Open Vulnerability and Assessment Language (OVAL)

Documents

General

Transformational Vulnerability Management Through Standards

This technical report on the MITRE Web site discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that are required to conform to the OVAL and CVE standards efforts. May 2005 - Robert A. Martin, OVAL Compatibility Lead.

HTML | PDF (165K)

Security Patches Got You Running in Circles?

Reprint of article from Security Wire Perspectives newsletter, Vol. 6, No. 39. Posted here with permission from Information Security Magazine and TechTarget. May 17, 2004 - Robert A. Martin, OVAL Compatibility Lead.

HTML


Example Procurement Documents for Requiring OVAL:

OVAL-Relevant Software Supplier Requirements (SWSupplier)

This document is an extract of the statement of objectives used by the Department of Defense to explain the security-relevant requirements it wanted met by software suppliers. It addresses several areas of security issues, as well as the use of OVAL definitions in security notifications to indicate how to identify a vulnerability and its remediation (workarounds and patches).

Word (76K)

OVAL-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements it wanted met by an enterprise-wide vulnerability assessment and reporting tool. It addresses several areas of security issues, as well as the use of OVAL definitions for checking for vulnerabilities and reporting results.

Word (60K)

OVAL-Relevant Remediation Tool Requirements (IAremedtool)

This document is an extract of the statement of work used by the Department of Defense to explain the security-relevant requirements it wanted met by an enterprise-wide remediation tool. It addresses several areas of security issues, as well as the use of OVAL for importing assessment results that list items to be remediated and for reporting remediation status.

Word (76K)

OVAL Language

Writing an OVAL Definition (draft)

A detailed guide about how to write an OVAL Definition from scratch. June 11, 2007

PDF (162K)

Introduction to the OVAL Language, Version 5.0

A complete introduction to the OVAL Language including discussions of how the OVAL Language works, use cases, structure of the language, the review process, versioning, and the importance of community participation in the ongoing development of OVAL. June 16, 2006

PDF (326K)

OVAL Language Requirements, Version 5.0

Provides a set of requirements for establishing OVAL as the standard for expressing the configuration states of computer systems. June 16, 2006

PDF (148K)

OVAL Design Document, Version 5.0

A detailed discussion of the design of the OVAL Language. Also explains how the language can be used, and how it can be incorporated into a security application. June 16, 2006

PDF (279K)

Validating an OVAL Document, Version 5.0

Explains how to validate an XML document written in the OVAL Language, including W3C Schema (also known as XSD) Validation and Schematron Validation. June 16, 2006

HTML | PDF (287K)

Structure of an OVAL Definition, Version 5.0

A brief tutorial to help users understand the structure of an OVAL Definition. June 16, 2006

HTML | PDF (162K)

OVAL Repository

About the Repository

Describes the purpose of the repository, defines OVAL definitions, and describes how the community is involved. June 16, 2006

Stages of an OVAL Definition

This document describes the stages in the process of creating release versions of OVAL definitions, covering "Draft," "Interim," and "Approved" status. October 27, 2005

Guidelines for Submitting OVAL Definitions

Describes how OVAL Community Forum members can write and submit new definitions. Also details how to modify existing definitions.

Statement of CVE Compatibility

The Open Vulnerability and Assessment Language (OVAL) Web site is "CVE-compatible." This document includes detailed descriptions of the CVE (Common Vulnerabilities and Exposures) Initiative, CVE compatibility, and how the OVAL Web site is CVE-compatible. April 13, 2006

OVAL Compatibility

Introduction to OVAL Compatibility, Version 5.0

A complete introduction to OVAL Compatibility including what compatibility is, a discussion of OVAL "Producers" and "Consumers," benefits of compatibility, examples, and a complete description of the formal OVAL Compatibility Program. June 16, 2006

PDF (135K)

Requirements and Recommendations for OVAL Compatibility

Provides the detailed requirements against which an information product or service may become OVAL-compatible. June 16, 2006

HTML | PDF (148K)

OVAL Compatibility Correctness Testing

This document gives an overview of how correctness testing will be performed and what participating organizations should expect. October 12, 2006

PDF (100K)

OVAL Interpreter

Reference OVAL Interpreter License

The Reference OVAL Interpreter and its source code are subject to the terms of the Berkeley Software Distribution License (BSD).

Page Last Updated: May 12, 2008