OVAL - News and Events - 2004 Archive

News and Events - 2004 Archive

December 29, 2004

PredatorWatch, Inc. Makes Three OVAL Compatibility Declarations

PredatorWatch, Inc. has declared that its vulnerability assessment appliance and update service for small to medium enterprises, PredatorWatch Auditor 16 and Update Service; its vulnerability assessment appliance and update service for small mobile networks, PredatorWatch Auditor 128 and Update Service; and its vulnerability assessment appliance and update service for large networks, PredatorWatch Auditor Enterprise and Update Service; will be OVAL-compatible. For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

Qualys Press Release Announces Appointment to OVAL Board and Declaration of OVAL Compatibility

Qualys, Inc. issued a press release on December 20, 2004 entitled "Qualys CTO Gerhard Eschelbeck Joins OVAL Board." The release notes that Eschelbeck is Qualys' CTO and VP of Engineering for Qualys, explains what OVAL is, and announces that Qualys will be making its products OVAL-compatible: "Qualys will be adding OVAL support to its QualysGuard vulnerability management solution in 2005, allowing customers to import existing OVAL definitions and rapidly develop custom vulnerability detection signatures through a standardized XML based language."

Also included is a quote by Eschelbeck, who states: "As an industry, we have made significant strides in standardization with CVE, and I am honored to join this community effort to extend the standardization of vulnerability definitions," said Gerhard Eschelbeck, CTO and VP of Engineering for Qualys. "Qualys values and is fully committed to supporting the OVAL effort, which will ease the burden on security administrators in identifying and eliminating security vulnerabilities."

Qualys is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP products are listed on the OVAL-Compatible Products and Services page.

Citadel Security Software Press Release Announces OVAL Compatibility

Citadel Security Software Inc. issued a press release on December 20, 2004 entitled "Citadel Security Software Announces OVAL Compatibility." In the release Citadel "announced its plan to be compatible with MITRE's OVAL (Open Vulnerability Assessment Language) Results Schema, a standardized format for presenting data from a system evaluated by OVAL, enabling customers to remediate vulnerabilities identified by OVAL-compatible scanning tools."

The release describes what OVAL is and explains how Citadel will be integrating OVAL into Hercules: "With Citadel integrating the ability to read results from the OVAL Results Schema, Hercules will import results from vulnerability scanners or other network tools that produce output in an OVAL Results Schema format to quickly remediate vulnerabilities. Additionally, Citadel will be integrating other aspects of OVAL such as OVAL Compliance Definitions, Patch Definitions, and Vulnerability Definitions."

Also included is a quote by OVAL Board member and CTO of Citadel Security Software Carl Banzhof, who states: "With OVAL positively impacting the global computing community, we are proud to contribute to its leadership efforts on providing security interoperability standards," said. "Through our work with DISA, we understand why federal agencies rely on OVAL vulnerability identification and reporting standards and are dedicated to providing the compatibility and integration that can greatly ease their vulnerability management burden."

Citadel Security Software is a member of the OVAL Board and its Hercules product is listed on the OVAL-Compatible Products and Services page.

nCircle Press Release Announces Appointment to OVAL Board

nCircle Network Security, Inc. issued a press release on December 15, 2004 entitled "nCircle's Mike Murray Appointed to Open Vulnerability Assessment Language (OVAL) Board." The release notes that Murray is nCircle's Director Of Vulnerability and Exposure Research, describes what OVAL is, and mentions that Murray will lead OVAL's working group "to adapt the OVAL standard to include remote vulnerability checks."

The release also includes a quote by Murray, who states: "As OVAL continues to make significant contributions to the security industry, I am pleased to have the opportunity to participate in helping to achieve their goals. Leading OVAL's first [unauthenticated remote scanning] working group is a great opportunity, and I look forward to working closely with such a dedicated and talented group in the security industry."

To join the working group, first subscribe to the OVAL Developer's Email List on the OVAL Community Forum sign-up page. After receiving a confirmation verifying your addition to the list, submit a message expressing your interest in addressing unauthenticated remote scanning to join the group.

December 17, 2004

Qualys, Inc. Makes Four OVAL Compatibility Declarations

Qualys, Inc. has declared that its network and application vulnerability assessment platform for professional services organizations, QualysGuard Consultant; network and application vulnerability assessment platform for large distributed organizations, QualysGuard Enterprise; network and application vulnerability assessment platform for small to medium-sized organizations, QualysGuard Express; and network and application vulnerability assessment platform for managed service providers, QualysGuard MSP; will be OVAL-compatible.

For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

eEye Digital Security Makes Two OVAL Compatibility Declarations

eEye Digital Security has declared that its automated vulnerability assessment tool, Retina Network Security Scanner, and its vulnerability management tool, REM Security Management Console, will be OVAL-compatible. For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

New OVAL Board Member

Gerhard Eschelbeck of Qualys, Inc., has joined the OVAL Board.

New OVAL Board Member

Dennis Moreau of Configuresoft, Inc., has joined the OVAL Board.

New OVAL Board Member

Michael Murray of nCircle Network Security, Inc., has joined the OVAL Board.

New OVAL Board Member

Pinkesh Shah of NetIQ Corporation has joined the OVAL Board.

OVAL Forms Working Group to Address Unauthenticated Remote Tests

OVAL is forming a new working group to look at handling unauthenticated remote tests in OVAL. The leader of the group will be new OVAL Board member Michael Murray of nCircle Network Security, Inc. Anyone with interest or expertise in unauthenticated scanning is welcome to participate.

OVAL Main Topic of Article in Information Security Magazine

OVAL was the main topic of an article entitled "'Big O' For Testing" in the December 2004 issue of Information Security Magazine. In the article the author describes OVAL and states: "The Open Vulnerability Assessment Language (OVAL) project, headed by nonprofit MITRE and funded by the Department of Homeland Security's U.S.-CERT, is being developed as a standardized process by which security tool creators, operating system vendors and security professionals test systems for exploitable vulnerabilities. XML-based OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE) initiative . . . [and] gives security managers the ability to test for a particular CVE vulnerability in OVAL-compliant applications and platforms. OVAL will tell testers whether vulnerable software is installed and, if so, whether it has a vulnerable configuration. OVAL provides a schema that describes the platforms and presents a query customized to each vulnerability that determines whether a machine is at risk."

The article describes OVAL definitions and the OVAL Schemas, including the System Characteristics Schema and Results Schema; discusses the OVAL Definition Interpreters; mentions the platforms currently supported by OVAL; notes the importance and participation of the OVAL Board; and advocates OVAL compatibility.

The author concludes the article with the following statement: "OVAL promises to improve the quality of our vulnerability assessment tests as the vendors analyze and critique them, and allow end users to create new tests. The best way to support this effort is to look at the language, try the vulnerability assessment tool and push your vendors towards OVAL compatibility."

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Monday, December 13, 2004, with sixteen Board members and others participating. Topics included OVAL status updates, changes to the schema acceptance process, review of the Version 4 Schema Drafts, and OVAL compatibility. You may also read the complete meeting minutes.

December 13, 2004

OVAL Adds Draft Schema for Debian Linux

A draft schema for Debian Linux has been posted for review and comment on the Proposed OVAL Schema Changes page in the Official OVAL Schema section. The new schema, Debian Linux Platform Schema, Version 4 (Draft), is part of the overall Version 4 update to the official OVAL Schemas.

The following schemas are also part of the Version 4 update: OVAL XML Parent Schema, Version 4 (Draft); Microsoft Windows Platform Schema, Version 4 (Draft); Sun Solaris Platform Schema, Version 4 (Draft); Red Hat Linux Platform Schema, Version 4 (Draft); and Cisco IOS Platform Schema, Version 4 (Draft). An ongoing log of status updates to the schemas is also available for review.

Comments and discussion about the new drafts are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

Online Sign-Up Available for Free OVAL e-Newsletters

Online sign-up is available for the free OVAL e-newsletters. Sent once per week or less, "OVAL-Announce" provides general news about OVAL, such as OVAL data and schema updates, new Web site features, upcoming conferences, references to OVAL in the news media, etc.; while "OVAL-Data-Updates" reports of new and modified OVAL vulnerability definitions, data file updates, OVAL schema updates, new Definition Interpreter versions, and other detailed technical information regarding OVAL.

You may sign-up for either or both lists by entering your email address (required) and other information (preferred) directly into the online form. View our Privacy Policy.

November 29, 2004

Three Example Procurement Documents Added to OVAL Web Site

Three example procurement documents have been added to the OVAL Documents page to assist government agencies and other organizations with including OVAL in the development of their request for proposals, statements of work, and other procurement requirements for the purchase of software applications as well for the acquisition of specific network and system assessment and remediation tools.

The following three example documents are available in Microsoft Word format:

OVAL-Relevant Software Supplier Requirements (SWSupplier)
This document is an extract of the statement of objectives used by the Department of Defense to explain the security relevant requirements they wanted met by software suppliers. Several areas of security issues are addressed as well as the use of OVAL definitions for indicating how to identify the vulnerability and its remediation (workarounds and patches) in security notifications.
OVAL-Relevant Vulnerability Assessment Tool Requirements (IAVMtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security relevant requirements they wanted met by an enterprise-wide vulnerability assessment and reporting tool. Several areas of security issues are addressed as well as the use of OVAL definitions for checking for vulnerabilities and reporting results.
OVAL-Relevant Remediation Tool Requirements (IAremedtool)
This document is an extract of the statement of work used by the Department of Defense to explain the security relevant requirements they wanted met by an enterprise-wide remediation tool. Several areas of security issues are addressed as well as the use of OVAL for importing assessment results that list items to be remediated and reporting remediation status.

Please contact oval@mitre.org with any questions or for more information.

OVAL Presents Briefing at New England Information Security Group Meeting

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, presented a briefing about OVAL and CVE on November 18, 2004 entitled "Standards for Enabling Automation in Information Security" at the November Meeting of the New England Information Security Group in Boston, MA, USA. The presentation was successful and exposed OVAL and CVE to an audience of "individuals and organizations interested in securing their technical infrastructure." The group provides a venue to distribute information and educate the general membership on security products, techniques, and/or related issues.

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

MITRE Hosts OVAL/CVE Booth at LISA 2004

MITRE hosted an OVAL/CVE exhibitor booth at LISA 2004, November 17-18, 2004, in Atlanta, Georgia, USA. The conference was successful and exposed OVAL and CVE to system and network administrators from industry, academia, and government.

Visit the OVAL Calendar page for information about this and other upcoming events.

November 19, 2004

OVAL Deprecates Use of SQL Format

OVAL will no longer support the SQL format. The decision to deprecate SQL, approved by the OVAL Board, enables the community and the OVAL Team to concentrate on generating OVAL content solely in XML format. A more detailed discussion on this topic is available in the Community Forum Discussion Archive.

Definitions Archive Page Added to OVAL Web Site

An OVAL Definitions Archive page has been added to the Get OVAL Definitions section of the OVAL Web site. All OVAL definitions will be archived on this page on a monthly basis. Archiving definitions by date allows OVAL users to track changes over time and tool developers to map the OVAL Compatibility of their product or service to a specific set of definitions.

MITRE Hosts OVAL/CVE Booth at the CSI Computer Security Conference

MITRE hosted an OVAL/CVE exhibitor booth at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition, November 8 - 10, 2004 in Washington, D.C., USA. The conference was successful and exposed OVAL and CVE to information security and network professionals from industry, academia, and government. See photos below:

November 5, 2004

Citadel Security Software Inc. Makes OVAL Compatibility Declaration

Citadel Security Software Inc. has declared that its automated vulnerability remediation product, Hercules, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

Conference Photos of OVAL Booth at the SANS Network Security 2004

MITRE hosted an OVAL/CVE exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004 in Las Vegas, Nevada, USA. See photos below.

October 29, 2004

Proposed OVAL Schema Changes Page Added to OVAL Web Site

A Proposed OVAL Schema Changes page has been added to the OVAL Web site to detail upcoming changes and/or new versions of the schemas. When a new schema version such as Version 4 is in development the schema modifications are listed on this page, as is a running log of status updates. Also described are the "Schema Review Process" and the four stages of OVAL schema development.

Comments and discussion about the new page and the proposed new Version 4 schemas are welcome on the OVAL Community Forum, OVAL Developer's List, or oval@mitre.org.

MITRE Hosts OVAL/CVE Booth at FIAC 2004

MITRE hosted an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2004, October 26 - 27, 2004, at the University of Maryland University College, in Adelphi, Maryland, USA. The conference was successful and exposed OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

October 22, 2004

Revised OVAL Schemas Available for Review and Comment

Draft versions of the revised OVAL Schemas have been posted for public review and comment in the Official OVAL Schema section of the OVAL Web site. These new draft schemas are Version 4 and incorporate modifications and revisions that are a direct result of feedback from users.

Version 4 of the Official OVAL Schema represents a significant advancement in the evolution of the OVAL effort. Some of the updates to the Definition Schema include a test for text searches in files, the addition of a schema for Cisco IOS, and the reorganization of object and data information within a test to simplify analysis. The System Characteristics Schema and Results Schema have been completely overhauled in response to requests from the OVAL Community to make the information contained within them more useful. The most significant change is to bring the Official OVAL Schema under a single version number, "Version 4". The reason for this change is to simplify the task for all OVAL users (e.g., definition creators, tool developers, vulnerability researchers, etc.) in identifying the version against which a set of definitions/characteristics/results were generated. The previous schema versions also remain available during the review period.

The following schemas updated:

OVAL XML Parent Schema, Version 4 (Draft)
Microsoft Windows Platform Schema, Version 4 (Draft)
Sun Solaris Platform Schema, Version 4 (Draft)
Red Hat Linux Platform Schema, Version 4 (Draft)

The following schema has been added to the OVAL Web site:

Cisco IOS Platform Schema, Version 4 (Draft)

Comments and discussion about the new drafts are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

System Characteristics Schema Updated

The System Characteristics Schema has been updated to version 1.1 and the status has been moved from Accepted to Interim. This update changes only the Red Hat and Solaris portions of the schema. The "type" attribute was removed from the >component< element used in both file and permission tests. Version 1.1 will go to Accepted status in two weeks there are no further modifications.

We apologize for any inconvenience. Please send an oval@mitre.org with any comments or concerns.

OVAL Definition Interpreter Updated

The OVAL XML Definition Interpreters have been updated to version 3.4. This update addresses three issues that could occur while running the Interpreter:

(1) Invalid XML created on Red Hat systems when using the OVAL Definition Interpreter. If an error occurred while collecting the RPM Information the resulting error message was poorly formatted causing invalid XML to be written to the System Characteristics file. In such a case an error message would be generated by the Definition Interpreter indicating that the System Characteristics file specified with the "-I" command line parameter was invalid. The Definition Interpreter has been fixed to write properly formatted XML.

(2) Incorrect comparison of Microsoft Windows file versions when using the Definition Interpreter. The version comparison might produce incorrect results when an operator of "less than", "less than or equal", "greater than", or "greater than or equal" is specified. The Definition Interpreter has been fixed to properly compare all possible Microsoft Windows files versions for all allowed operators.

(3) Invalid XML created on Microsoft Windows systems when using the Definition Interpreter. In some circumstances when a file is not found on a system invalid XML might be written to the System Characteristics file. The Definition Interpreter has been fixed to ensure that valid XML will be written to the System Characteristics file when a file is not found on a system.

Use of the Definition Interpreter version 3.4 requires that you use updated OVAL Data Files. We apologize for any inconvenience. Please send an email to oval@mitre.org with any comments or concerns.

October 15, 2004

OVAL Developer List Archive Page Added to OVAL Web Site

An Archive of the OVAL Developer List has been added to the OVAL Web site. To date, 84 new members have joined the OVAL Developer List. List members are able to discuss and debate issues related to developing tools that use OVAL Definitions on the lightly moderated email list hosted on the OVAL Web site. This allows OVAL Schema modifications and enhancements to reflect the insights and combined expertise of the broadest possible collection of security tool development professionals.

We encourage members of the information security community interested in developing OVAL related tools to join the OVAL Developer Email List and participate in this facet of the growing industry initiative. Forum discussions are available for reference and review on the Developer Discussion Archive page.

Senior Advisory Council Holds Meeting

The CVE Senior Advisory Council, which also provides oversight for the OVAL effort, held a meeting on Wednesday, October 6, 2004. The discussion focused on the two major operational parts of security management; achieving and maintaining secure systems and responding to attacks on our systems and how the CVE and OVAL initiatives have enabled change in each of these processes. The DISA/STRATCOM IA Vulnerability Alert Management (IAVM) Strategy and Contracts were discussed as well as the new consolidated Air Force Microsoft Contract. The requirement for CVE and OVAL is present in each of these contract activities. The current status of the NSA XCCDF (Extensible Configuration Checklist Description Format) effort and the use of OVAL as an external checking method for XCCDF was discussed as well as the integration of OVAL and XCCDF into the CISecurity Tools. Finally, the new DHS/NCSD Common Malware Enumeration (CME) was presented.

The meeting included status updates on the OVAL effort, including a discussion of the working group to discuss modifications to the System Characteristics Schema and OVAL Results Schema; status updates on the CVE Initiative, including the recent release of a new version of CVE and upcoming compatible product certificate awards; and an overall discussion about the evolution and adoption of information security standards.

MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding, and to help us all understand potential relationships with other ongoing activities, share information, and promote synergy across the security community. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. Visit the CVE Web site to view a list of the advisory council members or to read a copy of the council charter.

MITRE to Host OVAL/CVE Booth at CSI's 31st Annual Computer Security Conference and Exhibition

MITRE is scheduled to host a OVAL/CVE exhibitor booth at the Computer Security Institute's (CSI) 31st Annual Computer Security Conference and Exhibition, November 8 - 10, 2004, at the Marriott Wardman Park Hotel, in Washington, D.C., USA. The conference will expose OVAL and CVE to information security and network professionals from industry, academia, and government.

October 8, 2004

MITRE to Host OVAL/CVE Booth at FIAC 2004

MITRE is scheduled to host a OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2004, October 26 - 27, 2004, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.

MITRE Hosts OVAL/CVE Booth at SANS Network Security 2004

MITRE hosted an OVAL/CVE exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004, at the Riviera Hotel in Las Vegas, Nevada, USA. The conference was successful and exposed OVAL and CVE to a diverse audience of network professionals and information security specialists from industry, academia, and government.

Visit the OVAL Calendar page for information about this and other upcoming events.

September 30, 2004

OVAL Board Working Group Holds Teleconference

The OVAL Board held a working group teleconference on Tuesday, September 21, 2004 to discuss modifications to the System Characteristics Schema and OVAL Results Schema, with ten Board members and others participating. Please read the complete meeting minutes for details.

September 23, 2004

New OVAL Board Member

Anton Chuvakin of netForensics, Inc., has joined the OVAL Board.

September 13, 2004

OVAL Mentioned in Article about CVE's 5-Year Anniversary on the CVE Web Site

OVAL was mentioned in a September 9, 2004 news article on the CVE Web site entitled "CVE Celebrates 5 Years!" The article discusses the growth of the CVE List from its inception in 1999 to its current total of 7,191 total CVE names; growth of community participation on the CVE Editorial Board; and the growth of CVE-Compatible Products and Services and the number of organizations including CVE names in their security advisories.

OVAL was mentioned in the CVE compatibility section in a discussion about services that are built upon CVE: "CVE has also been used as the basis for entirely new services . . . MITRE's Open Vulnerability Assessment Language (OVAL) is the common language for security experts to discuss the technical details of how to identify the presence of vulnerabilities on computer systems using XML definitions that are each based on a CVE name."

OVAL is listed on the CVE Web site as CVE-compatible (read our Statement of CVE Compatibility), and in February 2004 became one of only 14 information security products and services to be recognized as officially CVE-Compatible at an award ceremony at RSA Conference 2004 in San Francisco, California, USA. For more information about CVE and CVE compatibility, visit http://cve.mitre.org.

MITRE to Host OVAL/CVE Booth at SANS Network Security 2004

MITRE is scheduled to host an OVAL/CVE exhibitor booth at SANS Network Security 2004, September 30 - October 1, 2004, at the Riviera Hotel in Las Vegas, Nevada, USA. The conference will expose OVAL and CVE to a diverse audience of network professionals and information security specialists from industry, academia, and government.

September 3, 2004

OVAL Definition Interpreter Updated

The OVAL Definition Interpreters have been updated to version 3.3. This update addresses problems that could occur when the Interpreter evaluated certain complex regular expressions, resulting in unknown results for affected tests; to raise the default limit of regular expression matches allowed to populate the system characteristics file and/or the database, ensuring more accurate results are available when analyzing an OVAL definition; and, to modify the Windows file and registry probes to minimize the amount of non-matching tests, resulting from partial matches to a regular expression, that are written to the system characteristics file.

Use of the Definition Interpreter version 3.3 requires that you use updated OVAL Data Files. We apologize for any inconvenience. Please send an email to oval@mitre.org with any comments or concerns.

August 27, 2004

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, August 19, 2004, with thirteen Board members and others participating. Topics included OVAL status updates, proposed schema modifications, and a review of the OVAL compatibility process. You may also read the complete meeting minutes.

New OVAL Board Member

Kent Landfield of Citadel Security Software, Inc., has joined the OVAL Board.

Schemas for Collecting and Reporting OVAL Data Updated to "Accepted" Status

The schemas to assist users and tool developers in the process of analyzing OVAL definitions have been updated to "Accepted" status on the Official OVAL Schema page. Version 1.0 of the OVAL System Characteristics Schema defines a standard format for expressing the system and configuration parameters gathered from a specific computer. The purpose of this schema is to provide a tool with a snapshot of a system's configuration at a particular point in time. Version 1.0 of the OVAL Results Schema defines a standard format for expressing the outcome of performing an analysis using OVAL definitions. The purpose of this schema is to allow tools to exchange the OVAL analysis results in a standardized format.

Refer to the Official OVAL Schema page for all schemas supported by OVAL.

August 12, 2004

Secure Elements Press Release Announces Daniel Bezilla as New OVAL Board Member

A press release by Secure Elements on August 4, 2004 announced that Daniel Bezilla, chief technical officer and co-founder of Secure Elements, has joined the OVAL Board. The release describes what the OVAL effort is and isn't, the responsibilities of the Board, and includes a link to the OVAL Web site. The article includes a quote by Bezilla, who states: "I'm pleased to be able to contribute to the efforts to strengthen cyber security efforts through standards and industry-government initiatives. These initiatives serve our collective best interest, and deserve joint contributions by the public and private sector. I'm looking forward to contributing to the discussions that have been the foundation for OVAL's groundbreaking achievements."

The article also includes a quote by OVAL Board Moderator Matthew N. Wojcik, who states: "Complete vulnerability and configuration management is emerging as a required discipline for the security industry. OVAL is excited to have Dan on our Board, as he has demonstrated industry leadership, especially in the field of complete vulnerability management."

There are currently 29 OVAL Board Members from 21 organizations around the world.

August 5, 2004

Revised Format for OVAL Data Files Requires Download of Updated Definition Interpreter

All OVAL Data File downloads have been revised to adhere to the recent updates to the Official OVAL Schema. The new format will not work with older versions of the OVAL Definition Interpreters. You will need to download Definition Interpreter version 3.2 for current and future data file updates to work properly. We apologize for any inconvenience. Please send an oval@mitre.org with any comments or concerns.

Online Sign-Up Now Available for Free OVAL e-Newsletters

Online sign-up is now available for the free OVAL e-newsletters. Sent once per week or less, "OVAL-Announce" provides general news about OVAL, such as OVAL data and schema updates, new Web site features, upcoming conferences, references to OVAL in the news media, etc.; while "OVAL-Data-Updates" reports of new and modified OVAL vulnerability definitions, data file updates, OVAL schema updates, new Vulnerability Definition Interpreter versions, and other detailed technical information regarding OVAL.

You may sign-up for either or both lists by entering your email address (required) and other information (preferred) directly into the online form. View our Privacy Policy.

Online Sign-Up Now Available for OVAL Community Forum and OVAL Developer's Email List

Online sign-up is now available for the OVAL Community Forum and the OVAL Developer's Email List. The Community Forum Email List is a lightly moderated public forum for discussing the OVAL Schema; the Initial Submission, Draft, Interim, and Accepted OVAL vulnerability definitions posted on the OVAL Web site; and the information security vulnerabilities themselves that affect the writing of definitions. We also offer a separate OVAL Developer's Working Group Email List for developers geared to discussing general OVAL implementation issues and assisting other developers in incorporating OVAL vulnerability information into their tools.

You may sign-up for either or both lists by entering your email address (required) and other information (preferred) directly into the online form. View our Privacy Policy.

July 22, 2004

"OVAL-Compatible Products and Services" Section Added to OVAL Web site

An OVAL-Compatible Products and Services section has been added to the OVAL Web site that includes detailed information on What It Means to Be OVAL-Compatible, An Introduction to OVAL Compatibility, a graphical description of How OVAL Compatibility Improves Vulnerability Management, and the most-recent list of Declarations of OVAL Compatibility. Organizations may declare their intent to make their information security product or services OVAL-compatible and be listed on the declarations page.

"OVAL-compatible" means that a tool, service, Web site, database, or advisory/alert uses, includes, or references at least one of the following forms of OVAL data:

OVAL Vulnerability Definitions - tests that determine the presence of vulnerabilities on systems
OVAL Patch Definitions - tests that determine whether a particular patch is appropriate for a system
OVAL Compliance Definitions - tests that determine whether the configuration settings of a system meets a security policy
OVAL System Characteristics Schema - standardized format for collecting data about a system
OVAL Results Schema - standardized format for presenting data from a system evaluated by OVAL

To make a declaration of OVAL compatibility, send an email to oval@mitre.org with your company name and contact information, the type of product, the name of the product(s) or service(s), and the way in which your product is or will be OVAL-compatible.

Visit the OVAL-Compatible Products and Services section for more information and to review the latest declarations of OVAL compatibility.

ArcSight, Inc. Makes OVAL Compatibility Declaration

ArcSight, Inc. has declared that its real-time security awareness and incident response product, ArcSight 3.0, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

July 16, 2004

Schemas for Collecting and Reporting OVAL Data Posted for Review and Comment

Two new schemas have been added to the OVAL Web site to assist users and tool developers in the process of analyzing OVAL definitions. Version 1.0 of the OVAL System Characteristics Schema defines a standard format for expressing the system and configuration parameters gathered from a specific computer. The purpose of this schema is to provide a tool with a snapshot of a system's configuration at a particular point in time. Version 1.0 of the OVAL Results Schema defines a standard format for expressing the outcome of performing an analysis using OVAL definitions. The purpose of this schema is to allow tools to exchange the OVAL analysis results in a standardized format.

Both new schemas are posted with "Draft" status and are available for review on the Official OVAL Schema page. Comments and discussion about these and all schemas are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

Four Official OVAL Schemas Updated to "Accepted" Status

Version 3 of the schemas for XML, and 3.1 of the SQL schema for Windows, have been updated to Accepted status on the Official OVAL Schema page. The following schemas have been updated: OVAL XML Parent Schema, Version 3 (Accepted); Microsoft Windows Platform XML Schema, Version 3.0 (Accepted); Sun Solaris Platform XML Schema, Version 3.0 (Accepted); Red Hat Linux Platform XML Schema, Version 3.0 (Accepted); and Windows Platform SQL Schema, Version 3.1 (Accepted).

These schema updates incorporate modifications and revisions that are a direct result of feedback from users. Comments and discussion about these and all schemas are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

New OVAL Board Member

Daniel Bezilla of Secure Elements, Inc., has joined the OVAL Board.

New OVAL Board Member

James C. Foster of Computer Sciences Corporation has joined the OVAL Board.

New OVAL Board Member

David Waltermire of the Center for Internet Security has joined the OVAL Board. He replaces Hal Pomeranz, who has left the Board.

July 2, 2004

OVAL Included as Requirement in U.S. Defense Information Systems Agency Task Order for Information Assurance Applications

OVAL was included as requirement in a recent U.S. Defense Information Systems Agency (DISA) task order to DigitalNet, Inc. for information assurance applications. An article about the task order was published on June 23, 2004 in Government Computer News, which stated: "For the task order, the team will provide the United States Strategic Command with a set of applications that will scan systems for potential vulnerabilities . . . [and] . . . flag incorrect system configurations."

According to the task order itself, the "specific CVE and OVAL requirements" are: (1) "Provide a tool for "The ENTERPRISE" to notify their organization of specific vulnerabilities using Common Vulnerability Exposure (CVE) [names] and Open Vulnerability Assessment Language (OVAL) [definitions]," and (2) "Accept configuration and vulnerability-related checking requirements provided by DoD expressed on OVAL eXtensible Markup Language (XML) when available."

In addition, OVAL was referenced in 6.2.3 Subtask 3 - IA Vulnerability Schemes and ODBC Compatibility, which states: "The contractor shall incorporate configuration and vulnerability-related checking requirements provided by DoD expressed in OVAL XML. Being compatible with OVAL means that each tool should be compliant with the "OVAL interface." That interface is described on the OVAL Web site at this URL: http//:oval.mitre.org/language/#XML_format." The subtask further states: "There are XML descriptions (schema) for the OVAL language itself and three platforms currently: Microsoft Windows, Solaris, and Red Hat Linux. These descriptions comprise the OVAL interface. In addition, there are over 500 OVAL definitions for testing vulnerabilities, and a handful of definitions for testing configuration items. It's the interface that's critical for the acquisition."

The Government Computer News article concludes with the following information that the "task order was issued from the I-ASSURE contract, a $1.5 billion DISA contract vehicle issued in 2000 for the procurement of security products and services for the Defense Department." You may also read the DigitalNet, Inc. news release or the DISA task order document.

MITRE Hosts OVAL/CVE Booth at NetSec 2004

MITRE hosted an OVAL/CVE exhibitor booth at NetSec 2004 Conference & Exhibition June 15th-16th in San Francisco, California, USA. The conference exposed OVAL and CVE to a diverse audience of information security professionals including information security managers and directors; security specialists; systems analysts; network engineers; CIOs and CSOs; network and systems managers and administrators; Web masters; and technical engineers.

Conference Photos of OVAL Booth at Sixth Annual International Techno-Security Conference

MITRE hosted an OVAL/CVE exhibitor booth at the Sixth Annual International Techno-Security Conference June 6th-9th in South Carolina, USA. See photos below.

Conference Photos of OVAL Booth at the 2004 Information Assurance Workshop

MITRE hosted an OVAL/CVE exhibitor booth at the 2004 Information Assurance (IA) Workshop February 2nd-4th in Georgia, USA. See photos below.

June 14, 2004

Revised OVAL Schemas Available for Review and Comment

Draft versions of the revised OVAL Schemas have been posted for public review and comment in the Official OVAL Schema section of the OVAL Web site. These new draft schemas, updated to Version 3 for XML and 3.1 for the SQL schema for Windows, incorporate modifications and revisions that are a direct result of feedback from users. The previous "Accepted" schema versions also remain available during the review period.

The following schemas have been updated:

OVAL XML Schema, Version 3 (Draft)
Windows XML Schema, Version 3.0 (Draft)
Solaris XML Schema, Version 3.0 (Draft)
Red Hat Linux XML Schema, Version 3.0 (Draft)

Updates and revisions include a schema for Windows Active Directory information, a type parameter for OVAL definitions, better versioning information within XML files, and a notes section for better commenting within a definition.

Comments and discussion about the new drafts are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org.

OVAL Presents Briefing at SecurE-Biz CxO Security Summit

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, presented a briefing about CVE and OVAL in a discussion session entitled "Standard Building Blocks for Secure Info-Structure" on June 11th at the SecurE-Biz CxO Security Summit in Washington, D.C., USA. The theme of the conference, held June 9th - 11th, was: "Roadmaps for Enabling Secure Information Infrastructure and Cyber Defense".

MITRE Hosts OVAL/CVE Booth at Sixth Annual International Techno-Security Conference

MITRE hosted an OVAL/CVE exhibitor booth at the Sixth Annual International Techno-Security Conference June 6th - 9th in Myrtle Beach, South Carolina, USA. The conference exposed CVE and OVAL to a diverse audience of information security professionals from law enforcement and industry. In addition, OVAL Team Member and CVE Compatibility Lead, Robert A. Martin presented a briefing entitled "Managing Vulnerabilities Through Standards" on June 6th.

Visit the OVAL Calendar page for information about this and other upcoming events.

May 27, 2004

'OVAL SQL Vulnerability Definition Interpreter' for Red Hat Linux Now Available for Download

An OVAL SQL Reference Vulnerability Definition Interpreter for Red Hat Linux 9 and Red Hat Enterprise Linux 3 is now available for download for free from the OVAL Web site. A version 3.0 Windows SQL Reference Interpreter that supports Windows NT 4.0, 2000, XP, and Server 2003 is also available.

The free download consists of the Interpreter and schemas for the platform. The most-recent data files (i.e., all "Accepted" and "Interim" definitions and the license agreement) for the Interpreters are available from the OVAL Data Files page. See the Download the Definition Interpreter page for more information and a copy of the GNU license agreement.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, May 13, 2003, with twelve Board members and others participating. Topics included OVAL status updates; proposed schema modifications; input (system characteristics) and output (OVAL results) schemas for the Vulnerability Definition Interpreter, and there other potential uses; OVAL for applications beyond vulnerability assessment; OVAL compatibility; and strategies for increasing community involvement in OVAL. You may also read the complete meeting minutes.

OVAL Main Topic of Article in Security Wire Perspectives Article

OVAL was the main topic of a May 17, 2004 article in Security Wire Perspectives published by Information Security, entitled "Security Patches Got You Running in Circles?" Written by OVAL Team Member Robert A. Martin, the article describes what OVAL is and how system administrators would have an easier time managing patches if their vendor's security advisories included OVAL definitions. This is important because OVAL definitions include "ways of testing for vulnerable software, patches and workarounds."

The article also addresses the question of why organizations should adopt OVAL: "Why recommend OVAL? It will save your system and security administrators time, and that translates to lower overhead for you. They can also secure your systems more quickly because they can apply the workarounds and won't have to wait to deploy a patch. Scanning tools will immediately report on successful mitigation, showing the success of any workarounds your system and security administrators have implemented whether or not they applied the patches."

The article also discussed the OVAL Board, CVE, and the benefits of participating in this development of OVAL vulnerability data as part of the OVAL Community Forum. The article also provided a link to the OVAL Web site.

Sponsors Page Added to OVAL Web Site

A Sponsors page has been added to the OVAL Web site that identifies US-CERT at the U.S. Department of Homeland Security as the sponsor of the OVAL effort. The new page also provides general information about US-CERT as well as about the relationship between OVAL and US-CERT.

May 13, 2004

OVAL to Present Briefing at SecurE-Biz CxO Security Summit

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, is scheduled to present a briefing about OVAL and CVE in a discussion session entitled "Standard Building Blocks for Secure Info-Structure" on June 11th at the SecurE-Biz CxO Security Summit at the Marriott Metro Center in Washington, D.C., USA. The theme of the conference, scheduled for June 9th - 11th, is: "Roadmaps for Enabling Secure Information Infrastructure and Cyber Defense."

OVAL and CVE Included as Chapter in Book on Software Quality Management

OVAL and CVE were included as a chapter of Proceedings of Software Quality Management XII - New Approaches to Software Quality, published in April 2004 by The British Computer Society. A chapter entitled "CVE and OVAL - International Security Standards That Are Making A Difference" was included in "Section 2 - Standards," and was written by OVAL Team Member and CVE Compatibility Lead Robert A. Martin.

May 7, 2004

MITRE to Host OVAL/CVE Booth at Sixth Annual International Techno-Security Conference

MITRE is scheduled to host an OVAL/CVE exhibitor booth at the Sixth Annual International Techno-Security Conference on June 6th - 9th at the Marriott Resort at Grande Dunes in Myrtle Beach, South Carolina, USA. The conference will expose CVE and OVAL to a diverse audience of information security professionals from law enforcement and industry. In addition, OVAL Team Member and CVE Compatibility Lead Robert A. Martin will present a briefing entitled "Managing Vulnerabilities Through Standards" on June 6th.

MITRE to Host OVAL/CVE Booth at NetSec 2004 Conference & Exhibition

MITRE is scheduled to host an OVAL/CVE exhibitor booth at NetSec 2004 Conference & Exhibition on June 15th - 16th at the Hyatt Regency Embarcadero in San Francisco, California, USA. The conference will expose CVE and OVAL to a diverse audience of information security professionals including information security managers and directors; security specialists; systems analysts; network engineers; CIOs and CSOs; network and systems managers and administrators; Web masters; and technical engineers. The conference covers "a broad array of topics, including awareness, privacy, policies, wireless security, VPNs, remote access, Internet security and more."

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL Presents Briefing at 16th Annual Systems & Software Technology Conference

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, presented a briefing entitled "Vulnerability Management with Industry Standards (CVE & OVAL)" on April 20th at the 16th Annual Systems & Software Technology Conference in Salt Lake City, Utah, USA. The conference, held April 19th - 20th, was co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension.

April 22, 2004

OVAL XML Vulnerability Definition Interpreters for Microsoft Windows and Red Hat Linux Now Available for Download

The OVAL XML Reference Vulnerability Definition Interpreters for Microsoft Windows and Red Hat Linux are now available for download for free from the OVAL Web site. The Windows Interpreter supports Windows NT 4.0, 2000, XP, and Server 2003. The Red Hat Interpreter supports Red Hat Linux 9 and Red Hat Enterprise Linux 3. The Interpreter source code is also available for both platforms.

MITRE developed the Reference Definition Interpreters to demonstrate the usability of OVAL definitions, and for definition writers to use to ensure correct syntax and adherence to the OVAL Schema during the development of draft definitions. It is not a fully functional scanning tool and has a simplistic user interface, but running the Definition Interpreter will provide you with a list of the CVE names determined by OVAL to be present on the system. This list is in a format that can easily be incorporated into other information security tools.

The free download consists of the Interpreter and associated schemas for the platforms. The most-recent data files (i.e., all "Accepted" and "Interim" definitions and the license agreement) for the Interpreters are available from the OVAL Data Files page.

See the Download the Definition Interpreter page for more information and a copy of the license agreement.

April 16, 2004

OVAL to Present Briefing at 16th Annual Systems & Software Technology Conference

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, is scheduled to present a briefing entitled "Vulnerability Management with Industry Standards (CVE & OVAL)" on April 20th at the 16th Annual Systems & Software Technology Conference at the Salt Palace Convention Center, Salt Lake City, Utah, USA.

The conference, to be held April 19th - 20th, aims to "provide information and training on software engineering issues and technologies" to a wide range of software professionals from the military services, government agencies, defense contractors, industry, and academia. The event is co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension.

Senior Advisory Council Holds Meeting

The CVE Senior Advisory Council, which also provides oversight for the OVAL effort, held a meeting on Tuesday, April 6, 2004. The meeting included status updates on the OVAL effort, including a discussion of the XML Reference Definition Interpreters; status updates on the CVE Initiative focusing on the recent milestone of 14 products and services from 10 organizations achieving official CVE-compatible status and the CVE compatibility awards ceremony held at RSA 2004; a discussion of the roles of CVE and OVAL in automating information assurance and vulnerability management; and a presentation by US CERT.

MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. Visit the CVE Web site to view a list of the advisory council members or to read a copy of the council charter.

April 7, 2004

OVAL Introduces Free Newsletters

OVAL is now offering two free e-newsletters that you can receive directly in your email mailbox:

"OVAL-Announce" - provides general news about OVAL, such as OVAL data and schema updates, new Web site features, upcoming conferences, references to OVAL in the news media, etc.
"OVAL-Data-Updates" - reports of new and modified OVAL vulnerability definitions, data file updates, OVAL schema updates, new Vulnerability Definition Interpreter versions, and other detailed technical information regarding OVAL.

The newsletters are sent once per week or less, and you may sign-up for either or both lists. View our Privacy Policy.

OVAL Presents Briefing at 12th International British Computer Society Conference on Software Quality Management

Robert A. Martin, OVAL Team Member and CVE Compatibility Lead, presented a briefing entitled "CVE and OVAL˜International Security Standards that Are Making a Difference" at the 12th International British Computer Society Conference on Software Quality Management at Christ Church University College, Canterbury, Kent, UK. The conference, held April 5th - 7th, aimed to, aims to "promote cooperation and greater understanding [of software quality management] among practitioners and academics by providing an opportunity to share research and practical experience."

MITRE Hosts OVAL/CVE Booth at InfoSec World Conference and Expo/2004, March 22nd-24th

MITRE hosted an OVAL/CVE exhibitor booth at MISTI's InfoSec World Conference and Expo/2004 on February 22nd - 24th at the Rosen Centre Hotel in Orlando, Florida, USA. The conference was successful and exposed OVAL and CVE to a diverse audience of information security policy and decision makers from the banking, finance, real estate, insurance, and health care industries, among others.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

See photos below:

Conference Photos of OVAL Booth at RSA 2004

MITRE hosted an OVAL/CVE exhibitor booth at RSA Conference 2004 on February 23rd - 27th in San Francisco, California, USA. See photos below.

March 10, 2004

Three Official OVAL Schemas Updated to "Accepted" Status

The combined official OVAL Schema for Microsoft Windows, Version 3 has been updated from "Interim" to "Accepted" status. This new schema combines previously separate schemas for four Windows operating system (OS) platforms into a single, all-encompassing schema that supersedes all previous Microsoft schema versions. In addition, the OVAL Schemas for Sun Solaris 7, 8 and 9 and Red Hat Linux have been updated from "Interim" to "Accepted" status.

All OVAL vulnerability definitions use the common OVAL Schema to keep definitions consistent and standardized for each platform. Approved by the OVAL Board, each OVAL Schema is operating system-specific, specifies how to refer to configuration parameters in definitions, uses the operating system vendors' naming conventions, and defines what system data to collect and how to collect it.

Visit the Official OVAL Schema page for information on these and all supported platforms.

XML OVAL Schemas Updated to "Interim" Status

The core Official OVAL XML Schema, which describes the basics of the format, has been updated from "Draft" to "Interim" status. In addition, the three individual XML-format schemas for each of the OS platforms currently supported in XML have been updated from "Draft" to "Interim" status: Windows XML Schema, Solaris XML Schema, and Red Hat Linux XML Schema.

Visit the Official OVAL Schema page for information on these and all supported platforms.

Downloads Page Added to OVAL Web Site

A Downloads page has been added to the OVAL Web site that provides one-stop access to MITRE's free OVAL downloads including the OVAL Definition Interpreters, interpreter source code, OVAL data files, and the Official OVAL Schema. As always, the OVAL vulnerability definitions themselves are available on the Get OVAL Vulnerability Definitions page. MITRE offers this information free to the public to expand the usefulness of OVAL throughout the cyber security community as well to help enhance the overall state of computer security.

March 3, 2004

OVAL Web Site Enhanced to Support XML Specification for OVAL Data

The OVAL Web site has been updated to fully support XML as a specification for OVAL vulnerability data. All Draft, Interim, and Accepted vulnerability definitions posted on the Get OVAL Vulnerability Definitions page are now displayed in both Extensible Markup Language (XML) format and Structured Query Language (SQL) format for each OVAL-ID. Initial Submission definitions, which are not yet reviewed by the OVAL Editor and may be incomplete or awaiting outstanding information, will be posted in XML, SQL, or both formats, depending on the individual authors submitting the definitions.

Comments and discussion on vulnerability definitions or other previously posted OVAL content are welcome on the OVAL Community Forum Email List, or you may contact us directly at oval@mitre.org. Refer to the Official OVAL Schema page to learn more about the XML and SQL specifications for OVAL data.

OVAL Web Site Receives "Certificate of CVE Compatibility" in Awards Ceremony at RSA Conference 2004

The OVAL Web site has achieved the final stage of the formal Common Vulnerabilities and Exposures (CVE) Compatibility Process and was recognized as officially "CVE-compatible" in an awards ceremony on Tuesday, February 24th at RSA Conference 2004, in San Francisco, California, USA. OVAL was one of 14 information security products and services from 10 organizations that achieved the final phase of full CVE compatibility and are now recognized as officially CVE-compatible. Each organization was presented with a "Certificate of CVE Compatibility" for each product or service that achieved this accomplishment.

OVAL received a "Certificate of CVE Compatibility" at MITRE's compatibility awards ceremony at RSA 2004. Pictured from left to right are OVAL/CVE team members Bob Martin and Drew Buttner; John Payton, US-CERT/DHS; and OVAL/CVE team members Steve Christey, Margie Zuk, Pete Tasker, and Julie Connolly.

The OVAL Web site now displays the official CVE-Compatible logo on the Get OVAL Vulnerability Definitions page and on the Statement of CVE Compatibility page. Visit OVAL's Statement of CVE Compatibility page to learn more about OVAL's compatibility, and the CVE Web site to learn more about CVE and CVE compatibility.

MITRE to Host OVAL/CVE Booth at InfoSec World Conference and Expo/2004, March 22nd-24th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at MISTI's InfoSec World Conference and Expo/2004 on March 22nd - 24th at the Rosen Centre Hotel in Orlando, Florida, USA. The conference will expose OVAL and CVE to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals.

Visit the OVAL Calendar page for information on this and other upcoming events.

MITRE Hosts OVAL/CVE Booth at RSA Conference 2004, February 23rd-27th

MITRE hosted an OVAL/CVE exhibitor booth at RSA Conference 2004 on February 23rd - 27th in San Francisco, California, USA. The conference introduced OVAL and CVE to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products or initiatives. Visit the OVAL Calendar page for information on this and other upcoming events.

MITRE Hosts OVAL/CVE Booth at the 2004 Information Assurance Workshop, February 2nd-4th

MITRE hosted an OVAL/CVE exhibitor booth at the 2004 Information Assurance (IA) Workshop in Atlanta, Georgia, USA, February 2nd-4th. The purpose of the workshop, which was hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, was to provide a forum for the IA community on relevant IA topics that have been aligned with the goals of DOD IA strategy. The event was successful and introduced OVAL and CVE to representatives of the Department of Defense (DOD) and other Federal Government employees and their sponsored contractors. Visit the OVAL Calendar page for information on this and other upcoming events.

February 11, 2004

Combined OVAL Schema for Windows Updated to "Interim" Status

The combined official OVAL Schema for Microsoft Windows, Version 3 has been updated from "Draft" to "Interim" status. This new schema combines previously separate schemas for Microsoft Windows 2000, Microsoft Windows NT 4.0, Microsoft Windows XP, and Microsoft Windows Server 2003 into a single, all-encompassing schema. It supersedes all previous schema versions for the Microsoft operating systems.

All OVAL queries and vulnerability definitions use the common OVAL Schema to keep queries and definitions consistent and standardized for each platform. Approved by the OVAL Board, each OVAL Schema is operating system-specific, specifies how to refer to configuration parameters in queries and definitions, uses the operating system vendors' naming conventions, and defines what system data to collect and how to collect it.

Visit the Official OVAL Schema page for information on these and all supported platforms.

MITRE to Host OVAL/CVE Booth at the RSA Conference 2004, February 23rd-27th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at RSA Conference 2004 on February 23rd - 27th in San Francisco, California, USA. The conference will introduce OVAL and CVE to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products. Please stop by Booth 1530 and say hello.

January 23, 2004

OVAL Effort Surpasses 500+ Queries Milestone

OVAL has achieved a major milestone with 513 queries now posted on the OVAL Web site. As of this site update, there are 111 Accepted, 71 Interim, 102 Draft, and 229 Initial Submission queries available for users.

OVAL began in December 2002 with a total of 72 queries for three initially supported platforms—Windows NT 4.0, Windows 2000, and Sun Solaris 7/8. Since the launch of OVAL just over one year ago, we have increased the total number of queries by 444 to the current total of 513; added support for six additional operating systems: Windows XP, Windows Server 2003, Sun Solaris 9, Red Hat Linux, Debian Linux, and Hewlett-Packard UNIX; and registered 124 participants on the OVAL Community Forum Email List and 55 participants on the OVAL Developer's Email List.

As always, active participation is important to the success of the OVAL effort. See the Community Forum page to join the OVAL Community Forum Email List or OVAL Developer's Email List, then visit the How to Participate on the OVAL Community Forum page for the specific and detailed ways in which you may help the effort.

Five Official OVAL Schemas Updated to "Interim" Status

The following five OVAL Schemas have been updated from "Draft" to "Interim" status: Microsoft Windows 2000, Version 2; Microsoft Windows NT 4.0, Version 2; Microsoft Windows Server 2003; Sun Solaris 7, 8 and 9, Version 2; and Red Hat Linux.

All OVAL queries use the common OVAL Schema to keep queries consistent and standardized for each platform. Approved by the OVAL Board, each OVAL Schema is operating system-specific, specifies how to refer to configuration parameters in queries, uses the operating system vendors' naming conventions, and defines what system data to collect and how to collect it.

Visit the Official OVAL Schema page for information on these and all supported platforms.

January 16, 2004

OVAL Board Member Jay Beale to Present Briefing about OVAL at LinuxWorld

OVAL Board member Jay Beale of Bastille Linux is scheduled to present a briefing about OVAL at the LinuxWorld Conference & Expo on January 21st at the Javits Center, New York City, New York, USA. The talk, entitled "Host-based Vulnerability Assessment with OVAL," is targeted to system administrators of all ability levels and anyone who needs to discuss and track operating system vulnerabilities. The conference itself is scheduled from January 20th-23rd.

January 9, 2004

Search Feature Added to OVAL Web Site

A keyword search feature has been added to the OVAL Web site using Google Search. Users can now search the OVAL site—including technical vulnerability data, the discussion archives, and all other pages on the site—by typing in a specific term, or multiple keywords separated by a space.

Specifically, users may search the OVAL Web site for or by, any of the following:

Keyword - a specific term or multiple keywords
OVAL-ID - search for an individual OVAL query by its OVAL-ID (e.g., "OVAL733")
CVE Name - to see all OVAL queries for a specific CVE entry (e.g., CVE-1999-0067) or candidate number (e.g., CAN-1999-0067)
Software Application - search for all OVAL queries associated with a particular software application by entering the application name and version number as the keywords (e.g., "Microsoft Word 6.0")
Discussion Archives - any reference(s) to your keyword(s) in the Community Forum and OVAL Board discussion archives will be listed in the search results

Refer to the Search the OVAL Web Site page for more information, or to perform a search.

OVAL Statistics Page Added to OVAL Web Site

An OVAL Statistics page has been added to the OVAL Web site that provides an overview by operating system and query status of the number of queries currently posted on the site. The current grand total, and totals by operating system, are also provided.

MITRE to Host OVAL/CVE Booth at the 2004 Information Assurance Workshop, February 2nd-4th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at the 2004 Information Assurance (IA) Workshop in Atlanta, Georgia, USA, February 2nd - 4th. The purpose of the workshop—which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands—is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce OVAL and CVE to representatives of the DOD and other Federal Government employees and their sponsored contractors.

Page Last Updated: March 05, 2013

News & Events

Calendar

Industry News Coverage

Press Center

RSS Feeds

Free Newsletter

Items of Interest

News & Events Archive

Board Meetings

Developer Days

Open Vulnerability and Assessment Language

News and Events - 2004 Archive