Total Participants
Organizations: 47
Products & Services: 65
OVAL Adoption Program Participants
All organizations participating in the OVAL Adoption Program are listed below, including those with products and services that have adopted OVAL and those with declarations of intent to adopt OVAL.
Products are listed alphabetically by organization.
| ADTsys Software | Date Declared: Jan 30 2014 |
|---|
|
Web Site: |
Quote/Declaration: ADTsys is leveraging OVAL for company's compliance and vulnerability assessment for web environments. Using analysis engines based on OWASP and CVE transforming security requirements from documents updated. This content uses the OVAL Language as a mechanism to determine the results.
|
Product Name: ADTsys Cloud Security |
||
|
Type: Cloud Security |
||
|
||
Last Updated: Feb 27, 2014
| Agiliance | Date Declared: Feb 26 2014 |
|---|
|
Web Site: |
Quote/Declaration: In order to promote open standards and leveraging existing tools already deployed as authoritative sources of risk, threat, security, governance, and compliance audit details, Agiliance's big data risk management software platform, Agiliance RiskVision, consumes OVAL Definitions, OVAL Results, and OVAL System Characteristics via its user interface or via data connectors. As a consumer of OVAL attributes, Agiliance RiskVision supports OVAL 5.10.1 and prior versions. In addition, Agiliance RiskVision accommodates SCAP in its 'XCCDF and OVAL' import tool.
|
Product Name: Agiliance RiskVision |
||
|
Type: Big Data Risk Management Software |
||
|
||
Last Updated: Feb 26, 2014
| Altex-Soft | Date Declared: January 30, 2012 |
|---|
|
Web Sites: |
(Russian)
www.altx-soft.ru
(English)
www.altex-soft.com
|
|
Product Name: Altex-Soft Ovaldb |
||
|
Type: Web-Based OVAL Repository Database |
|
|
|
||
|
Product Name: RedCheck |
||
|
Type: Vulnerability, Patch, and Compliance Assessment |
|
|
|
||
Last Updated: May 30, 2014
| Arellia Corporation | Date Declared: May 5, 2011 |
|---|
|
Web Site: |
Quote/Declaration: Arellia Security Analysis Solution embraces the OVAL standard to help firms manage security proactively, providing the ability to import OVAL content into the Symantec Management Platform's Configuration Management Database via SCAP data streams, which allows for the continuous monitoring and remediation of security configuration management issues that arise due to system vulnerability and misconfiguration on endpoints within an organization. Arellia Security Analysis Solution performs assessments of OVAL Definitions, generally in the context of XCCDF Benchmark Profiles, on managed computers through an agent-based plug-in to the Symantec Management Agent. OVAL content is delivered to the computers where the assessments are performed then OVAL Results are sent back to the Symantec Management Platform server and correlated into the Configuration Management Database.
|
Product Name: Arellia Security Analysis Solution |
||
|
Type: Security Configuration Management |
||
|
||
Last Updated:
| ATM Software sp. z o.o. | Date Declared: February 5, 2013 |
|---|
|
Web Site: |
Quote/Declaration: ATM Information Security Workflow is a application suited for IT assets lifecycle management. It contains Web-based OVAL repository and OVAL compatible vulnerability and compliance scanner.
|
Product Name: ATM Information Security Workflow |
||
|
Type: Workflow for server/software lifecycle management with OVAL repository and vulnerability assessment. |
||
|
||
Last Updated: February 14, 2013
| Beyond Security Ltd. | Date Declared: Aug 7, 2013 |
|---|
|
Web Site: |
Quote/Declaration: The AVDS family of network Vulnerability Assessment and Web Application Security testing solutions are the most accurate and easiest to use in the industry. AVDS uses OVAL to import benchmarks from the OVAL repository and user-developed XML files and to export assessment results files. AVDS is available as a network appliance or hosted solution and will deliver layer 3-7 scanning to businesses and government units of any size. It will find, prioritize and manage the repair of security weaknesses in your network and web applications with the fastest setup and the least maintenance possible.
|
Product Name: AVDS |
||
|
Type: Vulnerability and Configuration Assessment and Management |
||
|
||
Last Updated: Sep 23, 2013
| Beyond Trust | Date Declared: September 8, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Beyond Trust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise. eEye enables secure computing through world-renowned research and innovative technology, supplying the world's largest businesses with an integrated and research-driven vulnerability assessment, intrusion prevention, and client security solution. eEye is pleased to support the CVE Initiative and will continue to promote the standardization of the CVE naming convention and vulnerability identification.
|
Product Name: Retina Network Security Scanner |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated: Feb 25, 2014
| Catbird Networks, Inc. | Date Declared: September 22, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Catbird delivers a multifunction solution for continuous and measurable security and compliance for virtualized and cloud infrastructures. As a market leader in dynamic and elastic security, Catbird embraces open source and interoperable standards like OVAL. Catbird plans to deliver comprehensive OVAL support in all areas of its award winning product.
|
Product Name: Catbird vSecurity |
||
|
Type: Vulnerability Scanner, IDS/IPS, and Firewall |
||
|
||
Last Updated:
| Center for Internet Security | Date Declared: Feb 26 2014 |
|---|
|
Web Site: |
Quote/Declaration: CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL server, as well as Red Hat Enterprise Linux platforms. CIS-CAT's support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.
|
Product Name: Center for Internet Security Configuration Assessment Tool (CIS-CAT) |
||
|
Type: Host-Based Configuration Assessment Tool |
|
|
|
||
Last Updated: Feb 27, 2014
| Cisco Systems, Inc. | Date Declared: February 10, 2012 |
|---|
|
Web Site: |
Quote/Declaration: Traditionally, Cisco discloses information required for an end-user to assess the impact of a vulnerability and any potential steps needed to protect their environment. This information includes all the required technical information for customers to ascertain appropriate remedial action. OVAL provides a framework that allows vendors and their customer to determine if a software vulnerability or patch exists on a given system. Cisco is in the process of adopting OVAL for vulnerability disclosure. Cisco IOS security vulnerability OVAL content is currently supported. Additional products are being considered in the future.
|
Product Name: Cisco Product Security Incident Response Team (PSIRT) Security Advisories and Vulnerability Disclosures |
||
|
Type: Cisco Repository of OVAL Content |
||
|
||
Last Updated: Feb 28, 2014
| Critical Watch | Date Declared: November 23, 2010 |
|---|
|
Web Site: |
Quote/Declaration: FusionVM from Critical Watch is an award-winning, patented security risk management solution that automates Vulnerability Management and Configuration Auditing so that compliance is sustained and critical systems are secured. Critical Watch has chosen to adopt OVAL Standards in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.
|
Product Name: FusionVM Enterprise Vulnerability Management System |
||
|
Type: Enterprise Vulnerability Management System |
||
|
||
Last Updated:
| Defense Information Systems Agency Field Security Operations (DISA FSO) | Date Declared: July 18, 2012 |
|---|
|
Web Site: |
Quote/Declaration: DISA is adopting OVAL for leveraging enterprise compliance and vulnerability assessment for the U.S. Department of Defense (DoD). Utilizing COTS-based scan engines, DISA is transforming security requirements from prose base documents to machine readable content. This content utilizes the OVAL Language as a mechanism to determine results for secure net worthiness in the DoD while supporting the war fighter.
|
Product Name: DoD SCAP Content Repository |
||
|
Type: SCAP Content Repository |
||
|
||
Last Updated:
| eIQnetworks, Inc. | Date Declared: July 2, 2012 |
|---|
|
Web Site: |
Quote/Declaration: eIQnetworks is fully committed to the OVAL standard in SecureVue, a unified situational awareness platform that provides next-generation SIEM, security configuration auditing, compliance automation and full-context forensic analysis all within a single console. SecureVue implements OVAL by providing the ability to import Security Content Automation Protocol (SCAP)-based content, including OVAL content, and comparing targeted systems in real-time.
|
Product Name: SecureVue |
||
|
Type: Unified Situational Awareness Platform |
||
|
||
Last Updated:
| G2, Inc. | Date Declared: March 30, 2010 |
|---|
|
Web Site: |
|
Product Name: eSCAPe - Enhanced SCAP Editor |
||
|
Type: OVAL Authoring Tool |
||
|
||
Last Updated:
| GCP Global | Date Declared: September 24, 2012 |
|---|
|
Web Site: |
Quote/Declaration: ORCA GRC is a web-based solution intended to aid organizations of all sizes in managing their security, risk, compliance, and governance efforts in a single software platform. ORCA uses OVAL Definitions to identify non-conformities in security and compliance in an automated manner simplifying the auditing workflow.
|
Product Name: ORCA |
||
|
Type: Governance, Risk, and Compliance (GRC) Solution |
|
|
|
||
Last Updated: Jun 20, 2013
| Greenbone Networks GmbH | Date Declared: March 30, 2010 |
|---|
|
Web Site: |
|
Product Name: Greenbone Security Manager |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated:
| Hewlett-Packard Development Company, L.P. | Date Declared: March 9, 2010 |
|---|
|
Web Site: |
Quote/Declaration: HP supports the OVAL standard to assist IT organizations in reducing security risks through automated vulnerability disclosure. HP Sever Automation and Client Automation software suites provide real-time vulnerability detection based on OVAL Vulnerability Definitions. HP Live Network provides a repository and delivery portal of vulnerability and compliance content for HP Server Automation and Client Automation.
|
Product Name: HP Client Automation |
||
|
Type: Application Management |
||
|
||
|
Product Name: HP Live Network |
||
|
Type: Content Repository |
||
|
||
|
Product Name: HP Server Automation |
||
|
Type: Enterprise Server/Application Lifecycle Management |
||
|
||
Last Updated: Jul 29, 2014
| Information-technology Promotion Agency, Japan (IPA) | Date Declared: February 2, 2011 |
|---|
|
Web Site: |
Quote/Declaration: IPA offers three products for JVN Security Content Automation Framework. Version Checker is an OVAL-based free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor's download website with just a few clicks. Security Configuration Checker is an XCCDF and OVAL-based free, easy-to-use scanner that assesses Windows security configuration, including the USB autorun feature, password, and lockout policies of CCE. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.
|
Product Name: MyJVN API |
||
|
Type: Vulnerability Assessment and Configuration Management |
|
|
|
||
|
Product Name: MyJVN Security Configuration Checker |
||
|
Type: Configuration Management |
|
|
|
||
|
Product Name: MyJVN Version Checker |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated: Mar 3, 2014
| Institute for Information Industry - CyberTrust Technology Institute | Date Declared: December 12, 2012 |
|---|
|
Web Site: |
Quote/Declaration: CSK controller performs automatic compliance auditing to each CSK agent on enterprise endpoints. It can check security mis-configurations, scan systems and application vulnerabilities, evaluate enterprise threats through the baselines which is in the context of XCCDF based on enterprise demands or official compliance. CSK agent gathers all the security information including system configurations, application weakness, service status on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).
|
Product Name: Crystal Security Keeper (CSK) |
||
|
Type: Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation |
|
|
|
||
Last Updated: February 20, 2013
| Inverse Path S.r.l. | Date Declared: Mar 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Our compliance tool aims at allowing an easy and effective management of security policies. We've always looked at standardization efforts as a very effective approach for improving the state of security and/or known vulnerability checking, OVAL does just that and we are committed in supporting it for seamless integration and empowering users without reinventing the wheel.
|
Product Name: TPOL - OVAL Security Compliance |
||
|
Type: Vulnerability, Patch, and Compliance Assessment |
|
|
|
||
Last Updated: Mar 12, 2014
| jOVAL.org | Date Declared: June 30, 2011 |
|---|
|
Web Site: |
|
Product Name: jOVAL Definition Interpreter (jovaldi) |
||
|
Type: Open Source, Java-based OVAL Definition Interpreter |
|
|
|
||
Last Updated:
| Lunarline, Inc. | Date Declared: August 13, 2012 |
|---|
|
Web Site: |
Quote/Declaration: SCAP Sync is a centralized, publicly accessible repository for all types of SCAP Content. SCAP Sync crawls SCAP content publishing sites and keeps a complete version history for each individual piece of SCAP content. SCAP Sync includes a machine-readable REST API so that developers can effortlessly incorporate machine-readable SCAP content into their own programs, web sites, and technology solutions.
|
Product Name: SCAP Sync |
||
|
Type: SCAP Content Repository and API |
||
|
||
Last Updated: Feb 27, 2014
| McAfee, Inc. | Date Declared: March 8, 2011 |
|---|
|
Web Site: |
Quote/Declaration: McAfee has long understood the value of standards, actively participating on directional bodies such as the OVAL Board. McAfee was a very early adopter of OVAL and other security automation standards. McAfee has had OVAL Certified products in the past and continues to assure OVAL is used appropriately in a range of McAfee products. Today McAfee uses OVAL in three different security technologies, Policy Auditing, Vulnerability Management, and Network Access. We are using the same content in all three areas. Policy Auditor was the first enterprise class product to natively support SCAP. McAfee NAC was to first Network Access product to support SCAP. OVAL is a critical aspect of that support. Our OVAL support today includes Microsoft, AIX, HP-UX, Solaris, Mac OS X, and various Linux distributions across our product uses. In addition, McAfee is innovating SCAP by supplying and supporting localized SCAP/OVAL content in many different languages. It also provides a means to make XCCDF/OVAL results much more usable than just telling you if you are compliant or not against a specific benchmark. McAfee continues to develop innovative OVAL content for our customers' uses. McAfee has and will continue to invest in OVAL.
|
Product Name: McAfee Network Access Control |
||
|
Type: Network Connection Health Check, Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
|
Product Name: McAfee Policy Auditor |
||
|
Type: Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
|
Product Name: McAfee Vulnerability Manager |
||
|
Type: Vulnerability Assessment, Auditing and Centralized Audit Validation, Configuration Management, Patch Management |
|
|
|
||
Last Updated: Aug 7, 2013
| Microsoft Corporation | Date Declared: March 9, 2011 |
|---|
|
Web Site: |
Quote/Declaration: Microsoft has incorporated OVAL into two of its products, the Microsoft Security Compliance Manager and the SCAP Extension for System Center Configuration Manager 2007. The Microsoft Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization's ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies. The SCAP Extension for System Center Configuration Manager 2007 enables Configuration Manager 2007 to consume Security Content Automation Protocol (SCAP) data streams, assess systems for compliance, and generate report results in SCAP format by taking advantage of the compliance checking capabilities inherent in the desired configuration management (DCM) feature.
|
Product Name: Microsoft Security Compliance Manager |
||
|
Type: Security and Compliance Knowledge Management |
||
|
||
|
Product Name: SCAP Extension for System Center Configuration Manager 2007 |
||
|
Type: Enterprise Configuration Management |
||
|
||
Last Updated:
| Modulo Security Solutions | Date Declared: February 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Modulo Risk Manager is a Web-based system that provides large scalability and flexibility to technical control assessment. Assessment in complex environment with hundreds of assets is possible using OVAL to automate configuration analysis in common platforms like Microsoft Operating Systems, Windows-platform Applications and other upcoming technologies, using our definitions evaluator and system characteristics producer. Besides those capabilities, our definitions repository allows interchange with other entities so that Modulo Risk Manager and those entities can accomplish new systems assessments. The MODSIC Project (Modulo Open Distributed SCAP Intelligent Collector) provides an open framework for standardized SCAP distributed collectors using OVAL. It consists of a service that schedules and collects data remotely (agentless), allowing users to input assets and scheduling information and get OVAL System Characteristics and OVAL Results XML files for each asset analyzed through the network. MODSIC is a Modulo open-source initiative, licensed under new-BSD License.
|
Product Name: MODSIC Project |
||
|
Type: OVAL Collector Service |
||
|
||
|
Product Name: Modulo Risk Manager |
||
|
Type: Governance, Risk Management, and Compliance (GRC) Management |
||
|
||
Last Updated:
| National Institute of Advanced Industrial Science and Technology (AIST) | Date Declared: January 14, 2011 |
|---|
|
Web Site: |
Quote/Declaration: SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.
|
Product Name: SIX OVAL |
||
|
Type: Enterprise Compliance/Vulnerability Management |
|
|
|
||
Last Updated:
| NetIQ Corporation | Date Declared: February 9, 2011 |
|---|
|
Web Site: |
Quote/Declaration: As the rate of security threats increases, organizations must be enabled to fully leverage their security investments and rapidly adapt community-driven knowledge and best practices to address these threats. NetIQ Secure Configuration Manager is an award winning, enterprise security and compliance assessment solution and a foundational tool to achieving these objectives. The product's out-of-the-box best practices knowledge simplifies system configuration to proactively and efficiently manage current and emerging security threats. By leveraging both OVAL and XCCDF, NetIQ Secure Configuration Manager enables standards-based integration with other security solutions and helps reduce the cost of achieving security and compliance objectives.
|
Product Name: NetIQ Secure Configuration Manager |
||
|
Type: Enterprise Security Configuration Assessment |
||
|
||
Last Updated:
| New Net Technologies, Ltd. | Date Declared: May 30, 2014 |
|---|
|
Web Site: |
Quote/Declaration: NNT Change Tracker Enterprise provides continuous protection against known and emerging cyber security threats in an easy to use solution. NNT Change Tracker leverages OVAL Definitions to provide vulnerability and compliance assessments for a wide-range of platforms and devices. Options provided for both agent-based and agentless vulnerability scans of a wide range of database systems, operating systems, appliances and network devices. NNT Change Tracker is also a CIS Certified Vendor Product for CIS Benchmark Checklist validation.
|
Product Name: NNT Change Tracker Enterprise |
||
|
Type: Vulnerability and Compliance Assessment and Management, Host-Based Intrusion Detection |
||
|
||
Last Updated: Jun 9, 2014
| NopSec, Inc. | Date Declared: December 23, 2010 |
|---|
|
Web Site: |
Quote/Declaration: NopSec Vulnerability Risk Management (VRM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and charting, elimination of virtually all false positives, remediation tracking, and ticketing system according to business risk. NopSec VRM vulnerability scanning engine has planned support for OVAL Definitions evaluations. It is in beta phase for what concerns the OVAL Results Consumer and OVAL Systems Characteristics Producer Capabilities. NopSec has chosen to adopt the OVAL Standard in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.
|
Product Name: NopSec Vulnerability Risk Management (VRM) |
||
|
Type: Vulnerability Risk Management |
|
|
|
||
Last Updated: Jun 27, 2013
| OpenVAS | Date Declared: July 6, 2012 |
|---|
|
Web Site: |
Quote/Declaration: OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. his includes exporting system characteristics for the whole network, and applying the applications reporting framework according to OVAL Definitions.
|
Product Name: OpenVAS |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated:
| Pivotal Security LLC | Date Declared: November 27, 2012 |
|---|
|
Web Site: |
Quote/Declaration: Pivotal Security's innovative technology combines the benefits of transient agent and network wide de-duplication to provide lightning fast scans while using minimal network resources. We recognize the need for standardization in security assessment, reporting and remediation and as such we've decided to support OVAL. We see OVAL as mature yet flexible standard supported by a vibrant community.
|
Product Name: Security Scanning SDK |
||
|
Type: OVAL Definition Evaluator |
||
|
||
Last Updated: November 28, 2012
| Positive Technologies CJSC | Date Declared: May 11, 2012 |
|---|
|
Web Site: |
Quote/Declaration: Positive Technologies is a leading provider of vulnerability and compliance management, application security, SCADA security and penetration testing. As one of the development directions, we decided to use the SCAP technology in our products. We are implementing OVAL standards, supporting FDCC/USGCB, and maximizing integration with other open security standards in our products. We also provide an open OVAL repository containing vulnerability descriptions collected from various sources.
|
Product Name: Positive Technologies OVAL Repository |
||
|
Type: OVAL Definition Repository |
|
|
|
||
Last Updated: Apr 22, 2014
| Red Hat, Inc. | Date Declared: February 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.
|
Product Name: Red Hat Security Advisories |
||
|
Type: Product Vulnerability Security Advisories |
|
|
|
||
Last Updated: October 24, 2012
| SAINT Corporation | Date Declared: March 5, 2010 |
|---|
|
Web Site: |
Quote/Declaration: SAINT Corporation's vulnerability scanning product is a Web-based application available as a software download, appliance, or Software as a Service (SaaS or "Cloud" technology). SAINT Vulnerability Scanner uncovers areas of weakness and recommends fixes via its extensive tutorials. SAINT is certified under NIST's SCAP specification as an Unauthenticated Vulnerability Scanner and Authenticated Vulnerability and Patch Scanner. SAINT supports OVAL by allowing users to import OVAL checks from the OVAL Repository, as well as importing user-developed XML files containing OVAL checks. SAINT provides view/download of OVAL result files via the GUI. SAINT also reports system characteristics of identified hosts for use in analysis, auditing, remediation and/or patch management.
|
Product Name: SAINT Vulnerability Scanner |
||
|
Type: Vulnerability Assessment |
|
|
|
||
Last Updated:
| SecPod Technologies | Date Declared: December 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering majority of the CVE's for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and also consumed by end users. SecPod Saner is a light-weight, easy-to-use enterprise grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively consuming the SCAP feed from the SecPod SCAP Repo content repository.
|
Product Name: SecPod SCAP Feed |
||
|
Type: OVAL Repository |
|
|
|
||
|
Product Name: SecPod Saner |
||
|
Type: Vulnerability Management |
|
|
|
||
Last Updated: Feb 27, 2014
| Secure Bytes Corporation | Date Declared: March 23, 2011 |
|---|
|
Web Site: |
Quote/Declaration: Secure Bytes is an information security software development company focusing on developing automated tools to strengthen information security management system. Secure Bytes' Secure Auditor product is a unified digital risk management solution for conducting automated audits on operating systems, databases, and network devices. Secure Auditor assists organizations in fulfilling requirements defined by regulatory compliance, framework, and standards. Secure Bytes has incorporated OVAL Vulnerability Definitions and the SCAP-based compliance framework into Secure Auditor.
|
Product Name: Secure Auditor |
||
|
Type: Automated Auditing Software |
||
|
||
Last Updated:
| Security-Database | Date Declared: April 7, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Security-Database is pleased to support this initiative by supplying OVAL information along with vulnerability information and to provide access to a full mirroring repository of OVAL XML and online OVAL Definitions.
|
Product Name: IT Dashboard |
||
|
Type: Web-Based IT Vulnerability and Threats Dashboard |
||
|
||
|
Product Name: Security-Database OVAL Repository |
||
|
Type: Web-Based OVAL Repository Database |
|
|
|
||
Last Updated: Mar 3, 2014
| ScriptRock | Date Declared: April 15, 2015 |
|---|
|
Web Site: |
Quote/Declaration: ScriptRock provides a system of record for complex environments, documenting the complete state of every node for change detection, release management, and compliance. By adopting OVAL as a source for vulnerability definitions, ScriptRock will be able to evaluate users' environments for security risks and generate resources for remediation via automation tools.
|
Product Name: Universal System Scanner |
||
|
Type: Cloud Security |
||
|
||
Last Updated: Apr 28, 2015
| SPAWAR Systems Center Atlantic | Date Declared: Februry 25, 2010 |
|---|
|
Web Site: |
Quote/Declaration: The SCAP Compliance Checker has adopted OVAL as part of the FDCC Scanner capabilities of SCAP Validation Program. SCAP Compliance Checker is able to process all four of OVAL's schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing. By using the industry standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.
|
Product Name: SCAP Compliance Checker |
||
|
Type: OVAL Definition Evaluator |
|
|
|
||
Last Updated: Feb 27, 2014
| SUSE | Date Declared: February 28, 2014 |
|---|
|
Web Site: |
Quote/Declaration: Our customers need an index of fixed security incidents indexed by product, RPM package name and version for use in their security compliance checking. As they are using a wide range of checking tools inventing a new format would have caused unnecessary work on all sides. We have chosen to use the OVAL format for publishing this data, which is in our eyes the accepted industry standard format for this purpose.
|
Product Name: SUSE Linux Enterprise OVAL Information |
||
|
Type: Database |
||
|
||
|
Product Name: SUSE Manager 1.7 |
||
|
Type: Linux Patch and Configuration Management |
||
|
||
Last Updated: Apr 22, 2014
| Symantec Corporation | Date Declared: May 2, 2011 |
|---|
|
Web Site: |
Quote/Declaration: OVAL is used by Symantec Risk Automation Suite (SRAS) to define and detect system vulnerabilities, patches, and miss-configurations. OVAL content is automatically imported into SRAS from our repository and included in the scanning processes. Leveraging the OVAL standard, SRAS automates vulnerability detection, configuration reporting, and policy compliance measurement in a single, easy to deploy, easy to manage solution. OVAL is used by the Symantec Control Compliance Suite (CCS) to define and detect system vulnerabilities, patches and miss-configuration. OVAL content is automatically imported into CCS from our repository and included in the scanning processes. Leveraging the OVAL standard, CCS automates vulnerability detection, configuration reporting, and policy compliance. CCS supports both OVAL as part of an SCAP v1.0 data stream and as stand-alone OVAL definition evaluations.
|
Product Name: Symantec Control Compliance Suite |
||
|
Type: Automated Risk and Policy Compliance Management |
||
|
||
|
Product Name: Symantec Risk Automation Suite |
||
|
Type: Enterprise Configuration, Vulnerability, Risk, and Compliance Management |
||
|
||
Last Updated:
| Telos Corporation | Date Declared: March 26, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Xacta IA Manager combines security compliance and risk assessment functionality with powerful business process automation to establish a centralized governance, risk, and compliance management platform that facilitates compliance assessment, continuous risk and sustained compliance management, and security process automation. Xacta IA Manager's Continuous Assessment and HostInfo have adopted OVAL as an assessment language in addition to the native javascript language. Users have the ability to import OVAL Definitions and scan their endpoints for vulnerabilities, patches, and compliance. Xacta IA Manager also serves as an FDCC scanner to automate the validation and compliance of systems against FDCC standards and supports the use of SCAP content to determine compliance with FDCC and other XCCDF checklists.
|
Product Name: Xacta IA Manager Assessment Engine |
||
|
Type: Certification and Accreditation Solution |
||
|
||
|
Product Name: Xacta IA Manager Continuous Assessment |
||
|
Type: Certification and Accreditation Solution |
||
|
||
|
Product Name: Xacta IA Manager HostInfo |
||
|
Type: Certification and Accreditation Solution |
||
|
||
Last Updated: Feb 25, 2014
| ThreatGuard, Inc. | Date Declared: February 24, 2010 |
|---|
|
Web Site: |
Quote/Declaration: ThreatGuard offers three products that fully integrate support for OVAL: S-CAT, Secutor Prime, and Secutor Magnus. From 2004 to present day, ThreatGuard has fulfilled OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. All three products automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. S-CAT has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments. Secutor Prime includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content and includes an option to display the OVAL-ID of vulnerability definitions in the tree as the title for each vulnerability definition. Secutor Magnus can automatically load OVAL-based vulnerability content to perform vulnerability assessments against a variety of operating systems.
|
Product Name: Secutor Compliance Automation Toolkit (S-CAT) |
||
|
Type: Universal, Integratable SCAP Assessment Module |
|
|
|
||
|
Product Name: Secutor Magnus |
||
|
Type: Enterprise SCAP Compliance/Vulnerability Management System |
|
|
|
||
|
Product Name: Secutor Prime |
||
|
Type: Desktop Compliance/Vulnerability Assessment Tool |
|
|
|
||
Last Updated:
| ToolsWatch | Date Declared: April 14, 2015 |
|---|
|
Web Site: |
Quote/Declaration: SSA (Security System Analyzer) is free non-intrusive OVAL/XCCDF host-based security analyzer and compliance tool. It introduces a new simplified way to rely on open standards such OVAL and XCCDF to report compliance issues. SSA has adopted the OVAL standard as part of its vulnerability validation process. As a result, SSA consumes the Definitions and solely relies on the OVAL and XCCDF interpreters. vFeed provides a full aggregated, cross-linked and standardized Vulnerability Database based on CVE and standards such as OVAL, CPE, CWE, CAPEC, CVSS etc. Therefore, it introduces a new simplified XML format that expands the vulnerability coverage and correlation around the CVE. vFeed has adopted the OVAL as part of its correlation and aggregation capability. As a result, vFeed consumes the OVAL XML definitions, extract and map variables to expand the CVEs data.
|
Product Name: SSA - Security System Analyzer |
||
|
Type: Security Scanner and Compliance Assessment Software |
||
|
||
|
Product Name: vFeed API and Vulnerability Database Community |
||
|
Type: Vulnerability and Threats Database |
|
|
|
||
|
|
||
Last Updated: October 29, 2015
| Tripwire, Inc. | Date Declared: October 19, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and mis-configuration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.
|
Product Name: Tripwire Enterprise |
||
|
Type: Security Configuration Management |
|
|
|
||
Last Updated: Jun 18, 2014
| Triumfant, Inc. | Date Declared: September 9, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Triumfant Resolution Manager fully supports the use of OVAL to define the method for assessing a given configuration item. When the product imports an SCAP benchmark, it validates and imports the OVAL Definition files for the configuration items and patches referenced by that benchmark. OVAL files can be distributed to groups of computers automatically and can also be updated or deleted automatically. OVAL results are automatically collected each time an assessment is executed and are combined with the information in the appropriate XCCDF profile to produce detail and summary level reports for vulnerability issues, missing patches, and other compliance and policy violations. Resolution Manager is a NIST SCAP validated FDCC scanning tool and will report compliance with FDCC and other XCCDF checklists. The automated remediation capabilities of Resolution Manager can be used to remediate detected problems to continuously enforce configuration policies and eliminate vulnerabilities.
|
Product Name: Triumfant Resolution Manager |
||
|
Type: Vulnerability, Patch, and Compliance Assessment |
||
|
||
Last Updated:
| U.S. Army CERDEC | Date Declared: February 10, 2010 |
|---|
|
Web Site: |
Quote/Declaration: Armadillo developed by U.S. Army CERDEC, i.e., GOTS, is a configuration, vulnerability, patch, and software inventory network scanner (with plans to add remediation). It identifies misconfigurations by consuming SCAP bundles which contain XCCDF benchmarks (analogous to STIGs) which define the policy guidance and OVAL Definition files which define probes and expected values (analogous to SRRs). Armadillo produces XCCDF, OVAL and ARF results which allow it to interoperate with other SCAP tools. It works on LANs disconnected from the Internet and is able to probe multiple hosts concurrently over SSH from both Windows and Linux without the need to install any software on the target hosts.
|
Product Name: Armadillo |
||
|
Type: Vulnerability Assessment and Remediation |
||
|
||
Last Updated:
