Name of Your Organization:

Inverse Path S.r.l.

Web Site:

Adopting Capability:

TPOL - OVAL Security Compliance

Capability home page:

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Authoring Tool — Yes
OVAL Definition Evaluator — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

The TPOL Security Compliance product is available directly from Inverse Path by contacting <>.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

Within the documentation section of the web interface of TPOL and the shipped manual we clearly specify the language version we support as well as the last oval.xml file timestamp shipped by MITRE that has been tested against the tool.

Additionally, for maximum clarity, we provide an OVAL_COMPLIANCE document stating any incomplete and/or unsupported part of the standard that doesn’t have 100% support.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

The support team can be contacted at <> regarding any bug in the tool.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

A patch will be shipped as soon as possible to any affected customers.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

The entire TPOL - OVAL Security Compliance tool, as the name implies, is built around the OVAL standard; user manual and web interface clearly show this essential characteristic.

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

TPOL currently supports all platforms, excluding IOS, MacOS, and Microsoft Windows Schemas. We plan to support those in future releases.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

Our OVAL parser provide details about unknown/unsupported operations and/or syntax in imported files.

Type-Specific Capability Questions

Authoring Tool Capability Questions

Search by ID <AR_7.1>

Indicate how the user can search for Definitions, Tests, Objects, States, and Variables by ID.

Our Definition view page allows search by ID, version, class, title, platform, product and status.

Encourage Content Reuse <AR_7.2>

If the product attempts to encourage content reuse, indicate how the product encourages reuse of existing OVAL content.

We also allow export of policies defined within the product for later re-use.

User Invoked Validation <AR_7.3>

If the product supports user invoked content validation, indicate how the user can validate content against the OVAL Language W3C XML Schema and Schematron rules.

User invoked validation against OVAL Schema or Schematron rules is not currently supported, though we plan to do so in future releases.

Content Import <AR_7.4>

Indicate how users can import OVAL content into the product.

The definition web view allows upload and import of xml files. The OVAL content is immediately available after upload for usage.


Content Export <AR_7.5>

Indicate how the product allows users to export OVAL content from the product.

Individual OVAL definitions as well as policies (which group OVAL content together) can be exported as xml files through the ‘XML’ action shown in the web interface.



Duplicate Content Detection and Reporting <AR_7.6>

If the product detects and reports duplicate content, indicate how the product does this and how the product reports duplicates to the user.

Duplicate OVAL ids are overwritten, we provide no alert at this time. A warning describing this behaviour is shown in the import function.


Capability Value <AR_7.7>

Indicate how the product differs from a standard XML editor and provides additional capability tailored to authoring OVAL content.

The product provides drop down menus, selectors and nested dynamic dialogs for creating the policy visually withouth seeing the raw XML.


Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

OVAL definitions are grouped into policies, policies can be linked to single or multiple targets to be checked against.

The policy detail allows view and modification of linked definitions.


Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.


Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

Results are shown and/or searched) in a dedicated view.


Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

N/A (we provide a custom result format and not OVAL Results at this time)

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Andrea Barisani
TITLE: Chief Security Engineer

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Andrea Barisani
TITLE: Chief Security Engineer

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Andrea Barisani
TITLE: Chief Security Engineer

Page Last Updated: May 04, 2011