News and Events
May 15, 2008
Secure Elements Issues News Release Announcing Receipt of Q1-2008 OVAL Repository Top Contributor Award
OVAL was the main topic of an April 30, 2008 news release by Secure Elements, Inc. entitled "Secure Elements Receives OVAL Repository Top Contributor Award for Advancing Open Information Security Content Standard."
The release explains OVAL and the OVAL Repository and includes a quote by OVAL Program Lead Jon Baker, who states: "The OVAL Repository Top Contributor Award is reserved for organizations that assist in making the OVAL Repository a gold standard for open information security content. Secure Elements is recognized today for their invaluable content submissions of new definitions and enhancements to existing Repository content."
The release also includes a quote by Secure Elements’ Chief Security Architect Scott Carpenter, who states: "Secure Elements is proud to support the OVAL community by offering our expertise to accelerate availability of vulnerability checks during the monthly Patch Tuesday exercise. This recognition reflects our commitment to author and contribute to industry leading, publicly available security content initiatives such as the OVAL Repository and for the NIST Information Security Automation Program (ISAP), where we have contributed content for auditing the Federal Desktop Core Configuration (FDCC) for Microsoft Windows XP and Windows Vista. As the first and only vendor that has become NIST SCAP Validated for providing a Vulnerability Database, Secure Elements is recognized as the authoritative "go to" source for content, products, and services during this time of critical federal cyber-initiatives."
Secure Elements, Inc. is a member of the OVAL Board and its C5 Compliance Platform Version 3.0 is listed on the OVAL Web site as "Officially OVAL-Compatible."
OVAL Developer Days 2008 Slides Now Available
Briefing slides from this year’s OVAL Developer Days conference held on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA are now available on the OVAL Developer Days page.
MITRE Scheduled to Present "Making Security Measurable" Briefing and a Full-Day Tutorial at AusCERT 2008 on May 18-23
CVE Compatibility Lead/CWE Project Manager Robert A. Martin and CVE Technical Lead/CWE CVE Technical Lead Steven M. Christey are scheduled to present a Making Security Measurable briefing and host a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.
The conference exposed the OVAL, CRF, CVE, CCE, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.
MITRE Scheduled to Present "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4
CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.
Visit the OVAL Calendar for information on this and other events.
MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19
MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Westin Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.
Visit the OVAL Calendar for information on this and other events.
MITRE Presents "Making Security Measurable" Briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.
Visit the OVAL Calendar for information on this and other events.
May 1, 2008
MITRE Hosts OVAL Developer Days 2008 on April 28-29
The OVAL Team hosted this year’s OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. The event included 36 participants from 12 organizations and focused on the development of Version 6 of the OVAL Language.
Specific talks included What Goes Into a Major Version, Merging the <affected> Element into the Criteria Section for Version 6, Definitions as the Focal Point, Reusing Content Across External Repositories, Supporting Network Devices, Repository and Reference Implementation Transition, Status of Stand-Alone Objects, Choice Structure, Agility in the OVAL Language, Future of OVAL Compatibility, Regular Expression Syntax, OVAL’s XML Footprint, and What Is Needed in a Remediation Language.
Meeting minutes and slides will be posted on the OVAL Developer Days page once they are available.
TMC y Cia Makes Declaration of OVAL Compatibility
TMC y Cia declared that its vulnerability analysis service, FAV - Falcon Análisis de Vulnerabilidades, is OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.
The conference exposed the OVAL, CRF, CVE, CCE, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.
MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24
CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.
Visit the OVAL Calendar for information on this and other events.
MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11
MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.
Visit the OVAL Calendar for information on this and other events.
April 10, 2008
Version 5.4 of OVAL Now Available
Version 5.4 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files on the SourceForge.net Web site at http://sourceforge.net/projects/ovaldi/ have also been updated.
Version 5.4 is a minor version change and includes the following:
- added sql test to the independent schema
- changed the datatype of the comment attribute to not accept empty strings
- added include_group and resolve_group behaviors to the windows accesstoken_object
- modified the schematron of the rpminfo_state to allow ‘version’ as a valid datatype for the <release> and <version> entities
- added new privileges to the windows accesstoken_test
- added an optional mask attribute
- fixed a schema error that had a_time, c_time, and m_time defined as strings, changed to ints
- added the audit event policy subcategories test to the windows schema
- added a schematron rule in certain places to validate that an int value was supplied when a datatype of int was declared
- added a share permission test to the windows schema
- added a printer effective rights test
- changed the trustee_name entity to trustee_sid for existing effective rights and audit permission tests, deprecated the original tests
- added a check_existence attribute to an OVAL Test
- added the ‘none satisfy’ value to the existing check attribute of an OVAL Test
- added a ONE operator to the criterion element
- added a user access control test
- modified the hp-ux patch test
- updated the documentation
As this is a minor version change, Version 5.4 will not invalidate existing content that currently validates against Version 5.3. See the OVAL Language Releases page for more information.
The following have been updated to Version 5.4:
The following are also available for using Version 5.4:
The previous versions of the OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.4.
OVAL Interpreter Updated for Version 5.4
The OVAL Interpreter has been updated to Version 5.4. Specific updates to the OVAL Interpreter included: addition of support for Version 5.4 of the OVAL Language and fixing some minor issues reported by the OVAL Community.
The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.
March 27, 2008
MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11
MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.
The conference will expose the OVAL, CRF, CVE, CCE, CME, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.
Draft Agenda for OVAL Developer Days 2008 Now Available
A draft agenda has been posted on the OVAL Developer Days page. MITRE is scheduled to host our OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. This two-day conference will be technical in nature and focus on the development of OVAL Version 6.
March 24, 2008
OVAL Interpreter — 5.3 Build 68 Released
The OVAL Interpreter has been updated to address several bugs found by Lumension Security, Inc. and others. A complete list of updates and fixes is available in the various downloads. This should be the final release to support version 5.3 of the OVAL Language. The next release will support version 5.4 of the OVAL Language when it becomes the official version.
March 7, 2008
OVAL Version 5.4 in Release Candidate Stage
Version 5.4 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on March 28, 2008. Version 5.4 will be a minor version update to add new community-requested tests, fix some errors found in the Windows component schemas, and update the documentation. As this is a minor version change, Version 5.4 will not invalidate existing content that currently validates against Version 5.3, the current official version of OVAL. A complete list of changes for Version 5.4 is available on the Upcoming Minor Version page.
OVAL Mentioned in Government Computer News Article about SCAP
OVAL was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements."
OVAL is mentioned as one of the "more mature standards" of the six SCAP includes: "Open Vulnerability and Assessment Language, also from Mitre, a standard Extensible Markup Language for security testing procedures and reporting."
Three of the other standards the author references as mature are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming.
SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List, and NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.
February 21, 2008
MITRE to Host OVAL Developer Days 2008 on April 28-29
MITRE is scheduled to host our OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. This two-day conference will be technical in nature and focus on the development of OVAL Version 6.
The OVAL Community has identified a number of areas in the current version of the OVAL Language that need improvement. By bringing together the lead proponents within the OVAL Community, we hope to foster a rich and technical environment that will help kick start development of the new major version.
All members of the OVAL Community are welcome to attend. Please let us know by April 14th about your intention to attend by sending email to oval@mitre.org.
See the OVAL Developer Days page for conference details.
Lieberman Software Corporation Makes Declaration of OVAL Compatibility
Lieberman Software Corporation declared that its system security reporting, management, and remediation product, User Manager Pro, will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11
MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.
The conference will expose the OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.
February 1, 2008
OVAL Interpreter Moved to SourceForge.net
The OVAL Interpreter and data files will now be hosted on the SourceForge.net Web site at http://sourceforge.net/projects/ovaldi/. The transition was made to provide better access to the OVAL Interpreter, its source code, and related documentation.
In particular, the move provides for the first time public access to bug tracking and feature request tracking for the Interpreter. There will also now be better support for community code contributions, increased accessibility to the Interpreter source and binaries, better maintenance of past versions of the Interpreter and its source code, and better Interpreter documentation.
The OVAL Interpreter Page on SourceForge includes the following:
- Bug and Feature Request Tracking - replaces our internal MITRE-run SourceForge project.
- File Distribution - replaces the downloads section of the OVAL Interpreter Download Page on the OVAL Web site.
- SVN Repository - replaces our internal MITRE-run SourceForge project’s SVN Repository. External users will now be allowed anonymous read-only access to the repository.
- Wiki - a primary source for information about the OVAL Interpreter.
- Help Forum - the target for all Interpreter-related email help requests.
The OVAL Interpreter page on the OVAL Web site will now point visitors to the new location. Please send any comments or concerns to oval@mitre.org.
OVAL Mentioned in eWeek Article about the Federal Desktop Core Configuration
OVAL was mentioned in a January 13, 2008 article entitled "PC Lockdown in the Government and Beyond" in eWeek Magazine. The main topic of the article is the U.S. Office of Management and Budget (OMB)-mandated Federal Desktop Core Configuration (FDCC) for Windows XP and Vista.
OVAL is mentioned when the author states: "The [U.S. National Institute of Standards and Technology (NIST)]-developed [Security Content Automation Program (SCAP)] is the technical glue holding the FDCC effort together. SCAP content is security checklist data that is communicated in XML formats and provides data about vulnerability, configuration, compliance and asset information in Extensible Configuration Checklist Description Format and Open Vulnerability and Assessment Language."
MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1
MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.
The conference exposed the OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and/or Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.
OVAL Board Teleconference Minutes Posted
Meeting minutes for the OVAL Board teleconference held on Monday, January 14, 2008 have been posted on the Discussion Archives page.
January 17, 2008
OVAL Repository Announces Top Contributors Awards for Q4-2007
Hewlett-Packard and Maitreya Security Ltd. Co. received the "OVAL Repository Top Contributors Awards" for Q4-2007. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
OVAL Interpreter Updated
The OVAL Interpreter has been updated to incorporate several bug fixes and community code contributions, including updating the Linux makefile to better support building in various Linux environments, adding support for the textfilecontent_test, and adding support for the dpkginfo_test.
The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.
OVAL Board Holds Teleconference
The OVAL Board held a teleconference on Monday, January 14, 2007 with 20 members participating. Topics of discussion included status updates on OVAL Version 5.4, the updated OVAL Interpreter, guidelines for external repositories, and planning for RSA Conference 2008 and OVAL Developer Days 2008.
January 3, 2008
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2008
MITRE has announced its initial Making Security Measurable calendar of events for the first half of 2008. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
Other events will be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and/or Making Security Measurable at your event.
Page Last Updated: May 15, 2008