Cybersecurity Transformation in the "Protection of Information" track at The Shepard Group's VISION 2005 on November 8, 2005, at Ibis London Earl's Court, UK. The conference itself runs November 7th - 9th. Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at FIAC 2005
OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL, CVE, and CME entitled Managing to Make Secure Systems in the Vulnerability Management portion of the "Leveraging Technology to Bridge the Security Gap" track at Federal Information Assurance Conference (FIAC) 2005 on October 26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA. Visit the OVAL Calendar page for information about this and other upcoming events.

October 28, 2005
DesktopStandard Corporation Makes Declaration of OVAL-ID Compatibility
DesktopStandard Corporation declared that its group policy-based patch management product, PolicyMaker Software Update, is OVAL-ID compatible. PolicyMaker Software Update and three other DesktopStandard products are also declared OVAL-compatible and are listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

MITRE to Host OVAL/CVE Booth at 32nd Annual CSI Conference
MITRE is scheduled to host an OVAL/CVE exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, at the Marriott Wardman Hotel in Washington, D.C., USA. The conference will expose OVAL and CVE to information security and network professionals from industry, academia, and government. Organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting. Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

MITRE Hosts OVAL/CVE Booth at FIAC 2005
MITRE hosted an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA. The conference exposed OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations listed in the OVAL-Compatible Products and Services section also exhibited. Visit the OVAL Calendar page for information about this and other upcoming events.

October 21, 2005
Version 5.0 Draft OVAL Schemas Now Available
Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section. Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

October 13, 2005
Version 4.2 Draft OVAL Schemas Now Available
Version 4.2 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.2 page. A complete list of the updates is available in the Status Reports on the Version 4.2 Schema section. Version 4.2 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 4.2 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

Version 4.3 Definition Interpreter Released
The Version 4.3 OVAL Definition Interpreters have been released to correct known issues and improve functionality. This update corrects several issues that could occur while running the Interpreter: PCRE has been upgraded to version 6.3 because of a known vulnerability in earlier versions of PCRE; the software and configuration result values were not being combined properly when computing the overall result for a definition; and the Windows Active Directory probe was not authenticating properly with the Active Directory Server. This update also adds support for the wmi_test. The Interpreter Source Code has also been updated. Use of the updated Definition Interpreters requires that you use the newest OVAL Data Files. We apologize for any inconvenience. Visit the Downloads page to download the latest Interpreters, Interpreter Source Code, and Data Files.

MITRE to Host OVAL/CVE Booth at FIAC 2005
MITRE is scheduled to host an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.
In addition, organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting. Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

October 6, 2005
MITRE Hosts OVAL/CVE Booth at IT Security World 2005, September 28th-29th
MITRE hosted an OVAL/CVE exhibitor booth at MISTI's IT Security World 2005 on September 28-29, 2005 in San Francisco, California, USA. The conference exposed OVAL and CVE to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.
Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

September 29, 2005
OVAL Compatibility Requirements Document Added to OVAL Web Site
Version 1.0 of the Requirements and Recommendations for OVAL and OVAL-ID Compatibility document has been posted in the Compatible Products and Services section of the OVAL Web site. The document details the specific ways in which an organization can make its information security tool, service, Web site, database, archive, or advisory/alert "OVAL-compatible" and/or "OVAL-ID compatible." You may also review the most current Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility from those organizations already participating.

"Upcoming Schema Changes" Section Updated with Version 4.2 OVAL Schema Information
An overview of the modifications currently planned for Version 4.2 of the OVAL Schema has been posted in the Upcoming OVAL Schema Changes section. Planned modifications to the OVAL Definition Schema, OVAL System Characteristics Schema, and OVAL Results Schema will include the addition of a component schema for HP-UX and a modification to the OVAL-ID format.

September 22, 2005
OVAL Board Holds Teleconference
The OVAL Board held a teleconference on Thursday, September 15, 2005, with 17 Board members and others participating. Topics included OVAL status updates, proposed major and minor OVAL Schema version changes, an intellectual property agreement proposal, and the OVAL and OVAL-ID Compatibility Program. You may also read the complete meeting minutes.

OVAL Announces "Calendar of Events" for Autumn 2005
The OVAL Initiative has announced its initial calendar of events for autumn 2005. Details regarding MITRE's scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events will be added throughout the year. Visit the OVAL Calendar page for information about these and other upcoming events.

September 16, 2005
KACE Networks, Inc. Makes Declaration of OVAL Compatibility
KACE Networks, Inc. has declared that its information technology management appliance, KBOX IT Management Suite 2.0, is OVAL-compatible. For additional information about this and other OVAL-compatible products and services, visit the Declarations of OVAL Compatibility page.

Compatibility with "OVAL-IDs" Added to OVAL Compatibility Program
"OVAL-ID Compatibility" has been added to the OVAL Compatibility Program as a second, distinct type of compatibility. Being compatible with OVAL-IDs means that a Web site, database, archive, or security advisory includes OVAL-IDs as references as part of the information it conveys about a security issue, and provides for searching by OVAL-ID. This is different from a product or service being "OVAL-compatible," in which a tool, service, Web site, database, or advisory/alert uses OVAL technical data such as schemas or definitions for communicating details of vulnerabilities, patches, or security policies. As part of this update, a "Declarations of OVAL-ID Compatibility" page has been added to the Compatible Products and Services section.

Sintelli Makes 3 Declarations of OVAL-ID Compatibility
Sintelli has declared that its vulnerability alert/notification service, Sintelli Alert; vulnerability alerting service, Sintelli SME; and its Sintelli Vulnerability Database, are OVAL-ID compatible. For additional information about these and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.

KACE Networks, Inc. Makes Declaration of OVAL-ID Compatibility
KACE Networks, Inc. has declared that its information technology management appliance, KBOX IT Management Suite 2.0, is OVAL-ID compatible. For additional information about this and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.
MITRE Corporation Makes Declaration of OVAL-ID Compatibility
MITRE Corporation has declared that its list of standardized names for information security vulnerabilities on the CVE Web site, the CVE List, is OVAL-ID compatible. For additional information about this and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.

OVAL Mentioned in KACE Networks, Inc. Press Release
OVAL was mentioned briefly in a September 12, 2005 press release from KACE Networks, Inc. entitled "KACE's KBOX Automates IT Management for Mid-Market Customers with Easy-to-Use, Unthinkably Comprehensive, Affordable Appliance." OVAL was mentioned as a feature of KACE's KBOX IT Management Suite 2.0: "Security Vulnerability Audit: Scans and reports on known security vulnerabilities based on the OVAL standard (covering almost 1000 vulnerabilities) endorsed by US Computer Emergency Readiness Team (US-CERT) and the [U.S.] Department of Homeland Security." In addition, KACE Networks, Inc. and its KBOX IT Management Suite 2.0 are listed on the Declarations of OVAL Compatibility and the Declarations of OVAL-ID Compatibility pages in the Compatible Products and Services section of the OVAL Web site.

September 1, 2005
BigFix, Inc. Makes Declaration of OVAL Compatibility
BigFix, Inc. has declared that its real-time security configuration management system, BigFix Enterprise Suite, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services section.

MITRE to Host OVAL/CVE Booth at IT Security World 2005, September 28th-29th
MITRE is scheduled to host an OVAL/CVE exhibitor booth at MISTI's IT Security World 2005 on September 28th - 29th at the Hyatt Regency in San Francisco, California, USA. The conference will expose OVAL and CVE to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Please stop by Booth 415 and say hello. In addition, organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting. Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

August 26, 2005
Slovenian CERT References OVAL-IDs in Security Advisory
The Slovenian Computer Emergency Response Team (SI-CERT) issued a security advisory for CVE name CAN-2004-0549 that included the following OVAL-IDs as references: OVAL1133, OVAL207, OVAL241, and OVAL519. OVAL-IDs are also used as references for security items in the U.S. National Vulnerability Database (NVD); Open Source Vulnerability Database (OSVDB); E-Soft, Inc.'s SecuritySpace.com vulnerability Web site; and the CVE List on the Common Vulnerabilities and Exposures (CVE) Web site. All OVAL Vulnerability Definitions are based upon CVE names.

August 22, 2005
OVAL Mentioned in Article about U.S. National Vulnerability Database on SecurityFocus.com
OVAL was mentioned in an August 12, 2005 article entitled "NIST, DHS add national vulnerability database to mix" on SecurityFocus.com. The main topic of the article is the U.S. National Vulnerability Database (NVD), which "scans the Common Vulnerability and Exposures (CVE), a listing of serious vulnerabilities ..." OVAL is mentioned in a quote by Peter Mell, a senior computer scientist at NIST, who states: "[CVE names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language." According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards." NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security. In addition, Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.

August 12, 2005
OVAL has upgraded its Web site with new information and new functionality to better serve our users. New functionality includes a centralized "OVAL Content" page for viewing or downloading the three classes of OVAL definitions, while new information includes the addition of a special "Focus On" column and the latest news headlines on the homepage, a new section about the reference OVAL Definition Interpreter in the FAQs, and a new centralized archive of the OVAL Board and Community Participation email list discussions, among other improvements.
Official OVAL Schemas Updated to Version 4.1
Version 4.1 of the OVAL Schemas is now available on the Official OVAL Schemas page. The OVAL Definition Interpreters, Interpreter Source Code, and Data Files have also been updated. Version 4.1 of the OVAL Schema includes the following: addition of the Independent Schema; addition of the UNIX Schema; addition of the "Red Hat Enterprise Linux 4" platform to the Red Hat Schema; addition of the "Sun Solaris 10" platform to the Solaris Schema; addition of the version attribute with a value of "4.1" to the xsd:schema root element of all Schema files; expansion of the <schema_version> element of all three core schemas (definition, result, system_characteristics) to accept decimals instead of just integers; possible extension of the Windows passwordpolicy_test; addition of optional XML signatures at the document level; addition of the Fedora platform name; and the addition of an optional aggregated result attribute on the criteria element. All of the updates incorporate modifications and revisions that are a direct result of feedback from users. The OVAL Core schemas and the component (Independent, Apple Macintosh, Cisco IOS, Debian Linux, Microsoft Windows, Red Hat Linux, Sun Solaris, and UNIX) schemas have been updated to Version 4.1, and the Definition Interpreters, Interpreter source code, and data files for Version 4.1 are available. The previous versions of the OVAL schemas, definitions, Definition Interpreters, Interpreter source code, and data files have been archived. Visit the Official OVAL Schemas page for the latest information on Version 4.1.

August 5, 2005
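Two items on this page touch the same mechanism: the Version 4.1 schema adds an optional aggregated result on the criteria element, and the Version 4.3 Interpreter (October 13 item) fixes a bug in which the software and configuration result values were not being combined properly into a definition's overall result. The following is an added example, not code from the OVAL project or the Definition Interpreter, showing what a correct combination looks like. Its result vocabulary (true, false, error, unknown, not evaluated, not applicable) and the AND/OR precedence rules are modeled on the combination semantics published with later versions of the OVAL Results schema and should be read as an assumption rather than as the 2005 schema text; the assumption that a definition's software and configuration sections are ANDed, the test ids, and the per-test results are all constructed for illustration.

```python
"""Combine per-test OVAL results into a definition result.

Added example, not code from the OVAL project or the Definition Interpreter.
The result vocabulary and the precedence rules in combine() are modeled on
the combination semantics published with later versions of the OVAL Results
schema; treat them as an assumption. The definition tree, test ids and
per-test results below are constructed and do not refer to a real definition.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Union

TRUE = "true"
FALSE = "false"
ERROR = "error"
UNKNOWN = "unknown"
NOT_EVALUATED = "not evaluated"
NOT_APPLICABLE = "not applicable"


@dataclass
class Criterion:
    """Leaf node: refers to one test by id; negate flips true/false."""
    test_id: str
    negate: bool = False


@dataclass
class Criteria:
    """Inner node: AND/OR over child criteria and criterions."""
    operator: str = "AND"
    negate: bool = False
    children: List[Union["Criteria", Criterion]] = field(default_factory=list)


def negate_result(result: str) -> str:
    """Negation only swaps true and false; error/unknown/etc. pass through,
    so a failed probe can never be turned into a clean 'not vulnerable'."""
    return {TRUE: FALSE, FALSE: TRUE}.get(result, result)


def combine(operator: str, results: List[str]) -> str:
    """Fold child results with AND/OR precedence (assumed rules, see above).

    AND: any false wins; otherwise error, then unknown, then not evaluated
         take precedence over true; all-not-applicable stays not applicable.
    OR:  any true wins; otherwise error, then unknown, then not evaluated
         take precedence over false; all-not-applicable stays not applicable.
    """
    if not results:
        raise ValueError("criteria must have at least one child")
    if all(r == NOT_APPLICABLE for r in results):
        return NOT_APPLICABLE
    present = set(results)
    if operator == "AND":
        decisive, fallback = FALSE, TRUE
    elif operator == "OR":
        decisive, fallback = TRUE, FALSE
    else:
        raise ValueError(f"unsupported operator {operator!r}")
    for candidate in (decisive, ERROR, UNKNOWN, NOT_EVALUATED):
        if candidate in present:
            return candidate
    return fallback


def evaluate(node: Union[Criteria, Criterion], test_results: Dict[str, str]) -> str:
    """Evaluate a criteria tree; a test with no recorded result is 'not evaluated'."""
    if isinstance(node, Criterion):
        result = test_results.get(node.test_id, NOT_EVALUATED)
    else:
        result = combine(node.operator, [evaluate(c, test_results) for c in node.children])
    return negate_result(result) if node.negate else result


def definition_result(software: Criteria, configuration: Criteria,
                      test_results: Dict[str, str]) -> str:
    """Overall result of a 4.x-style definition with separate software and
    configuration sections. Assumption: the two sections are ANDed, since a
    vulnerable build that is not exposed by its configuration is not reported."""
    return combine("AND", [evaluate(software, test_results),
                           evaluate(configuration, test_results)])


# Constructed sample (hypothetical test ids): the affected build is present,
# one configuration probe says the exposing service is off, the other errored.
SOFTWARE = Criteria("AND", children=[Criterion("tst:file-version-before-fix")])
CONFIGURATION = Criteria("OR", children=[Criterion("tst:service-enabled"),
                                         Criterion("tst:registry-override-present")])
SAMPLE_RESULTS = {
    "tst:file-version-before-fix": TRUE,
    "tst:service-enabled": FALSE,
    "tst:registry-override-present": ERROR,
}

if __name__ == "__main__":
    # Combined correctly, the definition reports "error", not a misleading "false".
    print(definition_result(SOFTWARE, CONFIGURATION, SAMPLE_RESULTS))
</br>```

The point a practitioner should take from the sample is the precedence order: a probe that errors out must surface as error in the definition result, because silently collapsing it to false is exactly the kind of "combined improperly" bug that makes a scanner report a vulnerable host as clean.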
Assuria Limited Makes Declaration of OVAL Compatibility
Assuria Limited has declared that its host-based vulnerability assessment tool, Assuria Auditor, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

Andrew Bove of Secure Elements, Inc. has joined the OVAL Board. Nick Connor of Assuria Limited has joined the OVAL Board.

Release Candidates of the Version 4.1 OVAL Schemas Now Available
Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 4.1 page. The Version 4.1 Schemas are currently scheduled to move to the Official stage on August 12, 2005.

Meeting Minutes from OVAL Developer Days Now Available
Meeting minutes from the OVAL Developer Days meeting on July 18th-19th at MITRE Corporation in Bedford, Massachusetts are now available on the OVAL Documents page. 35 members of the OVAL Community from 14 organizations attended the event. The original briefing slides are also available.

U.S. National Vulnerability Database Includes OVAL-IDs as References
OVAL-IDs are included as references in the U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD). NVD is searchable by OVAL-ID, as well as by CVE Name, US-CERT Technical Alerts and/or US-CERT Vulnerability Notes. According to the NVD Web site, "NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard." All OVAL Vulnerability Definitions are based upon CVE names. NVD and OVAL are both sponsored by the U.S. Department of Homeland Security.

July 28, 2005
MITRE Hosts OVAL Developer Days, July 18th - 19th
The OVAL Initiative hosted our first-ever OVAL Developer Days meeting on July 18th and July 19th at MITRE Corporation in Bedford, Massachusetts. 35 members of the OVAL Community from 14 organizations attended the event. Developer Days was a success and brought together numerous members of the OVAL Community to discuss, in technical detail, the more difficult issues facing the current and future versions of the OVAL Schema and to derive solutions that benefit all concerned parties and continue the development of the language. Review the briefing slides. The meeting minutes will be available soon. An announcement will be posted on this News page when they are available, or you may sign-up for OVAL's free e-Newsletters to receive this and other news about OVAL.
Revised Drafts of the Version 4.1 OVAL Schemas Now Available
Revised drafts of Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.1 page. The Timeline for Version 4.1 has been revised to reflect these revisions. Version 4.1 is posted with "Draft" status; the current "Official" version of OVAL is Version 4. Comments on the draft Version 4.1 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Presents Briefing at the New England Electronic Crimes Task Force Meeting on July 26th
OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL/CVE at the New England Electronic Crimes Task Force Meeting on July 26th, 2005 in Wellesley, Massachusetts, USA. The Electronic Crimes Task Force includes members from industry as well as local, state, and federal law enforcement and was created to "help prevent and when necessary, prosecute these new kinds of [electronic and computer] crimes." Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

July 8, 2005
Version 4.1 OVAL Schemas Now Available
Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.1 page. A complete list of the updates is available in the Status Reports on the Version 4.1 Schema section, or you may read the "Introduction to OVAL Schema, Version 4.1" white paper. Version 4.1 is posted with "Draft" status; the current "Official" version of OVAL is Version 4. Comments on the draft Version 4.1 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Introductory White Paper Updated
The OVAL introductory white paper, "Introduction to OVAL: A Language to Determine the Presence of Computer Vulnerabilities and Configuration Issues," has been updated to correspond with the most recent information about OVAL. The document is posted in the "Articles/Briefings/Papers/etc." section on the OVAL Documents page.

Updated OVAL Brochure Now Available
The OVAL Brochure has been updated. The brochure provides a complete overview of the OVAL initiative, including a graphical representation of how OVAL works, and is posted on the OVAL Documents page.

July 1, 2005
MITRE to Host OVAL Developer Days, July 18th & 19th
The OVAL Initiative will host our first-ever OVAL Developer Days meeting on Monday, July 18th and Tuesday, July 19th at MITRE Corporation in Bedford, Massachusetts. Though direct invitations have been issued to OVAL Board Members, organizations with OVAL-Compatible Products/Services, and other experts, all members of the OVAL Community are welcome to attend. The purpose of the meeting is for the OVAL Community to discuss, in technical detail, the more difficult issues facing the current version of the OVAL Schema, Version 4, and to drive development of Version 5. By bringing together the leading proponents of the OVAL Community, we hope to derive solutions that will benefit all parties and continue the development of the language. Visit the OVAL Developer Days page and Meeting Q&A for more information about this event. You may also review the Meeting Agenda. We look forward to seeing you.

Conference Photos of OVAL Booth at NetSec 2005
MITRE hosted an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15th, 2005 in Scottsdale, Arizona, USA.
June 23, 2005
netForensics, Inc. Makes Declaration of OVAL Compatibility
netForensics, Inc. has declared that its security information management system, netForensics nFX Open Security Platform, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

OVAL Board Holds Teleconference
The OVAL Board held a teleconference on Thursday, June 16, 2005, with 15 Board members and others participating. Topics included OVAL status updates, the proposed minor version change to the Version 4.1 of the OVAL Schema, the new "Introduction to OVAL Schema, Version 4.1" white paper, and OVAL Compatibility. You may also read the complete meeting minutes.

Preventsys, Inc. Press Release Announces OVAL Compatibility and Appointment to OVAL Board
Preventsys, Inc. issued a press release on June 14, 2005 entitled "Preventsys to Support OVAL Standard to Further Broaden Support for Common Vulnerability Definitions." The release announces that the "Preventsys Enterprise Security Management (ESM) System is now compatible with the Open Vulnerability and Assessment Language (OVAL) standard" and "To complement Preventsys' support for OVAL, Preventsys has also announced that senior vice president of engineering and operations J. Patrick Ravenel has been appointed to the OVAL Board, a select group of security experts chosen to oversee the development of this 'emerging standard.'" The release describes what the OVAL effort is and isn't, the makeup and purpose of the OVAL Board, and includes a link to the OVAL Web site. The release also includes a quote from Ravenel, who states: "Preventsys supports and encourages the adoption of common standards, such as OVAL, because they allow our customers to get more accurate views of their enterprise-wide security posture, without product customization.
The adoption of standards like OVAL is an important step in gaining a better understanding of IT security risk and compliance with policies and regulations, especially when multiple-integrated tools must be supported." Preventsys is a member of the OVAL Board and its Preventsys ESM System is listed in the OVAL-Compatible Products and Services section.

June 16, 2005
Two New OVAL Board Members
John Wilson and Varugis Kurien of Microsoft Corporation have joined the OVAL Board.

MITRE Hosts CVE/OVAL Booth at NetSec 2005
MITRE hosted an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 -15, 2005 in Scottsdale, Arizona, USA. The conference was successful and introduced OVAL and CVE to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals. Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

June 10, 2005
"Introduction to OVAL Schema, Version 4.1" Document Now Available
A new white paper entitled "Introduction to OVAL Schema, Version 4.1" has been posted on the OVAL Documents page. The document describes what the OVAL Schema is; how it has changed; how it is versioned, including minor and major versions; and the Schema review process. It also introduces modifications for OVAL Version 4.1, currently scheduled for release in July. Technical aspects of the OVAL Schemas, such as the descriptions of valid elements and attributes, are documented in the OVAL Elements Dictionaries. Comments about the document are welcome on the OVAL Community Forum, or you may contact us directly at oval@mitre.org.

Upcoming Schema Changes Section Updated with Version 4.1 OVAL Schema Information
An overview of the modifications planned for Version 4.1 of the OVAL Schema has been posted in the Upcoming OVAL Schema Changes section. A more thorough discussion of the changes is included in "Introduction to OVAL Schema, Version 4.1."

New OVAL Board Member
Patrick Ravenel of Preventsys, Inc. has joined the OVAL Board.

New OVAL Board Member
Robert Hollis of ThreatGuard, Inc. has joined the OVAL Board.

1,000+ Definitions Now Have "Accepted" Status
Of the 1,079 OVAL Definitions now available to the public on the OVAL Web site, 976 have Accepted status, 88 Interim status, and 15 Draft status. Of these, 748 definitions are for Microsoft Windows, 203 definitions for Red Hat Linux, and 128 definitions for Sun Solaris. A complete breakdown of definitions by operating system family, and by individual platforms, is available on the OVAL Statistics page.

June 2, 2005
nCircle Network Security, Inc. Makes Two Declarations of OVAL Compatibility
nCircle Network Security, Inc. has declared that its IP360 Vulnerability Management System, and its real-time threat prioritization intrusion detection system (IDS), nTellect for Cisco IDS, will be OVAL-compatible. For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

OVAL/CVE Booth Number Changed for NetSec 2005
MITRE's OVAL/CVE exhibitor booth number for NetSec 2005 Conference & Exhibition, June 13-15, 2005 in Scottsdale, Arizona, USA, has been changed from E13 to D7. Organizations listed on the OVAL Board and OVAL-Compatible Products and Services pages will also be exhibiting. Please stop by any of these booths and say hello. Visit the OVAL Calendar page for information on this and other upcoming events.

May 19, 2005
DesktopStandard Corporation Makes Four Declarations of OVAL Compatibility
DesktopStandard Corporation has declared that its patch vulnerability assessment and remediation product, PolicyMaker Software Update, its configuration vulnerability assessment and remediation product, PolicyMaker Standard Edition, its application/task privilege vulnerability assessment and remediation product, PolicyMaker Application Security, and its registry-based vulnerability assessment and remediation product, PolicyMaker Registry Extension, will be OVAL-compatible. For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

May 12, 2005
"How OVAL Works" Illustration Added to OVAL Web Site
A graphical representation of How OVAL Works has been added to the About OVAL section of the OVAL Web site. The illustration shows how OVAL and information security tools and services compatible with OVAL Definitions, the OVAL System Characteristics Schema, and/or the OVAL Results Schema improve the vulnerability management process.

May 5, 2005
MITRE to Host OVAL/CVE Booth at NetSec 2005, June 13th - 15th
MITRE is scheduled to host an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15, 2005 in Scottsdale, Arizona, USA. The conference is targeted to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals. Please stop by Booth E13 and say hello. In addition, organizations listed on the OVAL-Compatible Products and Services page will also be exhibiting. Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

April 29, 2005
Senior Advisory Council Holds Meeting
The CVE Senior Advisory Council, which also provides oversight for the OVAL effort, held a meeting on Monday, April 25, 2005. Topics included U.S. Department of Defense (DOD) vulnerability management using XCCDF (the Extensible Configuration Checklist Description Format), OVAL, and CVE; the U.S. Department of Energy's (DOE) enterprise-wide Microsoft license and contract; an update on Center for Internet Security (CIS) information security benchmarks and tools; and status updates on CME, CVE, and OVAL. MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding, and to help us all understand potential relationships with other ongoing activities, share information, and promote synergy across the security community. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. Visit the CVE Web site to view a list of the advisory council members or to read a copy of the council charter.

OVAL Standards Effort a Main Topic of Article in CrossTalk
OVAL was a main topic in an article by OVAL Compatibility Lead Robert A. Martin entitled "Transformational Vulnerability Management Through Standards" in the May 2005 issue of CrossTalk, The Journal of Defense Engineering. The article discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the OVAL and CVE standards efforts.
The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency's Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."

OVAL is mentioned throughout this article, in which the author describes what OVAL is and isn't, mentions that there are organizations that have made declarations of OVAL Compatibility, and describes OVAL definitions and the Official OVAL Schemas and their potential uses. How OVAL improves vulnerability assessment is also described in the caption to an illustration entitled "Standard-Based IAVA Process," in which the author notes that the new Information Assurance Vulnerability Alert (IAVA) requirements call for the use of "OVAL definitions on how to identify the new issue. Assessment tools are capable of using the OVAL definitions; they report their findings per the OVAL results XML standard. These same standard-based results are fed into the reporting process and the remediation process. Various procurements have started requiring support for the standards that will enable the transition to this new IAVA process. Work in transforming current checklists and checking guidelines into these standards is also under way, which will set the stage for the formal process to be changed."

The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network-centric warfare capabilities."

OVAL Mentioned in Article about Software Vulnerabilities in InfoSecurity Magazine

OVAL was mentioned in a May 15, 2005 article about software vulnerabilities entitled "CA exposure provokes disclosure debate" in InfoSecurity Magazine. OVAL is mentioned in a section about vulnerability assessment in which the author states: "The aim of the Open Vulnerability [and] Assessment Language initiative . . . [is] to provide a standardised way for the industry to define vulnerabilities and their seriousness and widespread industry adoption is expected to follow over the coming year." The article also includes a discussion with OVAL Board Member Gerhard Eschelbeck of Qualys, Inc., in which the author of the article states: "The next stage after vulnerability assessment is to ensure that patching activities are automated as much as possible and are up-to-date and verified. While Eschelbeck acknowledges that patching everything constantly is impossible, he says that [the new universal Common Vulnerability Scoring System (CVSS)], which was released to vendors a few weeks ago at the RSA conference, should make prioritisation easier." Qualys, Inc. is a member of the OVAL Board, and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.
MITRE created and manages the OVAL and CVE projects, both of which are sponsored by US-CERT at the Department of Homeland Security.

OVAL Participates in Panel Discussion at DOE Cyber Security Group Training Conference on April 21st

OVAL Compatibility Lead Robert A. Martin participated in a panel discussion entitled "Building Security into the Enterprise," in which OVAL and CVE were topics of discussion, at the 27th Department of Energy (DOE) Cyber Security Group (CSG) Training Conference on April 21, 2005 in Denver, Colorado, USA. Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at DOE Cyber Security Chiefs Council Meeting on April 20th

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL and CVE to the Department of Energy (DOE) Cyber Security Chiefs Council Meeting on April 20, 2005 in Denver, Colorado, USA. Visit the OVAL Calendar page for information on this and other upcoming events.

April 21, 2005
OVAL Working Group Holds Teleconference

OVAL's Unauthenticated Remote Tests Working Group held a teleconference meeting on Thursday, April 7, 2005, with nine members participating. Those interested may read the complete meeting minutes. To join the working group, first subscribe to the "OVAL Developer's Email List" on the OVAL Community Forum sign-up page. After receiving a confirmation verifying your addition to the list, submit a message expressing your interest in addressing unauthenticated remote scanning to join the group. We welcome your participation.

OVAL Main Topic of Article about Vulnerability Assessment on SecurityPark.net

OVAL was the main topic of an April 15, 2005 article entitled "From SATAN to OVAL: The Evolution of Vulnerability Assessment" on SecurityPark.net. In this article, written by OVAL Board Member Gerhard Eschelbeck of Qualys, Inc., the author describes what OVAL is and isn't, mentions that OVAL is a community effort, notes the platforms supported by OVAL, mentions that there are declarations of OVAL Compatibility, and describes the OVAL Definition Schema, OVAL System Characteristics Schema, and OVAL Results Schema and their potential uses. The author further states: "OVAL aims to standardize and define a structured process for identifying and communicating vulnerability and configuration information from the point of knowledge of a vulnerability to the point of action. Vulnerability Assessment has