OVAL Board Minutes

Teleconference 2005-03-17, 13:00 - 14:30 EST (GMT -0500)

Attendees

Raffael Marty - ArcSight
Jay Beale - Bastille Linux
Chip Lawson - Bindview
David Waltermire - Center for Internet Security
Kent Landfield - Citadel
Dennis Moreau - Configuresoft
Eric Voskuil - DesktopStandard
Terry Sherald - DISA
Robert Stull - eEye
Jonathan Baker - MITRE
Andrew Buttner - MITRE
Robert Martin - MITRE
David Proulx - MITRE
Todd Wittbold - MITRE
Matthew Wojcik - MITRE
Margie Zuk - MITRE
Anton Chuvakin - netForensics
Chris Andrew - Patchlink
Mark Cox - Red Hat

Agenda

  • OVAL Status update
  • Compatibility program
  • Proposal: OVAL Developer Days
  • Reference Interpreter licensing
  • Content ownership
  • Future direction after OVAL Version 4

Welcome to new and prospective Board members

  • Nils Pulhman - Adobe [unable to attend]
  • Eric Voskuil - DesktopStandard
  • Robert Stull - eEye
  • Jim Alderson - GuardedNet [unable to attend]
  • Chris Andrew - Patchlink

Meeting Summary

OVAL Status update

  • Just under 1200 definitions (up from 993 in December)
  • Version 4 Release Candidate 3 posted March 3
    • No new comments received on RC3
    • Mac OSX schema added
    • Will become Official March 31
      • All content on site in Version 4 at that time
      • All SQL content to be archived
  • Name change update

    At December's Board meeting, MITRE announced plans to change the name of the effort from "Open Vulnerability Assessment Language (OVAL)" to "Open Validation and Assessment Language (OVAL)." The intent was to better reflect the expanded scope of the effort (e.g. policy compliance and patch definitions).

    At that meeting and subsequently on the Board mailing list, concerns were raised that "Validation and Assessment" would be too generic and potentially confusing. Web searches for "OVAL vulnerability" also demonstrated that "vulnerability" is a very effective keyword for the effort.

    On reflection, MITRE decided to change the name to "Open Vulnerability and Assessment Language (OVAL)" as a compromise. The web site and OVAL literature have already been updated.

  • Working Group on Unauthenticated Tests
    • Held first teleconference 2005-02-10
    • Minutes on web site (under Board Meetings Archive)
    • Discussion to be hosted on Developer List
  • Patch definitions / remediation work to commence
    • Substantial interest shown recently in fleshing out patch definitions and formalizing remediation options
    • Any necessary schema modifications will be made in future versions of the language (i.e. post-Version 4)
    • Some initial discussions have already begun. The Board and the larger OVAL community will be kept up to date. A public working group will likely be formed once there are more concrete proposals.
    • Contact oval@mitre.org if interested in getting involved
  • Internal content review
    • MITRE has spread its content creation efforts across a larger team
    • Some inconsistencies in testing approach and starting assumptions have been identified
    • Internal review process started to lead to more consistent definitions
    • One goal: Document how to write definitions, standard approaches to common problems, better test comments
  • More external review lately
    • Increased feedback on definitions recently
    • Seems systematic, as if people are examining all content, platform by platform
    • Most has been to oval@mitre.org address; email to the discussion list is also welcomed
    • Content review always strongly encouraged!
  • RSA conference report
    • Always a good conference for OVAL
    • As usual, extremely useful opportunity to talk to other vendors, both new to OVAL and established participants
  • MISTI InfoSec World next upcoming show
    • OVAL/CVE booth, April 4-6.
  • Board members: remember to promote OVAL where appropriate
    • MITRE can assist with introductory slides, materials

A Board member asked for an update on other standards initiatives
MITRE's OVAL team is following. These include:

  • EVDL, Enterprise Vulnerability Description Language (formerly WAS, Web Application Security): MITRE has been asked to participate in bi-weekly phone calls to provide an OVAL perspective, and help avoid duplicated effort.
  • XCCDF, eXtensible Configuration Checklist Description Format: OVAL is tightly integrated into XCCDF as the testing mechanism for machine-measurable policy compliance. Drew Buttner in particular has been involved in XCCDF calls and meetings, and in helping extend the OVAL schema to meet requirements for policy compliance. The Center for Internet Security is in the process of converting their configuration guides and benchmarking tools to XCCDF and OVAL; CIS's David Waltermire is leading that effort and is also an OVAL Board member.
  • CVSS, Common Vulnerability Scoring System: Employees of MITRE have had some involvement in CVSS, but members of the OVAL team have not been directly involved. Wojcik's initial opinion is that OVAL definitions do not need to reference the CVSS information for a vulnerability directly, since the CVE-ID provides the necessary link.
    Some specific concerns about the CVSS approach were raised by Cox; since MITRE has had some involvement in CVSS in the past, Wojcik offered to try to identify the appropriate people to make aware of those issues. While not directly OVAL-related, it seems well within OVAL's goals to facilitate this kind of communication in the security community.
  • AVDL, Application Vulnerability Description Language: OVAL team members have participated in conference calls frequently in the past. AVDL activity has been light for a number of months. The Version 1 specification seems to be somewhat specialized for a niche purpose.
  • Board members are encouraged to bring other efforts to the attention of the OVAL Board and community as appropriate.

Compatibility program

  • Bob Martin has created a short form to aid in making OVALCompatibility Declarations, available on request to oval@mitre.org
  • Work started on a requirements document
  • Input to requirements desired; drafts will be sent to the Board list as available
  • Brainstorming co-promotion ideas
    • Similar intent to the yellow "We Speak CVE" signs distributed to compatible vendors at conference expos
    • Ideas welcome

Proposal: OVAL Developer Days

With the growth in OVAL adoption, it's been suggested we have a face-to-face gathering once or perhaps twice a year for focused discussions around OVAL. The Board was asked whether there was sufficient interest to have one or two days devoted to OVAL, either in conjunction with a quarterly Board meeting or as a separate event.

A number of Board members expressed interest and willingness to travel. Majority opinion was that obvious topics would be around the growth and development of the OVAL language itself, similar to an extended Board meeting with more opportunity for dialogue. Less interest was shown in focusing on implementation issues; approaching SANS about possible OVAL tutorials was suggested.

Relative advantages of scheduling to coincide with RSA or another major conference were discussed. Pro: Many interested parties would be at the con already; could be simple to extend travel by a day before or after; potential to get convention-related PR. Con: we're all already very busy at shows; could be hard to concentrate on OVAL with other distractions / show burnout.

MITRE will consider further and contact the Board and the broader OVAL community about scheduling and possible topics.

Reference Interpreter licensing

  • Current GPL license for Reference Interpreter source code has been suggested to be too restrictive for some uses. Switching to a different open source license (perhaps Mozilla or BSD) might speed adoption of the standard through wider use of the interpreter's code base.
  • Pros and cons of the current license have been discussed on the Board list
  • MITRE is still considering, but a move to the BSD or Mozilla license seems likely

Content ownership

  • Definitions hosted on oval.mitre.org are presented to the community as free-to-use
  • As groups other than MITRE producer more OVAL definitions, content ownership will become of an issue
  • Who is ultimately responsible for content that has been submitted to the OVAL web site?
  • How will we deal with outside repositories? Copyright issues could come up, particularly once OS and application vendors include OVAL definitions in their advisories. Some licensing structure allowing derivative works should likely be encouraged.
  • The Creative Commons licenses were suggested as worth considering

Future direction after OVAL Version 4

With Version 4 about to become official, MITRE has already started planning for the next versions of OVAL. At the Schema Working Group meeting in September 2004 (minutes available online), consensus was that changes should be rolled up into more significant versions less often to ease development. In keeping with that, MITRE had been planning that the next version would be targeted for early 2006.

The next version release may need to happen sooner; the driving issue is that CIS will need many new families to convert the rest of their configuration guides. Because the valid families are enumerated in the core schemas, and valid platforms listed in the individual family schemas, adding a family or even a platform currently means a schema modification, and hence a new version.

The likely consequence is a new OVAL version in the summer, with new families added, possibly minor (test-level) changes to existing schemas, but no major structural changes. This should allow OVAL developers to work with Version 4 with little disruption. Any major changes will be delayed until early 2006, if at all possible.

It is also clear that we need to rethink our versioning system and whether families and platforms are enumerated directly in the schemas. It would be good to be able to add families without requiring a new version, since they should require new development (if supported) and not break existing implementations.

Back to top

Page Last Updated: February 07, 2008