OVAL Adoption > Questionnaires

Name of Your Organization:

SECURITY-DATABASE

Web Site:

http://www.security-database.com

Adopting Capability:

Security-Database OVAL Repository

Capability home page:

http://www.security-database.com/oval.php

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Evaluator — Planned

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

Security-Database is pleased to support this initiative by supplying OVAL information along with vulnerability information.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

Latest based on our Repository that is a mirror of the OVAL Repository. Version 5.10.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

http://www.security-database.com/about.php?type=contact

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

We answer by mail and before change anything investigate. If we found an error, check if it’s our problem or an OVAL repository problem. Based on result, we modify our internal classes and engine, or contact OVAL for reporting bugs.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

http://www.security-database.com/about.php?type=oval

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

All are supported:

  • aix-definitions-schema.xsd
  • apache-definitions-schema.xsd
  • catos-definitions-schema.xsd
  • esx-definitions-schema.xsd
  • freebsd-definitions-schema.xsd
  • hpux-definitions-schema.xsd
  • independent-definitions-schema.xsd
  • ios-definitions-schema.xsd
  • linux-definitions-schema.xsd
  • macos-definitions-schema.xsd
  • pixos-definitions-schema.xsd
  • sharepoint-definitions-schema.xsd
  • solaris-definitions-schema.xsd
  • windows-definitions-schema.xsd

Core constructs defined in the OVAL Language that are not supported.

  • None

Assessment Method <AR_3.3>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

None

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

http://www.security-database.com/about.php?type=contact

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

Before integrating OVAL Definitions into our database, we use schema to validate them.

Definition Repository Capability Questions

Unique IDs <AR_6.1> <AR_6.2> <AR_6.3>

Describe the process by which IDs are assigned and managed in the repository and how global uniqueness of IDs is ensured.

We ensure unicity by complex fingerprints.

Content Versioning <AR_6.4>

Describe the process by which the versions of Definitions, Tests, Objects, States, and Variables are managed in the repository.

Our Oval Repository http://www.security-database.com/oval.php ensures versioning.

Standard References <AR_6.6> <AR_6.7> <AR_6.8>

Indicate how and when CVE-IDs, CCE-IDs, and CPE-IDs are used as references on OVAL Definitions in the repository.

http://www.security-database.com/detail.php?alert=CVE-2004-0568

http://www.security-database.com/detail.php?alert=MS04-043

CCE are under investigation for integration soon.

Content Updates <AR_6.9>

Describe the process by which users can retrieve content updates.

Users can retrieve content update with these urls:

http://www.security-database.com/oval.php (Main Repository)

http://www.security-database.com/oval.php?version=5.4(for rep 5.4… and others)

http://www.security-database.com/oval.php?type=vulnerability&version=5.4 (for vulnerability on 5.4)

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Picuira Benjamin
TITLE: Security-Database Core Team Leader and CEO

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Picuira Benjamin
TITLE: Security-Database Core Team Leader and CEO

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Picuira Benjamin
TITLE: Security-Database Core Team Leader and CEO

Page Last Updated: February 28, 2014