Name of Your Organization:

NopSec, Inc.

Web Site:

http://www.nopsec.com

Adopting Capability:

NopSec Unified Vulnerability Risk Management (VRM)

Capability home page:

http://www.nopsec.com/vrm

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Systems Characteristics Producer — Yes
OVAL Definition Evaluator — Yes
OVAL Results Consumer — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

The capability is made available through the Vulnerability Risk Management (VRM) cloud instance.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The product supports OVAL versions 5.3 to 5.10.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Errors can be reported directly through the built-in ticketing system or to the VRM Helpdesk. The email contact for the VRM Helpdesk is support@nopsec.com.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

When a defect is detected and fixed, customers are notified of the fix, which can then be fetched from the VRM cloud instance.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

http://www.nopsec.com/oval

Language Support <AR_3.2>

List each supported component schema and the specific OVAL Tests in those component schemas that are supported.

The product supports OVAL versions 5.3 to 5.10. Unified VRM supports all the schemas and the tests of OVAL Language version 5.10 listed on the OVAL Language website: https://oval.mitre.org/language/version5.10/index.html.

OVAL Content Error Reporting <AR_3.3>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Customers can contact the VRM Helpdesk for any form of OVAL content error reporting. The VRM helpdesk can be contacted at support@nopsec.com.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

The syntax errors in the OVAL content are checked by the OVAL content validator module within the capability.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

The product uses the latest OVAL Definitions downloaded from the OVAL Repository. The appropriate OVAL Definition for an asset is identified on the basis of the asset operating system, which is explicitly provided prior to the OVAL scan.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

N/A since the capability supports consuming OVAL content at runtime.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

The capability allows users to view and generate detailed reports after the scanning and testing process.

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The detailed report generated by a user also includes a URL for the full OVAL results.

Results Consumer Capability Questions

Examine Imported Content <AR_9.1> <AR_9.2>

Indicate how users can review OVAL Results that are imported into the product and explain how users can determine which system a particular set of results applies to.

Users can review OVAL Results through VRM's reports, or choose to view the full OVAL Results. In both reports there is a system information section indicating which system the results apply to.

Content Import Process Explanation <AR_9.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

The capability supports consuming OVAL content at runtime for the platform selected for evaluation. The product displays the results both in human-readable format and in the OVAL standard format.

Systems Characteristics Producer Capability Questions

Collecting System Data <AR_5.2> <AR_5.3>

Explain the criteria used to collect system data that is included in an OVAL System Characteristics document.

NopSec Unified VRM features a method for gathering the System Characteristics information for every object defined in the input definition file. The capability implements an agentless authenticated scan via WMI to generate the System Characteristics Document.

Content Export <AR_5.2> <AR_5.3>

Indicate how the product allows users to export OVAL System Characteristics documents.

The OVAL System Characteristics documents are generated internally and can be exported upon user request.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Michelangelo Sidagni
TITLE: Chief Technology Officer

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Michelangelo Sidagni
TITLE: Chief Technology Officer

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Michelangelo Sidagni
TITLE: Chief Technology Officer

Page Last Updated: June 17, 2013