OVAL Official Adopters
OFFICIAL OVAL Adopters
Organizations Participating: 22
Products and Services: 30
The products and services listed below have achieved the final stage of MITRE’s formal OVAL Adoption Program Process and are now "Official OVAL Adopters." Each organization’s product is now eligible to use the OVAL Adopter Product/Service logo, and their completed and reviewed "Requirements and Recommendations for OVAL Adoption and Use" questionnaires based upon the "OVAL Technical Use Cases Guide" are posted here and on the OVAL Adoption Program Participants page as part of their product listings.
Products are listed alphabetically by organization.
| Altex-Soft | Date Declared: January 30, 2012 |
|---|
|
Web Sites: |
(Russian)
www.altx-soft.ru
(English)
www.altex-soft.com
|
|
Product Name: Altex-Soft Ovaldb |
||
|
Type: Web-Based OVAL Repository Database |
|
|
|
||
|
Product Name: RedCheck |
||
|
Type: Vulnerability, Patch, and Compliance Assessment |
|
|
|
||
Last Updated: Nov 3, 2014
| Beyond Trust | Date Declared: September 8, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Beyond Trust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise. eEye enables secure computing through world-renowned research and innovative technology, supplying the world's largest businesses with an integrated and research-driven vulnerability assessment, intrusion prevention, and client security solution. eEye is pleased to support the CVE Initiative and will continue to promote the standardization of the CVE naming convention and vulnerability identification.
|
Product Name: Retina Network Security Scanner |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated: Feb 25, 2014
| Center for Internet Security | Date Declared: Feb 26 2014 |
|---|
|
Web Site: |
Quote/Declaration: CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL server, as well as Red Hat Enterprise Linux platforms. CIS-CAT's support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.
|
Product Name: Center for Internet Security Configuration Assessment Tool (CIS-CAT) |
||
|
Type: Host-Based Configuration Assessment Tool |
|
|
|
||
Last Updated: Feb 27, 2014
| GCP Global | Date Declared: September 24, 2012 |
|---|
|
Web Site: |
Quote/Declaration: ORCA GRC is a web-based solution intended to aid organizations of all sizes in managing their security, risk, compliance, and governance efforts in a single software platform. ORCA uses OVAL Definitions to identify non-conformities in security and compliance in an automated manner simplifying the auditing workflow.
|
Product Name: ORCA |
||
|
Type: Governance, Risk, and Compliance (GRC) Solution |
|
|
|
||
Last Updated: Jun 20, 2013
| Greenbone Networks GmbH | Date Declared: March 30, 2010 |
|---|
|
Web Site: |
|
Product Name: Greenbone Security Manager |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated:
| Information-technology Promotion Agency, Japan (IPA) | Date Declared: February 2, 2011 |
|---|
|
Web Site: |
Quote/Declaration: IPA offers three products for JVN Security Content Automation Framework. Version Checker is an OVAL-based free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor's download website with just a few clicks. Security Configuration Checker is an XCCDF and OVAL-based free, easy-to-use scanner that assesses Windows security configuration, including the USB autorun feature, password, and lockout policies of CCE. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.
|
Product Name: MyJVN API |
||
|
Type: Vulnerability Assessment and Configuration Management |
|
|
|
||
|
Product Name: MyJVN Security Configuration Checker |
||
|
Type: Configuration Management |
|
|
|
||
|
Product Name: MyJVN Version Checker |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated: Mar 3, 2014
| Institute for Information Industry - CyberTrust Technology Institute | Date Declared: December 12, 2012 |
|---|
|
Web Site: |
Quote/Declaration: CSK controller performs automatic compliance auditing to each CSK agent on enterprise endpoints. It can check security mis-configurations, scan systems and application vulnerabilities, evaluate enterprise threats through the baselines which is in the context of XCCDF based on enterprise demands or official compliance. CSK agent gathers all the security information including system configurations, application weakness, service status on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).
|
Product Name: Crystal Security Keeper (CSK) |
||
|
Type: Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation |
|
|
|
||
Last Updated: February 20, 2013
| Inverse Path S.r.l. | Date Declared: Mar 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Our compliance tool aims at allowing an easy and effective management of security policies. We've always looked at standardization efforts as a very effective approach for improving the state of security and/or known vulnerability checking, OVAL does just that and we are committed in supporting it for seamless integration and empowering users without reinventing the wheel.
|
Product Name: TPOL - OVAL Security Compliance |
||
|
Type: Vulnerability, Patch, and Compliance Assessment |
|
|
|
||
Last Updated: Mar 12, 2014
| jOVAL.org | Date Declared: June 30, 2011 |
|---|
|
Web Site: |
|
Product Name: jOVAL Definition Interpreter (jovaldi) |
||
|
Type: Open Source, Java-based OVAL Definition Interpreter |
|
|
|
||
Last Updated:
| McAfee, Inc. | Date Declared: March 8, 2011 |
|---|
|
Web Site: |
Quote/Declaration: McAfee has long understood the value of standards, actively participating on directional bodies such as the OVAL Board. McAfee was a very early adopter of OVAL and other security automation standards. McAfee has had OVAL Certified products in the past and continues to assure OVAL is used appropriately in a range of McAfee products. Today McAfee uses OVAL in three different security technologies, Policy Auditing, Vulnerability Management, and Network Access. We are using the same content in all three areas. Policy Auditor was the first enterprise class product to natively support SCAP. McAfee NAC was to first Network Access product to support SCAP. OVAL is a critical aspect of that support. Our OVAL support today includes Microsoft, AIX, HP-UX, Solaris, Mac OS X, and various Linux distributions across our product uses. In addition, McAfee is innovating SCAP by supplying and supporting localized SCAP/OVAL content in many different languages. It also provides a means to make XCCDF/OVAL results much more usable than just telling you if you are compliant or not against a specific benchmark. McAfee continues to develop innovative OVAL content for our customers' uses. McAfee has and will continue to invest in OVAL.
|
Product Name: McAfee Network Access Control |
||
|
Type: Network Connection Health Check, Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
|
Product Name: McAfee Policy Auditor |
||
|
Type: Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
|
Product Name: McAfee Vulnerability Manager |
||
|
Type: Vulnerability Assessment, Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
Last Updated: Aug 7, 2013
| National Institute of Advanced Industrial Science and Technology (AIST) | Date Declared: January 14, 2011 |
|---|
|
Web Site: |
Quote/Declaration: SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.
|
Product Name: SIX OVAL |
||
|
Type: Enterprise Compliance/Vulnerability Management |
|
|
|
||
Last Updated:
| NopSec, Inc. | Date Declared: December 23, 2010 |
|---|
|
Web Site: |
Quote/Declaration: NopSec Vulnerability Risk Management (VRM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and charting, elimination of virtually all false positives, remediation tracking, and ticketing system according to business risk. NopSec VRM vulnerability scanning engine has planned support for OVAL Definitions evaluations. It is in beta phase for what concerns the OVAL Results Consumer and OVAL Systems Characteristics Producer Capabilities. NopSec has chosen to adopt the OVAL Standard in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.
|
Product Name: NopSec Vulnerability Risk Management (VRM) |
||
|
Type: Vulnerability Risk Management |
|
|
|
||
Last Updated: Jun 27, 2013
| OpenVAS | Date Declared: July 6, 2012 |
|---|
|
Web Site: |
Quote/Declaration: OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. his includes exporting system characteristics for the whole network, and applying the applications reporting framework according to OVAL Definitions.
|
Product Name: OpenVAS |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated:
| Positive Technologies CJSC | Date Declared: May 11, 2012 |
|---|
|
Web Site: |
Quote/Declaration: Positive Technologies is a leading provider of vulnerability and compliance management, application security, SCADA security and penetration testing. As one of the development directions, we decided to use the SCAP technology in our products. We are implementing OVAL standards, supporting FDCC/USGCB, and maximizing integration with other open security standards in our products. We also provide an open OVAL repository containing vulnerability descriptions collected from various sources.
|
Product Name: Positive Technologies OVAL Repository |
||
|
Type: OVAL Definition Repository |
|
|
|
||
Last Updated: Apr 22, 2014
| Red Hat, Inc. | Date Declared: February 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.
|
Product Name: Red Hat Security Advisories |
||
|
Type: Product Vulnerability Security Advisories |
|
|
|
||
Last Updated: October 24, 2012
| SAINT Corporation | Date Declared: March 5, 2010 |
|---|
|
Web Site: |
Quote/Declaration: SAINT Corporation's vulnerability scanning product is a Web-based application available as a software download, appliance, or Software as a Service (SaaS or "Cloud" technology). SAINT Vulnerability Scanner uncovers areas of weakness and recommends fixes via its extensive tutorials. SAINT is certified under NIST's SCAP specification as an Unauthenticated Vulnerability Scanner and Authenticated Vulnerability and Patch Scanner. SAINT supports OVAL by allowing users to import OVAL checks from the OVAL Repository, as well as importing user-developed XML files containing OVAL checks. SAINT provides view/download of OVAL result files via the GUI. SAINT also reports system characteristics of identified hosts for use in analysis, auditing, remediation and/or patch management.
|
Product Name: SAINT Vulnerability Scanner |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated:
| SecPod Technologies | Date Declared: December 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering majority of the CVE's for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and also consumed by end users. SecPod Saner is a light-weight, easy-to-use enterprise grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively consuming the SCAP feed from the SecPod SCAP Repo content repository.
|
Product Name: SecPod SCAP Feed |
||
|
Type: OVAL Repository |
|
|
|
||
|
Product Name: SecPod Saner |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated: Feb 27, 2014
| Security-Database | Date Declared: April 7, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Security-Database is pleased to support this initiative by supplying OVAL information along with vulnerability information and to provide access to a full mirroring repository of OVAL XML and online OVAL Definitions.
|
Product Name: Security-Database OVAL Repository |
||
|
Type: Web-Based OVAL Repository Database |
|
|
|
||
Last Updated: Mar 3, 2014
| SPAWAR Systems Center Atlantic | Date Declared: Februry 25, 2010 |
|---|
|
Web Site: |
Quote/Declaration: The SCAP Compliance Checker has adopted OVAL as part of the FDCC Scanner capabilities of SCAP Validation Program. SCAP Compliance Checker is able to process all four of OVAL's schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing. By using the industry standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.
|
Product Name: SCAP Compliance Checker |
||
|
Type: OVAL Definition Evaluator |
|
|
|
||
Last Updated: Feb 27, 2014
| ThreatGuard, Inc. | Date Declared: February 24, 2010 |
|---|
|
Web Site: |
Quote/Declaration: ThreatGuard offers three products that fully integrate support for OVAL: S-CAT, Secutor Prime, and Secutor Magnus. From 2004 to present day, ThreatGuard has fulfilled OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. All three products automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. S-CAT has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments. Secutor Prime includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content and includes an option to display the OVAL-ID of vulnerability definitions in the tree as the title for each vulnerability definition. Secutor Magnus can automatically load OVAL-based vulnerability content to perform vulnerability assessments against a variety of operating systems.
|
Product Name: Secutor Compliance Automation Toolkit (S-CAT) |
||
|
Type: Universal, Integratable SCAP Assessment Module |
|
|
|
||
|
Product Name: Secutor Magnus |
||
|
Type: Enterprise SCAP Compliance/Vulnerability Management System |
|
|
|
||
|
Product Name: Secutor Prime |
||
|
Type: Desktop Compliance/Vulnerability Assessment Tool |
|
|
|
||
Last Updated:
| ToolsWatch | Date Declared: Jul 22 2015 |
|---|
|
Web Site: |
Quote/Declaration: SSA (Security System Analyzer) is free non-intrusive OVAL/XCCDF host-based security analyzer and compliance tool. It introduces a new simplified way to rely on open standards such OVAL and XCCDF to report compliance issues. SSA has adopted the OVAL standard as part of its vulnerability validation process. As a result, SSA consumes the Definitions and solely relies on the OVAL and XCCDF interpreters.
|
Product Name: SSA - Security System Analyzer |
||
|
Type: Security Scanner and Compliance Assessment Software |
|
|
|
||
Last Updated: Jul 22, 2015
| Tripwire, Inc. | Date Declared: October 19, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and mis-configuration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.
|
Product Name: Tripwire Enterprise |
||
|
Type: Security Configuration Management |
|
|
|
||
Last Updated: Jun 18, 2014
