News and Events - 2006 Archive

OVAL Version 5.2 in Planning Stage

Version 5.2 of the OVAL Language is currently in the Planning stage and is scheduled to be moved to the Official stage on January 31, 2007. Version 5.2 will be a minor version update to fix some minor bugs in the Windows Component Schemas and to update the documentation. As this is a minor version change Version 5.2 will not invalidate existing content that currently validates against Version 5.1, the current official version of OVAL. A complete list of changes for Version 5.2 is available on the Upcoming Minor Version page.

OVAL-Related Work Page Added to OVAL Web Site

An OVAL-Related Work page has been added to the OVAL Web site. The new page provides information of about work in the community that is related to or directly involves OVAL. The first item is OVAL Board member PatchLink Corporation's Service Oriented Architecture (SOA), which is built around OVAL and is intended to encourage cooperative development and interoperability between vendor products.

OVAL Presents Briefing at 22nd Annual Computer Security Applications Conference

OVAL presented a briefing that included OVAL entitled "Host Based Security Assessment: Standards to Implementations" at the 22nd Annual Computer Security Applications Conference at the Miami Beach Resort & Spa in Miami Beach, Florida, USA on December 11, 2006. The purpose of the conference itself was to provide "security professionals from government, academia, and the computer security industry the opportunity to exchange practical solutions to real world security problems."

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CCE/CWE/CME, and/or other vulnerability management topics at your event.

Configuresoft, Inc. Makes Declaration of OVAL Compatibility

Configuresoft, Inc. declared that its configuration discovery, management, compliance, and remediation product, Enterprise Configuration Manager, will be compatible with Version 5.1 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Scheduled to Present Briefing at 22nd Annual Computer Security Applications Conference

OVAL is scheduled to present a briefing that will include OVAL entitled "Host Based Security Assessment: Standards to Implementations" at the 22nd Annual Computer Security Applications Conference at the Miami Beach Resort & Spa in Miami Beach, FL on December 11, 2006. The purpose of the conference itself, which runs December 11th-15th, is to provide "security professionals from government, academia, and the computer security industry the opportunity to exchange practical solutions to real world security problems."

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CCE/CWE/CME, and/or other vulnerability management topics at your event.

OVAL Holds Compatibility Correctness Testing Session on November 16th

MITRE held an OVAL Compatibility Correctness Testing session on November 16, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations participating included MMG Security, Inc. for its Sussen vulnerability assessment and policy compliance product. Compatibility results will be posted on the OVAL–Compatible Products and Services page as they are available.

Organizations with compatibility declarations interested in participating in future sessions may register by contacting oval@mitre.org.

'Red Hat Network' Now Including Direct Links to OVAL Definitions

Red Hat, Inc. announced on November 8, 2006 that the security advisories on its public Red Hat Network will now contain direct links to relevant OVAL Definitions. The announcement references an example and includes a link to their Red Hat and OVAL Compatibility page.

Red Hat, Inc. is a founding member of the OVAL Board and its Red Hat Errata security advisories are listed on the Other Repositories and the OVAL-Compatible Products and Services pages.

OVAL Interpreter Updated

The OVAL Interpreter was updated to Version 5.1 on November 6, 2006. Specific updates to the OVAL Interpreter included: addition of support for Version 5.1 of the OVAL Language; fixed several minor issues reported by the OVAL Community; enabled the Interpreter to generate evaluation results in customizable html; improved the data collection processes to greatly reduce the number of error results generated during evaluation; repackaged Red Hat distributions to address installation errors reported by the OVAL Community; and cleaned up the Linux source distribution.

The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

Version 5.1 of OVAL Now Available

Version 5.1 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.

Version 5.1 is a minor version change and includes the following: added an OVAL Variables Schema, FreeBSD portinfo_test, slackwarepkginfo_test, xinetd_test, new entities to the windows file state, REG_NONE to the registry type enumeration, <xsd:any> to system information, optional comments to individual objects and states, optional comments to individual collected objects, optional xml signature elements to the element, and optional xml signature to the test, object, state, and variable; fixed the type associated with <trustee_sid> and the type associated with <end> function; made the <interfaces>element of system info optional;and improved Schematron for full/thin results. This minor version change Version 5.1 will not invalidate existing content that currently validates against Version 5.0. See the Version 5.1 page for more information.

The following have been updated to Version 5.1:

• OVAL Definition schema
• OVAL System Characteristics schema
• OVAL Results schema

The following are also available for using Version 5.1:

• OVAL Interpreter
• Interpreter Source Code
• Data Files
• Bulk Content Download

The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.1.

OVAL to Hold Compatibility Correctness Testing Session on November 15th

MITRE will hold an OVAL Compatibility Correctness Testing session on November 15, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.

Top OVAL Repository Contributors Now Recognized on the OVAL Web Site

Active participation is important to the success of OVAL. Leading contributors to the OVAL Repository are now listed on the OVAL Repository Statistics page, including both individuals and organizations that have either created new definitions or modified existing definitions. The number of definitions for each person or organization is also included. Major contributors to the Repository, as well as to the Language, are listed on the Major Contributors page in the OVAL Community section.

RSS Feeds Now Available for Latest OVAL News Articles and OVAL Repository Updates

OVAL is now offering RSS Feeds of the latest OVAL News and of updates to the OVAL Repository. RSS (Really Simple Syndication) is an XML-based format for sharing and distributing Web content to RSS Readers (also called a News Reader or an RSS Aggregator). To subscribe to either feed, follow the directions on the RSS Feeds page or look for the orange graphic in the left main menu and copy the URL then paste it into your RSS Reader. Please also read our RSS FAQs and RSS Terms of Use.

OVAL Hosts Booth at FIAC 2006

MITRE hosted an OVAL/CVE/CCE/CWE/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25–26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed OVAL, CVE, CCE, CWE, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the OVAL Calendar page for information about this and other upcoming events.

OVAL Presents Briefing at Tactical Information Assurance 2006

OVAL presented a briefing about OVAL/CVE/CWE entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced OVAL, CVE, and CWE to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.

MMG Security, Inc. Makes Declaration of OVAL Compatibility

MMG Security, Inc. declared that its vulnerability assessment and policy compliance product, Sussen, is compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL to Present Briefing at Tactical Information Assurance 2006

OVAL is scheduled to present a briefing about OVAL/CVE/CWE entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference will introduce OVAL, CVE, and CWE to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.

OVAL Holds Compatibility Correctness Testing Session on October 4th

MITRE held an OVAL Compatibility Correctness Testing session on October 4, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. Organizations participating included BigFix, Inc. for its BigFix Enterprise Suite; PatchLink Corp. for its PatchLink OVAL Add-In (Special Edition), Version 6.3; and KACE Networks, Inc. for its KBOX 1000 Series Systems Management Appliances. Compatibility results will be posted on the OVAL–Compatible Products and Services page as they are available.

Another session is currently scheduled for November 15, 2006. Organizations with compatibility declarations interested in participating may register for either session by contacting oval@mitre.org.

OVAL to Host Booth at FIAC 2006

MITRE is scheduled to host an OVAL/CVE/CCE/CWE/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25–26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose OVAL, CVE, CCE, CWE, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

Visit the OVAL Calendar page for information about this and other upcoming events.

OVAL Included in News Release about ThreatGuard, Inc.'s Free FISMA Compliance Product

OVAL was included in a September 19, 2006 news release from ThreatGuard, Inc. entitled "ThreatGuard Releases FISMA Scout Compliance & Remediation System." The main focus of the release is ThreatGuard's FISMA Scout compliance and remediation system that consumes "… the automated checklist content from the National Institute of Standards and Technology (NIST) and perform[s] compliance assessments, remediation activities, and scoring." In addition to being included throughout the list of the product's features, OVAL is mentioned in a quote by ThreatGuard's Chief Technology Officer Randal Taylor, who states: "NISTs adoption of XCCDF and OVAL for their checklist content dramatically shifts the industry in a way that is good for the end-user. We are very excited to release FISMA Scout." ThreatGuard's FISMA Scout is free to download.

ThreatGuard, Inc. is a member of the OVAL Board and its ThreatGuard 4.5, ThreatGuard OEM Integration Kit 1.0, ThreatGuard On Demand 1.0, and ThreatGuard Traveler 4.5 products are listed in the OVAL-Compatible Products and Services section.

OVAL Included in News Release about Secure Elements' "Zero-Cost Public Service License" for Public Sector and Non-Profit Organizations

OVAL was included in a September 19, 2006 news release from Secure Elements, Inc. entitled "Secure Elements Announces Public Service License." The main focus of the release is Secure Elements' announcement that they now offer "a zero-cost Public Service License to approved organizations public sector and non-profit public service entities." OVAL is mentioned in a description of their C5 EVM product, which is "built upon several key XML Standards: Open Vulnerability Assessment Language (OVAL 5.0), and the eXtensible Configuration Checklist Description Format (XCCDF) as promoted by the Department of Homeland Security (DHS), the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), the Defense Information Systems Agency (DISA), and others. In response to the Cyber Security Research and Development Act of 2002, NIST developed the Security Configuration Checklists Program for IT Products, for which they are now publishing checklists in the XCCDF format."

Secure Elements, Inc. is a member of the OVAL Board and its product C5 EVM product is listed in the OVAL-Compatible Products and Services section.

OVAL Hosts Booth at IT Security World 2006

MITRE hosted an OVAL/CVE/CCE/CWE/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CME, CVE, CCE, CWE, and OVAL to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.

OVAL to Hold Compatibility Correctness Testing Session on October 4th

MITRE will hold an OVAL Compatibility Correctness Testing session on October 4, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. For those unable to attend, another session is currently scheduled for November 15, 2006. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.

OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference

OVAL was a main topic of the U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, on September 19th MITRE participated in a Q&A panel discussion about OVAL, presented a briefing about OVAL, and participated in a briefing about XCCDF. OVAL was also included in Secure Elements, Inc.'s briefing about XCCDF and was the main topic of product presentations byThreatGuard, Inc. and Citadel Security Software, Inc.

The purpose of the workshop was to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.

nCircle Network Security, Inc. Makes Declaration of OVAL Compatibility

nCircle Network Security, Inc. declared that its vulnerability management system, IP360 Vulnerability Management System, and its real-time threat prioritization system, nTellect for Cisco Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Interpreter Updated

The OVAL Interpreter has been updated to add support for data collection of several Windows objects to enable the Interpreter to properly process OVAL Vulnerability and Compliance Definitions for Windows. A list of updates and fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, August 31, 2006, with 16 Board members and others participating. Topics included an OVAL status update; NIST's upcoming "National Security Automation Conference & Workshop" and its OVAL and XCCDF focus, Board member roles and responsibilities, and OVAL cross-marketing opportunities. You may also read the complete meeting minutes.

OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference, September 18th -19th

OVAL will be a main topic of the upcoming U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, on September 19th MITRE will participate in a Q&A panel discussion about OVAL, present a briefing about OVAL, and participate in a briefing about XXCDF. OVAL will also be the main topic of product presentations by ThreatGuard, Inc. and Citadel Security Software, Inc.

The purpose of the workshop itself is to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.

Assuria Limited Makes Declaration of OVAL Compatibility

Assuria Limited declared that its vulnerability assessment and policy compliance product, Assuria Auditor, will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

PatchLink Corporation Makes Declaration of OVAL Compatibility

PatchLink Corporation declared that its enterprise patch management system, PatchLink Update, will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

NIST Releases Beta Version of OVAL/XCCDF Content

The U.S. National Institute of Standards and Technology's (NIST) has released a beta version of OVAL/Extensible Configuration Checklist Description Format (XCCDF) content for its Security Content Automation Project, which "integrates several currently independent government sponsored initiatives to standardize both format and data content with respect to vulnerability identification and remediation."

According to the NIST Web site, for the Beta version of the XML files, "... information that is programmatically ascertainable is confined to the OVAL XML file (i.e., Major patch level, architecture (32, 64, sparc, etc.) This academic separation was conscious so that OVAL compliant product vendors could use the content without adopting the XCCDF standard. Although the OVAL content is offered in this 'self-contained' format, the XCCDF counterpart provides the grouping of OVAL definitions into NIST Special Publication 800-53 technical controls." In addition, the "XCCDF XML only contains policy information (information that is not programmatically ascertainable) and follows the same template for all NIST produced documents. We will couple the environment as defined in the SP800-68 (Standalone, Enterprise, SSLF, and legacy) with the FIPS-199 impact rating of the system (Low, Moderate, or High) as defined in 800-53 to determine the applicability of settings, patches, add-on software, etc."

See NIST Security Content Automation Project on the NIST Web site for more information and to access the download.

OVAL to Host Booth at IT Security World 2006

We are scheduled to host an OVAL/CVE/CWE/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose OVAL, CVE, CCE, CWE, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL Interpreter Updated

The OVAL Interpreter has been updated to add support for external variables, a type of variable commonly used in OVAL Compliance Definitions that allow values to be provided at run time from an external source. Some minor bug fixes have also been addressed. A list of updates and fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

Photos of OVAL Booth at Black Hat 2006

MITRE hosted an OVAL, CVE, CWE, CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 in Las Vegas, Nevada, USA. Photos from the event are included below:

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL Hosts Booth at Black Hat Briefings 2006

MITRE hosted an OVAL/CVE/CWE/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event exposed OVAL, CVE, CWE, and CME to a diverse audience of information security-focused attendees from around the world.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CWE/CME, and/or other vulnerability management topics at your event.

Meeting Minutes from OVAL Developer Days Now Available

Meeting minutes from the OVAL Developer Days conference on July 11-12, 2006 at MITRE Corporation in Bedford, Massachusetts, USA are now available. 33 members of the OVAL community from 15 organizations attended the event. The original briefing slides are also available.

ThreatGuard, Inc. Registers Two Additional Products as Officially "OVAL-Compatible"

ThreatGuard, Inc. declared that its on-demand auditing and compliance management product, ThreatGuard On Demand, and its libraries for building OVAL Compatibility into third-party systems product, ThreatGuard OEM Integration, are OVAL-compatible. ThreatGuard also posted an OVAL Compatibility Questionnaire for ThreatGuard On Demand and an OVAL Compatibility Questionnaire for ThreatGuard OEM Integration Kit for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing for both products. ThreatGuard On Demand and ThreatGuard OEM Integration are now registered as "Officially OVAL-Compatible." ThreatGuard’s ThreatGuard and ThreatGuard Traveler products were previously registered as compatible.

For additional information about these and other compatible products, visit OVAL–Compatible Products and Services and Declarations to Be OVAL–Compatible.

Secure Elements, Inc. Product Now Registered as Officially "OVAL-Compatible"

Secure Elements, Inc. has posted an OVAL Compatibility Questionnaire for C5 Enterprise Vulnerability Management (EVM) for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. C5 Enterprise Vulnerability Management (EVM) is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL–Compatible Products and Services and Declarations to Be OVAL–Compatible.

New OVAL Board Member

Scott Carpenter of Secure Elements, Inc. has joined the OVAL Board. Andrew Bove also represents Secure Elements.

New OVAL Board Member

N. Reddy Velagala of netForensics has joined the OVAL Board.

OVAL Interpreter Updated

The OVAL Interpreter has been updated to address some minor bug fixes. A list of the fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

OVAL Mentioned in Article about Information Security Standards Efforts in Healthcare Informatics Online

OVAL was mentioned in an article entitled “The 411 on CVE” in the July 2006 issue of Healthcare Informatics Online. The main focus of the article is the success of the Common Vulnerabilities and Exposures (CVE) standard and of the U.S. National Vulnerability Database (NVD) that is built upon CVE identifiers and includes OVAL-IDs as references.

OVAL is mentioned with regard to “automated compliance checking and configuration … [that] could be accomplished using OVAL (Open Vulnerability and Assessment Language) — also being developed by MITRE and XCCDF (Extensible Configuration Checklist Description Format) — the XML-based checklist technology developed by NIST and the National Security Agency.” OVAL is mentioned again when the author states: “the Department of Defense has taken the formal step of requiring that information assurance vendors supply CVE- and OVAL-capable products, and MITRE engineers have outlined the way these technologies would interact with XCCDF in automated machine-to-machine vulnerability mitigation operations.”

OVAL, CVE, and NVD are sponsored by the U.S Department of Homeland Security.

OVAL Hosts Second OVAL Developer Days, July 11th - 12th

OVAL hosted our second OVAL Developer Days (PDF, 141K) conference on July 11-12, 2006 at MITRE Corporation in Bedford, Massachusetts, USA. 33 members of the OVAL Community from 15 organizations attended the event.

Developer Days was a success and brought together numerous members of the OVAL Community to discuss, in technical detail, the more difficult issues facing the current and future versions of OVAL and to derive solutions that benefit all concerned parties and continue the development of the OVAL Language. Specific talks included: A look at Version 5, OVAL Repository Quality, XCCDF-P, OVAL Compatibility, and FISMA Turning Toward OVAL. Review the briefing slides.

The meeting minutes will be available soon. An announcement will be posted on this News page when they are available, or you may sign-up for OVAL's free e-Newsletters to receive this and other news about OVAL.

Photos from the event are included below:

OVAL Holds Compatibility Correctness Testing Session on July 13th

MITRE held an OVAL Compatibility Correctness Testing session on July 13, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. Organizations participating included ThreatGuard, Inc. for its ThreatGuard 3.0 and ThreatGuard Traveler products; Red Hat, Inc. for its Red Hat Errata; and Secure Elements, Inc. for its C5 Enterprise Vulnerability Management (EVM) system. All four passed and are now listed as "Officially OVAL-Compatible" with Version 5.0 on the OVAL–Compatible Products and Services page.

OVAL Mentioned in Product Review in InfoWorld Magazine

OVAL was mentioned in a product review entitled "Kace offers IT automation sized right for SMBs" in the July 7, 2006 issue of InfoWorld. OVAL is mentioned when the author states: "On the vulnerability testing front, KBOX supports OVAL (Open Vulnerability and Assessment Language), [an aspect of which is] a common vulnerability assessment infrastructure also found in offerings from the SEM heavyweights. This common description language for security events standardizes the assessment process, and it's nice to see it in an SMB appliance."

KACE Networks, Inc. and its KBOX IT Management Suite are listed on the OVAL–Compatible Products and Services page.

OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference, September 18th-19th

OVAL will be a main topic of the upcoming U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, MITRE will present a briefing about OVAL and will participate in a briefing about XXCDF on September 19th.

The purpose of the workshop itself is to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CWE, CME, and/or other vulnerability management topics at your event.

Scalable Software, LLC Makes Declaration of OVAL Compatibility

Scalable Software, LLC declared that its security configuration and policy compliance checker, Command Center (CC) Examiner, will be OVAL-compatible. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL to Host Booth at Black Hat Briefings 2006

MITRE is scheduled to host a OVAL/CVE/CWE/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event will expose OVAL, CVE, CWE, and CME to a diverse audience of information security-focused attendees from around the world.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CWE, CME, and/or other vulnerability management topics at your event.

OVAL Compatibility Main Topic of News Release by Red Hat, Inc.

Red Hat, Inc. issued a news release on June 21, 2006 entitled "Red Hat Announces OVAL Security Compatibility." The release announces that its Red Hat Enterprise Linux 3 and 4 security advisories are officially OVAL-Compatible and that "Red Hat will now produce and support OVAL patch definitions to provide a structured and machine-readable version of advisories, allowing OVAL-compatible tools to accurately test for the presence of vulnerabilities."

The release also includes a quote from OVAL Board member and Red Hat Security Response Team Lead Mark J. Cox, who states: "As a founding member of the OVAL Board, we've been working with the MITRE Corporation on OVAL for many years. Just as the MITRE CVE project has become common for dealing with vulnerability patches, we expect the same rapid adoption for the OVAL project. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards."

Red Hat is a founding member of the OVAL Board and its Red Hat Errata security advisories are listed on the Other Repositories and OVAL-Compatible Products and Services pages.

OVAL Mentioned in Article about Information Security Standards Efforts in IEEE Distributed Systems Online

OVAL was mentioned in an article about security standards efforts entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The main focus of the article is the success of the Common Vulnerabilities and Exposures (CVE) standard and of the U.S. National Vulnerability Database (NVD), which is built upon CVE identifiers and includes OVAL-IDs as references.

OVAL is mentioned in a section entitled "New efforts round out the landscape" as a follow-on standards effort that "standardizes vulnerability queries in a three step XML-based process that eliminates the time-consuming and mistake-laden need for network administrators to interpret a panoply of text-based information from various vendors, public agencies, and consultants." The article concludes with a quote by OVAL Compatibility Program Lead Robert A. Martin who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."

OVAL, CVE, and NVD are sponsored by the U.S Department of Homeland Security.

Version 5 of OVAL Now Available

Version 5.0 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.

Version 5.0 is a major version change and includes the following: addition of a schema for Apache; addition of a common core schema that is used by the Definition, System Characteristic, and Results schema as it defines common types; use of Schematron to perform validation beyond schema validation; addition of a runlevel test for UNIX; addition of xsd:any tag in metadata to allow organization-specific information not found in OVAL; removal of the software and configuration sections of the criteria; allow nested logic inside a definition criteria; new object/state format broken out from the tests; completely new results format allowing results from multiple systems; addition of directives in results schema to control content; split the path element into path and filename elements in tests; changed the windows file version from a complex type with <major>, <minor>, <build>, <private> child elements to a delimited version string; addition of a level attribute to the message element in the System Characteristic schema; new family test part of the independent schema; addition of a var_check attribute to the base entity; and creation of a filemd5 test, among other changes. See the Version 5.0 page for a complete list.

The following have been updated to Version 5.0:

The following are also available for using Version 5.0:

The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.0.

Red Hat, Inc. Now Registered as Officially "OVAL-Compatible"

Red Hat, Inc. declared that its security update advisories, Red Hat Errata, are OVAL-compatible. In addition, Red Hat posted an OVAL Compatibility Questionnaire for Red Hat Errata for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. Red Hat Errata is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

Secure Elements, Inc. Makes Declaration of OVAL Compatibility

Secure Elements, Inc. declared that its C5 Enterprise Vulnerability Management (EVM) solution is OVAL-compatible. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Web Site Updated for Version 5

The OVAL Web site has been updated to coincide with Version 5.0 of OVAL. The most significant change is dedicated sections for the OVAL Language and OVAL Repository. The OVAL Compatibility section has also been updated to coincide with Version 5.0.

The main changes to the site are outlined below:

OVAL Language section - includes a new Language Releases page with access to current, future, and archived versions of the OVAL Language. Also included are new supporting information such as Language Use Cases, Structure of the Language, Versioning, Validating an OVAL Document, and a Definition Tutorial.

OVAL Repository section - includes a new main page with access to Downloads, Basic Search, and an Advanced Search. New supporting information includes a new About the OVAL Repository page, an updated Latest Repository Updates page, and updated guidelines for community members to Submit an OVAL Definition.

OVAL Compatibility section - in addition to updating the Compatibility Program and Compatibility Requirements to adhere to Version 5.0, other changes include the addition of an OVAL Supporters page and discontinuation of OVAL-ID compatibility.

Community Participation section -includes a new Major Contributors page to recognize those organizations that have made significant contributions to the development of OVAL.

Many of these changes are a direct result of feedback from users and vendors. We welcome any comments about OVAL, or these revisions, at oval@mitre.org.

Release Candidate 3 of the Version 5 OVAL Schemas Now Available

Release Candidate 3 of the Version 5.0 OVAL Schemas are now available on the Upcoming OVAL Schema Changes - Version 5.0 page. This update includes changes to the schema documentation to clarify how pieces of the language should be interpreted and updates to how content is validated. The Beta 2 version of the reference OVAL Interpreter was also updated to the new release candidate. A complete list of updates is available in the Status Reports on the Version 5 Schema section.

The Version 5 Schemas are currently scheduled to move to the Official stage on June 16, 2006. Vendors should begin their migration now to the new version. Visit the Upcoming OVAL Schema Changes - Version 5.0 page to for the latest information on the Schemas, OVAL Interpreter, Interpreter Source Code, and Data Files for Version 5.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Friday, May 5, 2006 with representatives from eight member organizations and others participating. Topics included the upcoming transition to OVAL Version 5 in June, how the transition affects the OVAL Repository and compatibility, and the OVAL Developer Days Conference currently planned for this summer. You may also read the complete meeting minutes.

OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins

New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on May 9, 2006.

All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.

Version 5.0 OVAL Interpreter Beta 2 Now Available

A second beta version of the reference OVAL Interpreter for the Version 5.0 Release Candidates is now available. This second beta adds support for Red Hat Linux, includes the addition of objects for Windows and UNIX, and restructures the source tree to better mirror the OVAL Schema. Data Files that include a partial sample of the definitions and schemas for Version 5.0 are also available for use with the Interpreter release candidate.

Visit the Upcoming OVAL Schema Changes - Version 5.0 page to download the Interpreter and Data Files and for the latest information on Version 5, which is scheduled to move to the Official stage on June 16, 2006.

OVAL Presents Briefing at GFIRST National Conference 2006

OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly presented a briefing on May 3, 2006 entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" in Orlando, Florida, USA.

The presentation examined MITRE's three DHS-sponsored security information exchange initiatives — Open Vulnerability and Assessment Language (OVAL), Common Malware Enumeration (CME), and Common Vulnerabilities and Exposures (CVE) — including the purpose of each effort, its goals, participants, future plans, and how each effort benefits the incident response community.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at DOD System and Software Technology Conference

OVAL Compatibility Lead Robert A. Martin presented a briefing on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" in Salt Lake City, Utah, USA.

The purpose of the conference was to help "government, industry, and academia [to] collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex "systems of systems" in support of DOD.

Visit the OVAL Calendar page for information on this and other upcoming events.

Version 5.0 Release Candidate Data Files Updated

The sample Data Files for the Version 5.0 OVAL Schema Release Candidates have been updated. These samples may be used with the beta version of the Version 5.0 reference OVAL Interpreter. They should also be reviewed and tested by vendors as part of their migration to the new version of OVAL scheduled for release on June 16, 2006.

The V5 Data File updates include the addition of three new sample files:

Visit the Upcoming OVAL Schema Changes - Version 5.0 page to download the Data File samples, Interpreter, and for the latest information on Version 5.

ThreatGuard, Inc. Contributes Its 500th OVAL Definition

To-date OVAL community member ThreatGuard, Inc. has contributed 536 OVAL Vulnerability Definitions to the initiative for various platforms, all of which are posted in the OVAL Definitions Repository. ThreatGuard continues to support OVAL by contributing definitions on a regular basis.

ThreatGuard also previously contributed the HP-UX Component Schema to Version 4.2 of OVAL released on December 2, 2005 (see "Two Organizations Contribute Component Schemas for Version 4.2"), as well as the first-ever OVAL definitions for HP-UX on December 22, 2005. OVAL community participation is important for the development of new definitions and new component schemas, and such contributions help the OVAL effort to further build the repository of OVAL definitions and to add support for more platforms.

Organizations and individuals are encouraged to participate in the OVAL Initiative. You may email us at oval@mitre.org for more information, or subscribe to our OVAL Community Forum for discussing and submitting definitions and our OVAL Developer's Email List for contributing to the development of the schemas. We welcome your participation.

OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins

New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on April 11, 2006.

All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.

"OVAL Compatibility" Section Updated

The OVAL Compatibility section of the OVAL Web site has been reorganized and updated to place more emphasis on the products and services that are Officially OVAL-Compatible and to provide more information about how the community benefits from the compatibility program. In addition, we have modified the OVAL Compatibility Process by separating products or services that are compatible with OVAL technical data from those that only include OVAL-IDs. The changes are outlined below:

OVAL Compatibility Main Page - provides dashboard access to the section and an overview of current statistics including number of officially compatible products and services, products declaring that they will be compatible, organizations participating, and declarations to include OVAL-IDs.

Compatibility Process - updated to focus solely on compatibility with the OVAL schemas and OVAL definitions. Products that only include OVAL-IDs are no longer eligible for the compatibility program but can be listed on the new "Declarations to Include OVAL-IDs" page (see below).

Compatibility Requirements - updated to focus solely on compatibility with the OVAL schemas and/or OVAL definitions. A new subsection, "Section 9. Declarations to Include OVAL-IDs" provides instructions about how a capability can be listed on the new "Declarations to Include OVAL-IDs" page (see below).

Compatibility Benefits - a new page the explains how adopting OVAL-compatible products and services benefits those organizations working to secure their enterprises, and how providing compatible products benefits the vendors that help them do it.

Compatible Products and Services - a complete list of all products and services to date that have been certified "Officially OVAL-Compatible."

Declarations to Be OVAL-Compatible - a list of products and services from organizations in the process of working towards OVAL compatibility.

Declarations to Include OVAL-IDs - a new page focusing on products and services that are not compatible with OVAL technical data but do include OVAL-IDs. If a tool, Web site, database, archive, or security advisory includes OVAL-IDs as part of the information it conveys about a security issue, and provides for searching by OVAL-ID with potential linkage back to the source definition of the OVAL-ID, it can be listed with "Verified," "Available," or "Planned" status on this new page. (See Section 9. Declarations to Include OVAL-IDs of the OVAL Compatibility Requirements document for a detailed list of the requirements for being verified for including OVAL-IDs, and how to make a declaration.)

Make a Declaration - instructions on how vendors can begin the process for declaring their product or service OVAL-compatible.

Other pages in the section, including What it Means to Be OVAL-Compatible and the Introduction to OVAL Compatibility, have also been updated. Many of the changes are a direct result of feedback from vendors and users. We welcome any comments about OVAL, OVAL compatibility, or these revisions at oval@mitre.org.

Photos from OVAL Booth at InfoSec World 2006

MITRE hosted an OVAL/CVE/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th in Orlando, Florida, USA. Photos from the event are included below:

Visit the OVAL Calendar page for information on this and other upcoming events.

Release Candidate 2 of the Version 5 OVAL Schemas Now Available

Release Candidate 2 of the Version 5.0 OVAL Schemas are now available on the Upcoming OVAL Schema Changes - Version 5.0 page. This update includes the addition of a combined Linux Schema. A complete list of updates is available in the Status Reports on the Version 5 Schema section.

The Version 5 Schemas are currently scheduled to move to the Official stage on June 16, 2006. Vendors should begin their migration now to the new version. Visit the Upcoming OVAL Schema Changes - Version 5.0 page to for the latest information on the Schemas, OVAL Interpreter, Interpreter Source Code, and Data Files for Version 5.

New OVAL Board Member

Gary Miliefsky of NetClarity has joined the OVAL Board.

OVAL to Present Briefing at GFIRST National Conference 2006 on May 3rd

OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly are scheduled to present a briefing on May 3, 2006 entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" at the Doubletree Hotel in Orlando, Florida, USA.

The presentation will examine MITRE's three DHS-sponsored security information exchange initiatives: Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME). The presentation will start with the most established project, CVE, move to OVAL, the increasingly popular language for specifying system state information, and finish with the newest initiative for malware, CME. The purpose of each effort, its goals, participants, and future plans will be reviewed. How each effort benefits the incident response community will also be reviewed.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL to Present Briefing at DOD System and Software Technology Conference on May 4th

OVAL Compatibility Lead Robert A. Martin is scheduled to present a briefing on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" at the Salt Palace Convention Center in Salt Lake City, Utah, USA.

The purpose of the conference is to help "government, industry, and academia [to] collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex "systems of systems" in support of DOD.

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL Hosts Booth at MISTI's InfoSec World 2006

MITRE hosted an OVAL/CVE/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference exposed OVAL, CVE, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins

New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on March 17, 2006.

All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.

FrSIRT Includes OVAL-IDs in Security Advisories

French Security Incident Response Team (FrSIRT) issued a security advisory on February 2, 2006 that referenced OVAL670, OVAL677, OVAL1339, OVAL1493, OVAL1494, OVAL1514, OVAL1562, and OVAL1625. Numerous other FrSIRT security advisories also include OVAL-IDs.

Release Candidates of the Version 5.0 OVAL Schemas Now Available

Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 5.0 page. Vendors should begin their migration now to the new version in preparation for its move to the Official stage on June 16, 2006.

Version 5 is a major version change. For a complete list of changes, visit the Upcoming OVAL Schema Changes - Version 5.0 page.

OVAL Interpreter Updated for Version 5.0 Release Candidates

A beta version of the reference OVAL Interpreter is now available for the Version 5.0 OVAL Schema Release Candidates. Data Files that include a partial sample of the definitions and schemas for Version 5.0 are also available for use with the Interpreter release candidate.

Vi