About OVAL Compatibility — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

Introduction

OVAL Compatibility is a program established to develop consistency within the security community regarding the use and implementation of OVAL. The main goal of the compatibility program is to create a set of guidelines that will help enforce a standard implementation. An offshoot of this is that users are able to distinguish between, and have confidence in, compatible products knowing that the implementation of OVAL coincides with the standard set forth.

For a product or service to gain official OVAL Compatibility, it must adhere to the "Requirements and Recommendations for OVAL Compatibility" and complete the formal OVAL Compatibility Process.

Back to top

What is OVAL Compatibility

OVAL Compatibility means that a tool, service, Web site, database, or advisory/alert incorporates OVAL in a pre-defined and standard way. A product or service is considered OVAL-Compatible if it uses OVAL as appropriate for communicating details of vulnerabilities, patches, security configuration settings, and other machine states.

When considering a capability for OVAL Compatibility it must be determined to which OVAL schema(s) it complies (System Characteristics, Definition, and/or Results), and whether the capability is a "Producer" that generates data that conforms to a specific schema, a "Consumer" that utilizes an existing data set for some purpose, or both.

Some examples of Producers are a software inventory tool that gathers OVAL Systems Characteristics information, a software vendor who creates draft OVAL definitions in their security bulletins, or a vulnerability assessment tool that outputs its test findings in accordance to the OVAL Results schema. Examples of Consumers are a vulnerability assessment tool that draws in the OVAL System Characteristics file and then runs OVAL Definitions against the information, rather than directly gathering the information at run-time; a remediation tool that imports the OVAL Results; or an organizational status reporting tool that uses the OVAL Results to provide information on conformance with policy.

Back to top

Examples of Compatibility

The following are some examples of entities that would meet the initial requirements of OVAL Compatibility:

A tool that relies upon OVAL Definitions to conduct a vulnerability assessment of a system is called an OVAL-Compatible scanning tool. OVAL Definitions follow one of the component-centric OVAL schemas; these schemas describe the structure and vocabulary of the OVAL definitions for each supported platform (i.e., Microsoft Windows, Red Hat Linux, Sun Solaris, Debian Linux, etc.). In addition to using OVAL Definitions for defining its tests, an OVAL-Compatible scanning tool is able to store its test results following the OVAL Results schema structure.

Another area of OVAL Compatibility covers the collection of the information that is used to evaluate the OVAL definition tests. An OVAL-Compatible scanning tool can collect or read the various file system information and settings as it scans systems, or the information can be collected ahead of time and stored in a file that follows the OVAL Systems Characteristics schema. Then the OVAL-Compatible scanner can read in the data from the OVAL Systems Characteristics file and evaluate the OVAL Definitions against the stored data. Tools that collect and export OVAL Systems Characteristics files are part of another category of OVAL Compatibility.

Similarly, applications that can ingest OVAL Results files are part of third type of OVAL-Compatible tools. For example, a tool that uses OVAL Results files to construct an enterprise report on vulnerability status, or recommends remediation approaches, would be in this third type of OVAL Compatibility. Likewise, a certification and accreditation report creation tool that uses OVAL Results files would also be in this category.

The fourth type of OVAL Compatibility is for organizations that create and publish OVAL Definitions in advisories and bulletins, including the software suppliers, security research organizations, or security vendors that create OVAL Definitions of how to test for the presence of the vulnerability they are describing in their advisory/bulletin.

Back to top

Additional Information

For any additional information please read the "Requirements and Recommendations for OVAL Compatibility", or send an email to oval@mitre.org. You may also review the most-recent Compatible Products and Services and Declarations to Be OVAL-Compatible, or Make a Declaration.

Back to top

Page Last Updated: December 17, 2009