Industry News Coverage - 2009 Archive

Below is a comprehensive monthly review of the news and other media’s coverage of OVAL. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

May 2009

Computerworld, May 11, 2009

OVAL was mentioned in an article entitled "How SCAP Brought Sanity to Vulnerability Management" in Computerworld on May 11, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

OVAL is mentioned when the author explains that "SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let’s see how this helps me in building a real solution. As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners. In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments. I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal! I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms."

The article was written by Ed Bellis.

Government Computer News, May 7, 2009

OVAL was mentioned in an article entitled "Draft guidelines issued for using SCAP to automate security validation" in Government Computer News on May 7, 2009. The article covers two documents from the U.S. National Institute of Standards and Technology (NIST): Special Publication 800-117: Guide to Adopting and Using the Security Content Automation Protocol, which specifies how enterprises can use the Security Content Automation Protocol (SCAP), and Draft NIST Interagency Report 7511: Security Content Automation Protocol Validation Program Test Requirements, Revision 1, a revised version of the testing requirements that security products using SCAP must meet to achieve SCAP validation.

OVAL is mentioned in the article as one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results: "Open Vulnerability and Assessment Language, an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches." The other five standards are Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Common Vulnerability Scoring System (CVSS).

Comments on draft guidelines 800-117 are due to NIST by June 12, 2009 and should be sent to and include "Comments SP 800-117" in the subject line.

December 2008

MITRE Web Site, December 4, 2008

OVAL was mentioned in a December 1, 2008 MITRE news release entitled "MITRE Releases New Security Software" about its new, open source "Recommendation Tracker" software that "facilitates development of automated security benchmarks." "System administrators use benchmarks — essentially a set of recommendations — to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration."

OVAL is mentioned when the release notes that Recommendation Tracker is "the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks" and that four MITRE-run information security data standards — OVAL, CCE, CPE, and CVE — are among the six existing standards used in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation.


Page Last Updated: February 01, 2011