News and Events - 2005 Archive

December 30, 2005

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, December 15, 2005, with 18 Board members and others participating. Topics included OVAL status updates on Version 5; a progress report on Patch Definitions; OVAL and OVAL-ID Compatibility Program updates, particularly compatibility testing; and OVAL at RSA 2006 in February. You may also read the complete meeting minutes.

OVAL1433 Addresses 0-Day Vulnerability

OVAL1433 addresses "Microsoft Security Advisory (912840): Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution," originally issued on December 28, 2005, that involves a flaw in how Windows XP and Windows Server 2003 handle corrupt WMF/EMF image files. All Windows XP and Server 2003 installations are vulnerable, including those that are fully patched.

The user must take action to open the image file, but these files can be sent via email or instant message, or downloaded by an unsuspecting Web surfer. Reports say the vulnerability can allow the attacker to take full control of the affected system. There is no patch or Hotfix currently available, but Microsoft encourages users to keep their anti-virus and anti-spyware software up-to-date and to employ a firewall.

OVAL Vulnerability Definition OVAL1433—submitted by ThreatGuard, Inc.—tests for this "0-day vulnerability" (i.e., a known vulnerability for which there is currently no patch available).

December 22, 2005

OVAL Celebrates 3 Years

OVAL began three years ago this month as a new community baseline standard for how vulnerabilities could be identified on local computers. Since that time the initiative has grown significantly and is now a developing international, information security community standard for how to check for the presence of vulnerabilities and configuration issues on computer systems. Highlights of our progress are noted below.

OVAL Schemas

When OVAL began we used Structured Query Language (SQL) for the official OVAL Schema and OVAL queries in SQL to perform the tests. In late 2003, at the request of the community and because of the limits of SQL, we adopted Extensible Markup Language (XML) as the official format for writing OVAL schemas and the XML definitions that perform the tests. OVAL has also grown from a single schema for writing the tests into three separate schemas, one for each step of the overall process: an OVAL System Characteristics Schema for collecting the information, OVAL Definition Schema for writing the tests, and OVAL Results Schema for presenting the results of the tests. The individual tests are standardized, machine-readable XML Vulnerability, Compliance, and Patch Definitions that are hosted in our OVAL Repository. We also created a free OVAL Reference Definition Interpreter to demonstrate the usability of the OVAL Schemas and to carry out OVAL definitions for the Microsoft Windows and Red Hat Linux platforms. We are now on Version 4.2 of the Official OVAL Schemas, and are working on Version 5.

OVAL Repository

In the beginning, OVAL focused only on tests for vulnerabilities, each of which was based on a CVE Name from Common Vulnerabilities and Exposures. When we moved from SQL to XML we expanded the OVAL Repository to include OVAL Vulnerability Definitions, Compliance Definitions, and Patch Definitions. These community-developed tests definitively determine whether the specified vulnerability, configuration issue, or patch is present on a system. Currently, there are 1,010 definitions for Microsoft Windows, 253 definitions for Red Hat Linux, 138 definitions for Sun Solaris, and 17 definitions for HP-UX for a grand total of 1,418 definitions now available to the public for incorporation into information security products and services. More definitions are being added each week.

Community Participation

Since the beginning the OVAL effort has been industry-endorsed via the OVAL Board and through community participation on the OVAL Community Forum and OVAL Developer's List, ensuring that the OVAL schemas and definitions reflect the combined expertise of the broadest possible group of security and system administration professionals worldwide. Community endorsement is further emphasized by the numerous organizations that are listed on the Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility pages stating that their information security products and services are, or will be, compatible with OVAL.

In addition, recent significant participation by the OVAL community includes the contribution of component schemas by the Center for Internet Security for Apple Macintosh beginning with Version 4.0 and ThreatGuard, Inc. for HP-UX (Hewlett Packard UNIX) with Version 4.2. ThreatGuard has also contributed numerous OVAL definitions to the OVAL Repository, including the first-ever HP-UX vulnerability definitions in December 2005. Visit the Community Participation page to see the specific ways in which you or your organization can contribute.

OVAL Board

The OVAL Board, which approves the Official OVAL Schemas and evaluates and comments on OVAL Definitions, includes members from major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions from around the world. The Board began with 17 members from 13 organizations and has since grown to 39 members from 36 organizations.

Compatible Products and Services

In July 2004 we added an OVAL-Compatible Products and Services program and in November 2005 launched an official "OVAL and OVAL-ID Compatibility Process" for organizations wishing to make their products or services OVAL-compatible and/or OVAL-ID compatible. The formal process includes compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the Requirements and Recommendations for OVAL and OVAL-ID Compatibility document, and a "branding program" with an official compatibility logo for vendors to include with their products. This process, which ultimately includes publication of the organization's statement on the OVAL Web site along with the use of the Official OVAL and OVAL-ID Compatible logo, allows end users and prospective customers of OVAL and OVAL-ID Compatible Products and Services to compare how the products satisfy the compatibility requirements and to more easily determine which specific implementations are best for their networks and systems.

There are now OVAL Compatibility Declarations for 24 products and services from 13 organizations around the world and OVAL-ID Compatibility Declarations for 12 products and services from 9 organizations around the world.

Our Three-Year Anniversary

We thank all of you who have in any way promoted the OVAL effort, used the OVAL schemas and definitions, and/or adopted OVAL or OVAL-ID compatible products or services for your enterprise. We would also like to thank our sponsors throughout these three years, US-CERT at the U.S. Department of Homeland Security, for their past and current funding and support. We welcome any comments or feedback about OVAL or the OVAL Repository at oval@mitre.org.

ThreatGuard, Inc. Contributes 17 HP-UX OVAL Definitions

OVAL community member ThreatGuard, Inc. has contributed the first-ever OVAL vulnerability definitions for the HP-UX (Hewlett Packard UNIX) platform. These 17 new definitions are posted on the OVAL Definitions page, and are in addition to the many definitions for other platforms previously submitted by ThreatGuard. ThreatGuard also contributed the HP-UX Component Schema to Version 4.2 of OVAL released on December 2, 2005 (see "Two Organizations Contribute Component Schemas for Version 4.2"). OVAL community participation is important for the development of new definitions and new component schemas, and such contributions help the OVAL effort to further build the repository of OVAL definitions and to add support for more platforms.

To participate in the OVAL effort, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest and/or ways you would like to contribute. Alternatively, you may send an email to oval@mitre.org. We welcome your participation.

December 16, 2005

OVAL to Host Booth at Homeland Security for Networked Industries 2006 Conference & Expo in January

MITRE is scheduled to host an OVAL/CVE/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. The conference is "the first of its kind to encourage cross-industry collaboration on network security issues pertinent to America's critical infrastructures [or those] networks which serve as the backbone for daily life for the American public." It is "an opportunity to listen and network with IT decision makers from a variety of networked industries including utilities, telecom and transportation as well as government."

Organizations listed in the Compatible Products and Services section will also be exhibiting. Please stop by Booth 117, or any of these booths, and say hello.

Updated Version 5.0 Draft OVAL Schemas Now Available

Fourth drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.

Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

December 8, 2005

Two Organizations Contribute Component Schemas for Version 4.2

Two members of the OVAL community—ThreatGuard, Inc. and the Center for Internet Security—contributed Component Schemas to Version 4.2 of OVAL released on December 2, 2005. ThreatGuard developed the component schema for HP-UX (Hewlett Packard UNIX), and the Center for Internet Security developed the component schema for Apple Macintosh (MacOS was originally developed for Version 4.0). OVAL community participation is important for the development of new component schemas, and such contributions help keep the OVAL effort growing and supporting more platforms.

Component schemas are used to define the specific tests necessary to determine the presence of vulnerabilities, configuration issues, and patches on a specific platform. Other component schemas include Microsoft Windows, Sun Solaris, Red Hat Linux, Debian Linux, UNIX, and Cisco IOS. Working with these component schemas is a core or "parent" schema that provides the general format for an OVAL Definition and a place for expressing platform-independent metadata (e.g., the CVE identifier). See the Official OVAL Schemas page for details.

To participate in the OVAL initiative, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest and/or ways you would like to contribute. Alternatively, you may send an email to oval@mitre.org. We welcome your participation.

New OVAL Board Member

Nils Puhlmann of Mindjet Corporation has joined the OVAL Board.

New OVAL Board Member

Gregory Toto of BigFix, Inc. has joined the OVAL Board.

OVAL Mentioned in Article about National Vulnerability Database on SecurityFocus.com

OVAL was mentioned in a December 2, 2005 article about the U.S. National Vulnerability Database (NVD) entitled "Federal flaw database commits to grading system" on SecurityFocus.com. OVAL is mentioned as follows: "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... [and] CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... " NVD, OVAL, and CVE are sponsored by the U.S. Department of Homeland Security.

December 2, 2005

Official OVAL Schemas Updated to Version 4.2

Version 4.2 of the OVAL Schemas is now available on the Official OVAL Schemas page. The OVAL Definition Interpreters, Interpreter Source Code, and Data Files have also been updated.

Version 4.2 of the OVAL Schema includes the following: addition of a component schema for HP-UX (submitted by ThreatGuard, Inc.); modification to the OVAL-ID format; deprecation of the rpmversioncompare_test of the redhat schema; addition of the evr_version element to the rpminfo_test of the redhat schema; addition of the signature_keyid to the rpminfo_test of the redhat schema; addition of the rpmversion datatype; and addition of the ability to include more than one reference. All of the updates incorporate modifications and revisions that are a direct result of feedback from users.

The following schemas have been updated to Version 4.2 for the OVAL Core schemas and the component (Independent, Apple Macintosh, Cisco IOS, Debian Linux, HP-UX, Microsoft Windows, Red Hat Linux, Sun Solaris, and UNIX) schemas:

The following are also available for using Version 4.2 of OVAL:

The previous versions of the OVAL schemas, definitions, Definition Interpreters, Interpreter source code, and data files have been archived. Visit the Official OVAL Schemas page for the latest information on Version 4.2.

Updated Version 5.0 Draft OVAL Schemas Now Available

Third drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.

Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

PatchLink Corporation Makes Declaration of OVAL and OVAL-ID Compatibility

PatchLink Corporation declared that its enterprise patch management system, PatchLink Update, will be OVAL-compatible and OVAL-ID compatible. For additional information about this and other OVAL and OVAL-ID compatible products and services, visit Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility.

ThreatGuard, Inc. Issues Press Release Announcing Receipt of Two Certificates of OVAL and OVAL-ID Compatibility

OVAL and OVAL-ID compatibility was the main topic of a November 14, 2005 press release by ThreatGuard, Inc. entitled "Threatguard Receives First OVAL Compatibility Awards from MITRE." In the release ThreatGuard announces that its ThreatGuard and ThreatGuard Traveler products both received Official Certificates of OVAL and OVAL-ID Compatibility on November 14, 2005 in an award ceremony at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA.

The release, which also describes OVAL and OVAL compatibility, includes a quote by Rob Hollis, ThreatGuard's Director of Product Development and an OVAL Board Member, who states: "We are quickly approaching our first anniversary of fielding OVAL in our operational products. That should give a clear indication of how dedicated we are to the project. We're not waiting around to see what the industry will do with OVAL. We believe it's the right direction for the industry so we're doing what we can to help drive the effort."

November 2005 OVAL Compatibility Awards
Rob Hollis, ThreatGuard's Director of Product Development (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.

For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Citadel Security Software Inc. Issues Press Release Announcing Receipt of Certificate of OVAL and OVAL-ID Compatibility

OVAL and OVAL-ID compatibility was the main topic of a November 15, 2005 press release by Citadel Security Software Inc. entitled "Citadel Security Software Awarded Certificate of OVAL Compatibility." In the release Citadel announces that its Hercules product has been "certified as fully compliant and compatible with MITRE's Open Vulnerability [and] Assessment Language OVAL-ID[s] and OVAL Results Schema, a standardized format for presenting data from a system evaluated by OVAL, enabling customers to remediate vulnerabilities identified by OVAL-compatible scanning tools." Citadel received the Official Certificate of OVAL and OVAL-ID Compatibility on November 14, 2005 in an award ceremony at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA.

The release, which also describes the goals of OVAL and OVAL compatibility, includes a quote by Carl Banzhof, CTO of Citadel Security Software and an OVAL Board Member, who states: "We are proud to contribute to the leadership efforts on providing interoperability standards for the global security community with OVAL compatibility. Through our work with DISA we understand why federal agencies rely on OVAL vulnerability identification and reporting standards and are dedicated to providing the compatibility and integration that can greatly ease their vulnerability management burden."

November 2005 OVAL Compatibility Awards
Kent Landfield, Citadel's Security Group Director (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.

For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Certificate of OVAL and OVAL-ID Compatibility Awarded to ArcSight, Inc.

ArcSight, Inc. was recently presented with a "Certificate of OVAL and OVAL-ID Compatibility" for its ArcSight ESM product. MITRE held an awards ceremony on November 14, 2005 at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA, to award compatibility certificates.

November 2005 OVAL Compatibility Awards
Mike Boehm, of ArcSight's Public Sector Group (right), and Robert Martin, OVAL Compatibility Lead, at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.

For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

Photo of First-Ever OVAL Compatibility Awards Ceremony

Four information security products and services from three organizations received "Certificates of OVAL and OVAL-ID Compatibility" at MITRE Corporation's awards ceremony held November 14, 2005 at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA, and are now officially "OVAL and OVAL-ID Compatible." All three organizations participated in the ceremony, including ArcSight, Inc., Citadel Security Software Inc., and ThreatGuard, Inc. See photo below.

November 2005 OVAL Compatibility Awards
Mike Boehm, of ArcSight's Public Sector Group; Robert Martin, OVAL Compatibility Lead; Kent Landfield, Citadel's Security Group Director; and Rob Hollis, ThreatGuard's Director of Product Development; at MITRE's compatibility awards ceremony at CSI Conference & Exhibition.

OVAL Working Group Holds Teleconference

OVAL's Patch Definition Working Group held a teleconference meeting on Tuesday, November 1, 2005, with eight members participating. Those interested may read the complete meeting minutes. Minutes from other working groups are also available on the Discussion Archives page.

To participate in the OVAL initiative or on an OVAL working group, first subscribe to the OVAL Community Forum or OVAL Developer's Email List. After receiving a confirmation verifying your addition to the list, submit a message expressing your area(s) of interest. We welcome your participation.

November 17, 2005

Updated Version 5.0 Draft OVAL Schemas Now Available

Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been updated and posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.

Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Hosts Booth at 32nd Annual CSI Conference

MITRE hosted an OVAL/CVE/CME exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, in Washington, D.C., USA. The conference exposed OVAL, CVE, and CME to information security and network professionals from industry, academia, and government.

Organizations listed in the OVAL-Compatible Products and Services section also exhibited and "Certificates of OVAL and OVAL-ID Compatibility" were presented in an awards ceremony to three organizations for four products and services that are now considered officially OVAL and OVAL-ID Compatible. See "4 Information Security Products/Services Are Now Registered as Officially 'OVAL and OVAL-ID Compatible'" for more information.

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at FIRST Technical Colloquium

OVAL Team Member Drew Buttner presented a briefing about OVAL entitled "OVAL Schema" at the FIRST Technical Colloquium on November 16, 2005, in Redwood Shores, California, USA. The event, which ran November 14th-16th, provided a "discussion forum for FIRST [Forum of Incident Response and Security Teams] member teams to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams."

Visit the OVAL Calendar page for information about this and other upcoming events.

November 14, 2005

4 Information Security Products/Services Are Now Registered as Officially "OVAL and OVAL-ID Compatible"

Four information security products and services from three organizations have achieved the final stage of MITRE's formal OVAL and OVAL-ID Compatibility Process and are now officially "OVAL and OVAL-ID compatible." Each product is now eligible to use the OVAL and OVAL-ID Compatible Product/Service logo, and their completed and reviewed "OVAL/OVAL-ID Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings in the Compatible Products and Services section on the OVAL Web site.

The following products are now registered as officially "OVAL and OVAL-ID Compatible":

ArcSight, Inc. - ArcSight ESM
Citadel Security Software Inc. - Hercules
ThreatGuard, Inc. - ThreatGuard
ThreatGuard, Inc. - ThreatGuard Traveler

Use of the official OVAL and OVAL-ID Compatible Product/Service logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the OVAL and OVAL-ID compatibility requirements, and therefore which specific implementations are best for their networks and systems.

An awards ceremony was held today at the 32nd annual CSI Computer Security Conference & Exhibition in Washington, D.C., USA, to present Certificates of OVAL and OVAL-ID Compatibility to the organizations that have achieved this final phase. All three organizations participated in the ceremony, including ArcSight, Inc., Citadel Security Software Inc., and ThreatGuard, Inc.

For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL and OVAL-ID Compatibility Process, Declarations of OVAL Compatibility, and Declarations of OVAL-ID Compatibility.

BigFix, Inc. Makes Declaration of OVAL-ID Compatibility

BigFix, Inc. declared that its real-time security configuration management suite, BigFix Enterprise Suite, will be OVAL-ID compatible. BigFix Enterprise Suite is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

OVAL to Present Briefing at FIRST Technical Colloquium

OVAL Team Member Drew Buttner is scheduled to present a briefing about OVAL entitled "OVAL Schema" at the FIRST Technical Colloquium on November 16, 2005, in Redwood Shores, California, USA. The event, which runs November 14th-16th, provides a "discussion forum for FIRST [Forum of Incident Response and Security Teams] member teams to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams."

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at VISION 2005

OVAL Editor Matthew N. Wojcik presented a briefing about OVAL and CVE entitled "Enablers to Cybersecurity Transformation" in the "Protection of Information" track at The Shepard Group's VISION 2005 on November 8, 2005, at Ibis London Earl's Court, UK. The conference itself ran November 7th - 9th.

Visit the OVAL Calendar page for information about this and other upcoming events.

November 4, 2005

Release Candidates of the Version 4.2 OVAL Schemas Now Available

Version 4.2 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 4.2 page. The Version 4.2 Schemas are currently scheduled to move to the Official stage on December 2, 2005.

OVAL Initiative Announces OVAL Compatibility Process and New Compatibility Logo

MITRE has created an "OVAL and OVAL-ID Compatibility Process" for organizations wishing to make their products or services OVAL-compatible and/or OVAL-ID compatible. The new process includes formal compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the OVAL and OVAL-ID compatibility requirements, and a "branding program" with an official OVAL and OVAL-ID compatibility logo for vendors to include with their products and for system administrators and other security professionals to look for when adopting vulnerability management products and services for their enterprise.

Specifically, the expanded OVAL and OVAL-ID Compatibility Process involves two phases:

(1) Declaration Phase: The organization declares its intent to make its product(s) and/or service(s) OVAL and/or OVAL-ID compatible by providing MITRE with such basic information as company name and contact information, the type of product, and the name of the product or service. Once the declaration is reviewed, the organization will be listed on the Declarations of OVAL Compatibility page and/or Declarations of OVAL-ID Compatibility page of the OVAL Web site, provided the products or services are commercially available when we post the declaration.

(2) Evaluation Phase: The organization completes an "OVAL and OVAL-ID Compatibility Requirements Evaluation" questionnaire that specifically states the details of how the organization has satisfied the "Requirements and Recommendations for OVAL and OVAL-ID Compatibility" document. While the second phase takes more effort than the first, it has been designed to minimize the expense for both the submitting organization and MITRE. This approach avoids an evaluation process that would make it too expensive for freeware or smaller software vendors to obtain compatibility. By using the questionnaire and statement of compatibility, the level of effort is kept reasonable, while making a good effort to verify that the submitting organization properly understands and correctly implements the OVAL and OVAL-ID compatibility requirements. (An organization must complete phase 1 before starting phase 2.)

This new compatibility process, which ultimately includes publication of the organization's statement on the OVAL Web site and an OVAL and OVAL-ID compatibility logo for use on their products or services, allows end users and prospective customers of OVAL and OVAL-ID compatible products and services to compare how different products satisfy the compatibility requirements and which specific implementations are best for their networks and systems.

ThreatGuard, Inc. Makes Declaration of OVAL and OVAL-ID Compatibility

ThreatGuard, Inc. declared that its threat management product, ThreatGuard Traveler, is OVAL-compatible and OVAL-ID compatible. The ThreatGuard Vulnerability Management System is also declared OVAL-compatible and OVAL-ID compatible and is listed on the declarations pages. For additional information about these and other compatible products and services, visit the Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility pages.

ArcSight, Inc. Makes Declaration of OVAL-ID Compatibility

ArcSight, Inc. declared that its real-time security awareness/incident response solution, ArcSight ESM, is OVAL-ID compatible. ArcSight ESM is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

Citadel Security Software Inc. Makes Declaration of OVAL-ID Compatibility

Citadel Security Software Inc. declared that its Automated Vulnerability Remediation product, Hercules, is OVAL-ID compatible. Hercules is also declared OVAL-compatible and is listed on the Declarations of OVAL Compatibility page. For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

ArcSight, Inc. Posts OVAL and OVAL-ID Compatibility Questionnaire

ArcSight, Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL and OVAL-ID Compatibility Questionnaire for ArcSight ESM. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID-Compatibility.

Citadel Security Software Inc. Posts OVAL and OVAL-ID Compatibility Questionnaire

Citadel Security Software Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL and OVAL-ID Compatibility Questionnaire for Hercules. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID-Compatibility.

ThreatGuard, Inc. Posts OVAL and OVAL-ID Compatibility Questionnaires

ThreatGuard, Inc. has achieved the second phase of the OVAL and OVAL-ID Compatibility Process by posting an OVAL Compatibility Questionnaire for ThreatGuard Vulnerability Management System and an OVAL Compatibility Questionnaire for ThreatGuard Traveler. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible" and/or "Officially OVAL-ID Compatible."

For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page, Declarations of OVAL Compatibility, and the Declarations of OVAL-ID-Compatibility.

OVAL Compatibility Requirements Document Updated

The Requirements and Recommendations for OVAL and OVAL-ID Compatibility document has been updated to Version 1.01 and posted in the Compatible Products and Services section of the OVAL Web site. The document, which details the specific ways in which an organization can make its information security tool, service, Web site, database, archive, or advisory/alert "OVAL-compatible" and/or "OVAL-ID compatible," was updated to comply with the new formal "OVAL and OVAL-ID Compatibility Process."

OVAL to Present Briefing at VISION 2005

OVAL Editor Matthew N. Wojcik is scheduled to present a briefing about OVAL and CVE entitled Enablers to Cybersecurity Transformation in the "Protection of Information" track at The Shepard Group's VISION 2005 on November 8, 2005, at Ibis London Earl's Court, UK. The conference itself runs November 7th - 9th.

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at FIAC 2005

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL, CVE, and CME entitled Managing to Make Secure Systems in the Vulnerability Management portion of the "Leveraging Technology to Bridge the Security Gap" track at Federal Information Assurance Conference (FIAC) 2005 on October 26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA.

Visit the OVAL Calendar page for information about this and other upcoming events.

October 28, 2005

DesktopStandard Corporation Makes Declaration of OVAL-ID Compatibility

DesktopStandard Corporation declared that its group policy-based patch management product, PolicyMaker Software Update, is OVAL-ID compatible. PolicyMaker Software Update and three other DesktopStandard products are also declared OVAL-compatible and are listed on the Declarations of OVAL Compatibility page.

For additional information about this and other OVAL-ID compatible products and services, visit Declarations of OVAL-ID Compatibility.

MITRE to Host OVAL/CVE Booth at 32nd Annual CSI Conference

MITRE is scheduled to host an OVAL/CVE exhibitor booth at the 32nd annual CSI Computer Security Conference & Exhibition, November 13-15, 2005, at the Marriott Wardman Hotel in Washington, D.C., USA. The conference will expose OVAL and CVE to information security and network professionals from industry, academia, and government. Organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting.

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

MITRE Hosts OVAL/CVE Booth at FIAC 2005

MITRE hosted an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the University of Maryland University College in Adelphi, Maryland, USA. The conference exposed OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations listed in the OVAL-Compatible Products and Services section also exhibited.

Visit the OVAL Calendar page for information about this and other upcoming events.

October 21, 2005

Version 5.0 Draft OVAL Schemas Now Available

Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.

Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

October 13, 2005

Version 4.2 Draft OVAL Schemas Now Available

Version 4.2 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.2 page. A complete list of the updates is available in the Status Reports on the Version 4.2 Schema section.

Version 4.2 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.1. Comments on the draft Version 4.2 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

Version 4.3 Definition Interpreter Released

The Version 4.3 OVAL Definition Interpreters have been released to correct known issues and improve functionality. This update corrects several issues that could occur while running the Interpreter: PCRE has been upgraded to version 6.3 due to a known vulnerability in earlier versions of PCRE; the software and configuration result values were not being combined properly when computing the overall result for a definition; and the Windows Active Directory probe was not authenticating properly with the Active Directory Server. This update also adds support for the wmi_test. The Interpreter Source Code has also been updated.

Use of the updated Definition Interpreters requires that you use the newest OVAL Data Files. We apologize for any inconvenience. Visit the Downloads page to download the latest Interpreters, Interpreter Source Code, and Data Files.

MITRE to Host OVAL/CVE Booth at FIAC 2005

MITRE is scheduled to host an OVAL/CVE exhibitor booth at Federal Information Assurance Conference (FIAC) 2005, October 25-26, 2005, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose OVAL and CVE to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government. In addition, organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting.

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

October 6, 2005

MITRE Hosts OVAL/CVE Booth at IT Security World 2005, September 28th-29th

MITRE hosted an OVAL/CVE exhibitor booth at MISTI's IT Security World 2005 on September 28-29, 2005 in San Francisco, California, USA. The conference exposed OVAL and CVE to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.

See booth photos below:


[Photos: 2005 IT Security World]

Visit the OVAL Calendar page for information about this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

September 29, 2005

OVAL Compatibility Requirements Document Added to OVAL Web Site

Version 1.0 of the Requirements and Recommendations for OVAL and OVAL-ID Compatibility document has been posted in the Compatible Products and Services section of the OVAL Web site. The document details the specific ways in which an organization can make its information security tool, service, Web site, database, archive, or advisory/alert "OVAL-compatible" and/or "OVAL-ID compatible."

You may also review the most current Declarations of OVAL Compatibility and Declarations of OVAL-ID Compatibility from those organizations already participating.

"Upcoming Schema Changes" Section Updated with Version 4.2 OVAL Schema Information

An overview of the modifications currently planned for Version 4.2 of the OVAL Schema has been posted in the Upcoming OVAL Schema Changes section. Planned modifications to the OVAL Definition Schema, OVAL System Characteristics Schema, and OVAL Results Schema will include the addition of a component schema for HP-UX and a modification to the OVAL-ID format.

September 22, 2005

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, September 15, 2005, with 17 Board members and others participating. Topics included OVAL status updates, proposed major and minor OVAL Schema version changes, an intellectual property agreement proposal, and the OVAL and OVAL-ID Compatibility Program. You may also read the complete meeting minutes.

OVAL Announces "Calendar of Events" for Autumn 2005

The OVAL Initiative has announced its initial calendar of events for autumn 2005. Details regarding MITRE's scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the OVAL Calendar page for information about these and other upcoming events.

September 16, 2005

KACE Networks, Inc. Makes Declaration of OVAL Compatibility

KACE Networks, Inc. has declared that its information technology management appliance, KBOX IT Management Suite 2.0, is OVAL-compatible. For additional information about this and other OVAL-compatible products and services, visit the Declarations of OVAL Compatibility page.

Compatibility with "OVAL-IDs" Added to OVAL Compatibility Program

"OVAL-ID Compatibility" has been added to the OVAL Compatibility Program as a second, distinct type of compatibility. Being compatible with OVAL-IDs means that a Web site, database, archive, or security advisory includes OVAL-IDs as references as part of the information it conveys about a security issue, and provides for searching by OVAL-ID. This is different from a product or service being "OVAL-compatible," in which a tool, service, Web site, database, or advisory/alert uses OVAL technical data such as schemas or definitions for communicating details of vulnerabilities, patches, or security policies. As part of this update, a "Declarations of OVAL-ID Compatibility" page has been added to the Compatible Products and Services section.

Sintelli Makes 3 Declarations of OVAL-ID Compatibility

Sintelli has declared that its vulnerability alert/notification service, Sintelli Alert; vulnerability alerting service, Sintelli SME; and its Sintelli Vulnerability Database, are OVAL-ID compatible. For additional information about these and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.

KACE Networks, Inc. Makes Declaration of OVAL-ID Compatibility

KACE Networks, Inc. has declared that its information technology management appliance, KBOX IT Management Suite 2.0, is OVAL-ID compatible. For additional information about this and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.

MITRE Corporation Makes Declaration of OVAL-ID Compatibility

MITRE Corporation has declared that its list of standardized names for information security vulnerabilities on the CVE Web site, the CVE List, is OVAL-ID compatible. For additional information about this and other OVAL-ID compatible products and services, visit the Declarations of OVAL-ID Compatibility page.

OVAL Mentioned in KACE Networks, Inc. Press Release

OVAL was mentioned briefly in a September 12, 2005 press release from KACE Networks, Inc. entitled "KACE's KBOX Automates IT Management for Mid-Market Customers with Easy-to-Use, Unthinkably Comprehensive, Affordable Appliance." OVAL was mentioned as a feature of KACE's KBOX IT Management Suite 2.0: "Security Vulnerability Audit: Scans and reports on known security vulnerabilities based on the OVAL standard (covering almost 1000 vulnerabilities) endorsed by US Computer Emergency Readiness Team (US-CERT) and the [U.S.] Department of Homeland Security."

In addition, KACE Networks, Inc. and its KBOX IT Management Suite 2.0 are listed on the Declarations of OVAL Compatibility and the Declarations of OVAL-ID Compatibility pages in the Compatible Products and Services section of the OVAL Web site.

September 1, 2005

BigFix, Inc. Makes Declaration of OVAL Compatibility

BigFix, Inc. has declared that its real-time security configuration management system, BigFix Enterprise Suite, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services section.

MITRE to Host OVAL/CVE Booth at IT Security World 2005, September 28th-29th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at MISTI's IT Security World 2005 on September 28th - 29th at the Hyatt Regency in San Francisco, California, USA. The conference will expose OVAL and CVE to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs. Please stop by Booth 415 and say hello. In addition, organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

August 26, 2005

Slovenian CERT References OVAL-IDs in Security Advisory

The Slovenian Computer Emergency Response Team (SI-CERT) issued a security advisory for CVE name CAN-2004-0549 that included the following OVAL-IDs as references: OVAL1133, OVAL207, OVAL241, and OVAL519.

OVAL-IDs are also used as references for security items in the U.S. National Vulnerability Database (NVD); Open Source Vulnerability Database (OSVDB); E-Soft, Inc.'s SecuritySpace.com vulnerability Web site; and the CVE List on the Common Vulnerabilities and Exposures (CVE) Web site. All OVAL Vulnerability Definitions are based upon CVE names.

August 22, 2005

OVAL Mentioned in Article about U.S. National Vulnerability Database on SecurityFocus.com

OVAL was mentioned in an August 12, 2005 article entitled "NIST, DHS add national vulnerability database to mix" on SecurityFocus.com. The main topic of the article is the U.S. National Vulnerability Database (NVD), which "scans the Common Vulnerability and Exposures (CVE), a listing of serious vulnerabilities ..." OVAL is mentioned in a quote by Peter Mell, a senior computer scientist at NIST, who states: "[CVE names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language."

According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards."

NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security. In addition, Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.

August 12, 2005

OVAL Launches New Web Site

OVAL has upgraded its Web site with new information and new functionality to better serve our users. New functionality includes a centralized "OVAL Content" page for viewing or downloading the three classes of OVAL definitions, while new information includes the addition of a special "Focus On" column and the latest news headlines on the homepage, a new section about the reference OVAL Definition Interpreter in the FAQs, and a new centralized archive of the OVAL Board and Community Participation email list discussions, among other improvements.

  • Improved Access to OVAL Content
    Access to OVAL Definitions has been centralized on an OVAL Content page, from which you can view or download definitions. Definitions are also now separated by classification so that users can easily locate Vulnerability Definitions, Compliance Definitions, and/or Patch Definitions for a particular operating system or platform.
  • News Headlines on the Homepage
    Headlines for the latest breaking news for and about OVAL are now available directly from the OVAL Web site homepage. These headlines will link directly to the full text of the articles on the OVAL News and Events page, or to the Calendar of Events page if the headline refers to an upcoming event.
  • Focus On Column Added to the Homepage
    A new feature on the homepage is a new "Focus On" column that will highlight a different feature and/or aspect of the OVAL project every one or two weeks. This week's inaugural column focuses on the topic of OVAL Compatibility.
  • FAQs about the OVAL Definition Interpreter
    A new section, Section F. OVAL Definition Interpreter, has been added to the Frequently Asked Questions section that specifically addresses the reference OVAL Definition Interpreter including what the Interpreter is, how to use it, how to read and use the results of an OVAL analysis, terms of use, and availability of the Interpreter source code.
  • Centralized Archive of Email Discussion Lists
    The new Discussion Archive page provides a centralized location for all OVAL Community and OVAL Board discussions about OVAL. The page includes four sections: OVAL Board Email List, OVAL Board Meetings, OVAL Community Forum Email List, and OVAL Developer Email List. Archives of discussions from past years are also located here.
  • Other Improvements
    In addition to an improved look and feel to the site design, Section Contents have been added in the far-right column of most pages to assist users in navigating the site and a new section has been added with information about the Senior Advisory Council.

Official OVAL Schemas Updated to Version 4.1

Version 4.1 of the OVAL Schemas are now available on the Official OVAL Schemas page. The OVAL Definition Interpreters, Interpreter Source Code, and Data Files have also been updated.

Version 4.1 of the OVAL Schema includes the following: addition of the Independent Schema; addition of the UNIX Schema; addition of the "Red Hat Enterprise Linux 4" platform to the Red Hat Schema; addition of the "Sun Solaris 10" platform to the Solaris Schema; addition of the version attribute with a value of "4.1" to the xsd:schema root element of all Schema files; expanding the <schema_version> element of all the three core schemas (definition, result, system_characteristics) to accept decimals instead of just integers; possible extension of the Windows passwordpolicy_test; addition of optional XML signatures at the document level; addition of the Fedora platform name; and the addition of an optional aggregated result attribute on the criteria element. All of the updates incorporate modifications and revisions that are a direct result of feedback from users.

The following schemas have been updated to Version 4.1 for the OVAL Core schemas and the component (Independent, Apple Macintosh, Cisco IOS, Debian Linux, Microsoft Windows, Red Hat Linux, Sun Solaris, and UNIX) schemas:

The following are also available for using Version 4.1 of OVAL:

The previous versions of the OVAL schemas, definitions, Definition Interpreters, Interpreter source code, and data files have been archived. Visit the Official OVAL Schemas page for the latest information on Version 4.1.

August 5, 2005

Assuria Limited Makes Declaration of OVAL Compatibility

Assuria Limited has declared that its host-based vulnerability assessment tool, Assuria Auditor, will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

New OVAL Board Member

Andrew Bove of Secure Elements, Inc. has joined the OVAL Board.

New OVAL Board Member

Nick Connor of Assuria Limited has joined the OVAL Board.

Release Candidates of the Version 4.1 OVAL Schemas Now Available

Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 4.1 page. The Version 4.1 Schemas are currently scheduled to move to the Official stage on August 12, 2005.

Meeting Minutes from OVAL Developer Days Now Available

Meeting minutes from the OVAL Developer Days meeting on July 18th-19th at MITRE Corporation in Bedford, Massachusetts are now available on the OVAL Documents page. 35 members of the OVAL Community from 14 organizations attended the event. The original briefing slides are also available.

U.S. National Vulnerability Database Includes OVAL-IDs as References

OVAL-IDs are included as references in the U.S. National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD). NVD is searchable by OVAL-ID, as well as by CVE Name, US-CERT Technical Alerts and/or US-CERT Vulnerability Notes.

According to the NVD Web site, "NVD is a comprehensive cyber security vulnerability database that integrates all publicly available U.S. Government vulnerability resources and provides references to industry resources. It is based on the CVE vulnerability naming standard." All OVAL Vulnerability Definitions are based upon CVE names.

NVD and OVAL are both sponsored by the U.S. Department of Homeland Security.

July 28, 2005

MITRE Hosts OVAL Developer Days, July 18th - 19th

The OVAL Initiative hosted our first-ever OVAL Developer Days meeting on July 18th and July 19th at MITRE Corporation in Bedford, Massachusetts. 35 members of the OVAL Community from 14 organizations attended the event.

Developer Days was a success and brought together numerous members of the OVAL Community to discuss, in technical detail, the more difficult issues facing the current and future versions of the OVAL Schema and to derive solutions that benefit all concerned parties and continue the development of the language. Review the briefing slides.

The meeting minutes will be available soon. An announcement will be posted on this News page when they are available, or you may sign up for OVAL's free e-Newsletters to receive this and other news about OVAL.

See photos below:

[Photos: 2005 OVAL Developer Days]

Revised Drafts of the Version 4.1 OVAL Schemas Now Available

Revised drafts of the Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.1 page. The Timeline for Version 4.1 has been revised to reflect these revisions.

Version 4.1 is posted with "Draft" status; the current "Official" version of OVAL is Version 4. Comments on the draft Version 4.1 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Presents Briefing at the New England Electronic Crimes Task Force Meeting on July 26th

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL/CVE at the New England Electronic Crimes Task Force Meeting on July 26th, 2005 in Wellesley, Massachusetts, USA. The Electronic Crimes Task Force includes members from industry as well as local, state, and federal law enforcement and was created to "help prevent and when necessary, prosecute these new kinds of [electronic and computer] crimes."

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

July 8, 2005

Version 4.1 OVAL Schemas Now Available

Version 4.1 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 4.1 page. A complete list of the updates is available in the Status Reports on the Version 4.1 Schema section, or you may read the "Introduction to OVAL Schema, Version 4.1" white paper.

Version 4.1 is posted with "Draft" status; the current "Official" version of OVAL is Version 4. Comments on the draft Version 4.1 OVAL Schemas are welcome on the OVAL Community Forum and OVAL Developer's List.

OVAL Introductory White Paper Updated

The OVAL introductory white paper, "Introduction to OVAL: A Language to Determine the Presence of Computer Vulnerabilities and Configuration Issues," has been updated to correspond with the most recent information about OVAL. The document is posted in the "Articles/Briefings/Papers/etc." section on the OVAL Documents page.

Updated OVAL Brochure Now Available

The OVAL Brochure has been updated. The brochure provides a complete overview of the OVAL initiative, including a graphical representation of how OVAL works, and is posted on the OVAL Documents page.

July 1, 2005

MITRE to Host OVAL Developer Days, July 18th & 19th

The OVAL Initiative will host our first-ever OVAL Developer Days meeting on Monday, July 18th and Tuesday, July 19th at MITRE Corporation in Bedford, Massachusetts. Though direct invitations have been issued to OVAL Board Members, organizations with OVAL-Compatible Products/Services, and other experts, all members of the OVAL Community are welcome to attend.

The purpose of the meeting is for the OVAL Community to discuss, in technical detail, the more difficult issues facing the current version of the OVAL Schema, Version 4, and to drive development of Version 5. By bringing together the leading proponents of the OVAL Community, we hope to derive solutions that will benefit all parties and continue the development of the language.

Visit the OVAL Developer Days page and Meeting Q&A for more information about this event. You may also review the Meeting Agenda. We look forward to seeing you.

Conference Photos of OVAL Booth at the NetSec 2005

MITRE hosted an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15th, 2005 in Scottsdale, Arizona, USA. See photos below.

[Photos: NetSec 2005]

June 23, 2005

netForensics, Inc. Makes Declaration of OVAL Compatibility

netForensics, Inc. has declared that its security information management system, netForensics nFX Open Security Platform, will be OVAL-compatible.

For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, June 16, 2005, with 15 Board members and others participating. Topics included OVAL status updates, the proposed minor version change to the Version 4.1 of the OVAL Schema, the new "Introduction to OVAL Schema, Version 4.1" white paper, and OVAL Compatibility. You may also read the complete meeting minutes.

Preventsys, Inc. Press Release Announces OVAL Compatibility and Appointment to OVAL Board

Preventsys, Inc. issued a press release on June 14, 2005 entitled "Preventsys to Support OVAL Standard to Further Broaden Support for Common Vulnerability Definitions." The release announces that the "Preventsys Enterprise Security Management (ESM) System is now compatible with the Open Vulnerability and Assessment Language (OVAL™) standard" and "To complement Preventsys' support for OVAL, Preventsys has also announced that senior vice president of engineering and operations J. Patrick Ravenel has been appointed to the OVAL Board, a select group of security experts chosen to oversee the development of this emerging standard."

The release describes what the OVAL effort is and isn't, the makeup and purpose of the OVAL Board, and includes a link to the OVAL Web site. The release also includes a quote from Ravenel, who states: "Preventsys supports and encourages the adoption of common standards, such as OVAL, because they allow our customers to get more accurate views of their enterprise-wide security posture, without product customization. The adoption of standards like OVAL are an important step in gaining a better understanding of IT security risk and compliance with policies and regulations, especially when multiple-integrated tools must be supported."

Preventsys is a member of the OVAL Board and its Preventsys ESM System is listed in the OVAL-Compatible Products and Services section.

June 16, 2005

Two New OVAL Board Members

John Wilson and Varugis Kurien of Microsoft Corporation have joined the OVAL Board.

MITRE Hosts CVE/OVAL Booth at NetSec 2005

MITRE hosted an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13-15, 2005 in Scottsdale, Arizona, USA. The conference was successful and introduced OVAL and CVE to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

June 10, 2005

"Introduction to OVAL Schema, Version 4.1" Document Now Available

A new white paper entitled "Introduction to OVAL Schema, Version 4.1" has been posted on the OVAL Documents page. The document describes what the OVAL Schema is; how it has changed; how it is versioned, including minor and major versions; and the Schema review process. It also introduces modifications for OVAL Version 4.1, currently scheduled for release in July.

Technical aspects of the OVAL Schemas, such as the descriptions of valid elements and attributes, are documented in the OVAL Elements Dictionaries. Comments about the document are welcome on the OVAL Community Forum, or you may contact us directly at oval@mitre.org.

Upcoming Schema Changes Section Updated with Version 4.1 OVAL Schema Information

An overview of the modifications planned for Version 4.1 of the OVAL Schema has been posted in the Upcoming OVAL Schema Changes section. A more thorough discussion of the changes is included in "Introduction to OVAL Schema, Version 4.1."

New OVAL Board Member

Patrick Ravenel of Preventsys, Inc. has joined the OVAL Board.

New OVAL Board Member

Robert Hollis of ThreatGuard, Inc. has joined the OVAL Board.

1,000+ Definitions Now Have "Accepted" Status

Of the 1,079 OVAL Definitions now available to the public on the OVAL Web site, 976 have Accepted status, 88 Interim status, and 15 Draft status. Of these, 748 definitions are for Microsoft Windows, 203 definitions for Red Hat Linux, and 128 definitions for Sun Solaris. A complete breakdown of definitions by operating system family, and by individual platforms, is available on the OVAL Statistics page.

June 2, 2005

nCircle Network Security, Inc. Makes Two Declarations of OVAL Compatibility

nCircle Network Security, Inc. has declared that its IP360 Vulnerability Management System, and its real-time threat prioritization intrusion detection system (IDS), nTellect for Cisco IDS, will be OVAL-compatible.

For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

OVAL/CVE Booth Number Changed for NetSec 2005

MITRE's OVAL/CVE exhibitor booth number for NetSec 2005 Conference & Exhibition, June 13 - 15, 2005 in Scottsdale, Arizona, USA, has been changed from E13 to D7. Organizations listed on the OVAL Board and OVAL-Compatible Products and Services pages will also be exhibiting. Please stop by any of these booths and say hello.

Visit the OVAL Calendar page for information on this and other upcoming events.

May 19, 2005

DesktopStandard Corporation Makes Four Declarations of OVAL Compatibility

DesktopStandard Corporation has declared that its patch vulnerability assessment and remediation product, PolicyMaker Software Update, its configuration vulnerability assessment and remediation product, PolicyMaker Standard Edition, its application/task privilege vulnerability assessment and remediation product, PolicyMaker Application Security, and its registry-based vulnerability assessment and remediation product, PolicyMaker Registry Extension, will be OVAL-compatible.

For additional information about these and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

May 12, 2005

"How OVAL Works" Illustration Added to OVAL Web Site

A graphical representation of How OVAL Works has been added to the About OVAL section of the OVAL Web site. The illustration shows how OVAL and information security tools and services compatible with OVAL Definitions, the OVAL System Characteristics Schema, and/or the OVAL Results Schema improve the vulnerability management process.

May 5, 2005

MITRE to Host OVAL/CVE Booth at NetSec 2005, June 13th - 15th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at NetSec 2005 Conference & Exhibition, June 13 - 15, 2005 in Scottsdale, Arizona, USA. The conference is targeted to information security managers and directors, CIOs, CSOs, systems analysts, network engineers, network and systems managers and administrators, Webmasters, and other information security professionals. Please stop by Booth E13 and say hello. In addition, organizations listed on the OVAL-Compatible Products and Services page will also be exhibiting.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

April 29, 2005

Senior Advisory Council Holds Meeting

The CVE Senior Advisory Council, which also provides oversight for the OVAL effort, held a meeting on Monday, April 25, 2005. Topics included U.S. Department of Defense (DOD) vulnerability management using Extensible Markup Language Configuration Checklist Data Format (XCCDF), OVAL, and CVE; the U.S. Department of Energy’s (DOE) enterprise-wide Microsoft license and contract; an update on Center for Internet Security (CIS) information security benchmarks and tools; and status updates on CME, CVE, and OVAL.

MITRE established the advisory council to help guide CVE and OVAL and to ensure the initiatives receive appropriate funding, and to help us all understand potential relationships with other ongoing activities, share information, and promote synergy across the security community. The advisory council is composed of senior executives from offices across the U.S. federal government who are responsible for information assurance on government networks and systems. Visit the CVE Web site to view a list of the advisory council members or to read a copy of the council charter.

OVAL Standards Effort a Main Topic of Article in CrossTalk

OVAL was a main topic in an article by OVAL Compatibility Lead Robert A. Martin entitled "Transformational Vulnerability Management Through Standards" in the May 2005 issue of CrossTalk, The Journal of Defense Engineering. The article discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the OVAL and CVE standards efforts. The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency’s Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."

OVAL is mentioned throughout this article in which the author describes what OVAL is and isn't, mentions that there are organizations that have made declarations of OVAL Compatibility, and describes OVAL definitions and the Official OVAL Schemas and their potential uses. How OVAL improves vulnerability assessment is also described in the caption to an illustration entitled "Standard-Based IAVA Process" in which the author notes that the new Information Assurance Vulnerability Alert (IAVA) requirements call for the use of "OVAL definitions on how to identify the new issue. Assessment tools are capable of using the OVAL definitions; they report their findings per the OVAL results XML standard. These same standard-based results are fed into the reporting process and the remediation process. Various procurements have started requiring support for the standards that will enable the transition to this new IAVA process. Work in transforming current checklists and checking guidelines into these standards is also under way, which will set the stage for the formal process to be changed."

The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network-centric warfare capabilities."

OVAL Mentioned in Article about Software Vulnerabilities in InfoSecurity Magazine

OVAL was mentioned in a May 15, 2005 article about software vulnerabilities entitled "CA exposure provokes disclosure debate" in InfoSecurity Magazine. OVAL is mentioned in a section about vulnerability assessment in which the author states: "The aim of the Open Vulnerability [and] Assessment Language initiative . . . [is] to provide a standardised way for the industry to define vulnerabilities and their seriousness and widespread industry adoption is expected to follow over the coming year."

The article also includes a discussion with OVAL Board Member Gerhard Eschelbeck of Qualys, Inc., in which the author of the article states: "The next stage after vulnerability assessment is to ensure that patching activities are automated as much as possible and are up-to-date and verified. While Eschelbeck acknowledges that patching everything constantly is impossible, he says that [the new universal Common Vulnerability Scoring System (CVSS)], which was released to vendors a few weeks ago at the RSA conference, should make prioritisation easier."

Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section. MITRE created and manages the OVAL and CVE projects, both of which are sponsored by the US-CERT at the Department of Homeland Security.

OVAL Participates on Panel Discussion at DOE Cyber Security Group Training Conference on April 21st

OVAL Compatibility Lead Robert A. Martin participated on a panel discussion entitled "Building Security into the Enterprise" in which OVAL and CVE were topics of discussion at the 27th Department of Energy (DOE) Cyber Security Group (CSG) Training Conference on April 21, 2005 in Denver, Colorado, USA.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

OVAL Presents Briefing at DOE Cyber Security Chiefs Council Meeting on April 20th

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL and CVE to the Department of Energy (DOE) Cyber Security Chiefs Council Meeting on April 20, 2005 in Denver, Colorado, USA. Visit the OVAL Calendar page for information on this and other upcoming events.

April 21, 2005

OVAL Working Group Holds Teleconference

OVAL's Unauthenticated Remote Tests Working Group held a teleconference meeting on Thursday, April 7, 2005, with nine members participating. Those interested may read the complete meeting minutes. To join the working group, first subscribe to the "OVAL Developer's Email List" on the OVAL Community Forum sign-up page. After receiving a confirmation verifying your addition to the list, submit a message expressing your interest in addressing unauthenticated remote scanning to join the group. We welcome your participation.

OVAL Main Topic of Article about Vulnerability Assessment on SecurityPark.net

OVAL was the main topic of an April 15, 2005 article entitled "From SATAN to OVAL: The Evolution of Vulnerability Assessment" on SecurityPark.net. In this article, written by OVAL Board Member Gerhard Eschelbeck of Qualys, Inc., the author describes what OVAL is and isn't, mentions that OVAL is a community effort, notes the platforms supported by OVAL, mentions that there are declarations of OVAL Compatibility, and describes the OVAL Definition Schema, OVAL System Characteristics Schema, and OVAL Results Schema and their potential uses.

The author further states: "OVAL aims to standardize and define a structured process for identifying and communicating vulnerability and configuration information from the point of knowledge of a vulnerability to the point of action. Vulnerability Assessment has matured over the past years, and to standardize the information exchange during the full vulnerability lifecycle makes OVAL a significant contribution to the security industry. Multiple security vendors have committed support for OVAL in their upcoming product releases. Enterprises will benefit from OVAL compliant tools to integrate and improve the flow of information from vulnerability alert, to vulnerability detection as well as remediation."

Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.

OVAL Presents Briefing at Systems and Software Technology Conference on April 19th

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL/CVE entitled "A Case Study on Transformational Vulnerability Management Through Standards" at the 17th Annual Systems and Software Technology Conference on April 19, 2005 at the Salt Palace Convention Center in Salt Lake City, Utah, USA.

The Systems and Software Technology Conference is co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension. The conference is targeted to representatives from "military services, government agencies, defense contractors, industry, and academia." DISA is a member of the OVAL Board.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

April 14, 2005

Version 4 Definition Interpreters Updated

The Version 4 OVAL Definition Interpreters have been updated to correct known issues and improve functionality. This update corrects three issues that could occur while running the Interpreter: a Windows file probe that was incorrectly constructing file paths out of path components; Windows file tests that would always evaluate to unknown; and a problem occurring when a test with a pattern match in its object section inaccurately reported an unknown result if the specified pattern failed to find a match on the system being tested. This update also adds support for the xmlfilecontent_test; updates error reporting in the results.xml to make better use of the message element inside of test elements in the result.xml file; and creates a common interface for platform-specific File searching with regular expressions. The Interpreter Source Code has also been updated.

Use of the updated Definition Interpreters requires that you use the newest OVAL Data Files. We apologize for any inconvenience. Visit the Downloads page to download the latest Interpreters, Interpreter Source Code, and Data Files.

Preventsys, Inc. Makes Declaration of OVAL Compatibility

Preventsys, Inc. has declared that its Preventsys Enterprise Security Management System will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.

New OVAL Board Member

Eric Voskuil of DesktopStandard Corporation has joined the OVAL Board.

New OVAL Board Member

Jim Alderson of GuardedNet, Inc. has joined the OVAL Board.

New OVAL Board Member

Chris Andrew of PatchLink Corporation has joined the OVAL Board.

OVAL Presents Briefing to FSTC Security Standing Committee

OVAL Compatibility Lead Robert A. Martin presented a briefing on April 14, 2005 entitled "Software Quality and Vulnerability Management - CVE and OVAL" to the monthly teleconference of the Financial Services Technology Consortium's (FSTC) Security Standing Committee (SSCOM). The talk focused on using OVAL and CVE standards to transform how organizations manage the flaws in the software systems they use to conduct their businesses. The mission of the FSTC SSCOM is to "help member financial institutions anticipate and respond to challenges and opportunities in the dynamic area of information security technology, while helping technology providers and standards organizations to understand the unique security needs of the financial services industry."

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

Conference Photos of OVAL Booth at InfoSec World 2005

MITRE hosted an OVAL/CVE exhibitor booth at MISTI's InfoSec World Conference and Expo/2005, April 4 - 6th, 2005 in Orlando, Florida, USA. See photos below.

[Photos: ISW 2005]

April 8, 2005

OVAL to Participate on Panel Discussion at DOE Cyber Security Group Training Conference on April 21st

OVAL Compatibility Lead Robert A. Martin will participate on a panel discussion entitled "Building Security into the Enterprise" at the 27th Department of Energy (DOE) Cyber Security Group (CSG) Training Conference on April 21st, 2005 at the Westin Westminster in Denver, Colorado, USA. The conference theme is "Reduce Your Vulnerabilities and Protect Your Resources" and will include speakers from across the Federal Government, as well as the Department of Energy and the National Nuclear Security Administration. The event itself is scheduled for April 18 - 21.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

MITRE Hosts OVAL/CVE Booth at InfoSec World Conference and Expo/2005, April 4th-6th

MITRE hosted an OVAL/CVE exhibitor booth at MISTI's InfoSec World Conference and Expo/2005 on April 4th - 6th in Orlando, Florida, USA. The conference exposed OVAL and CVE to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. In addition, organizations listed on the OVAL-Compatible Products and Services page also exhibited.

Visit the OVAL Calendar for more information about this and other events.

OVAL Presents Briefing at Babson College's CIMS Technology Update Workshop on March 11th

OVAL Compatibility Lead Robert A. Martin and CVE Project Leader Margie Zuk presented a briefing about OVAL and CVE on March 11th at the Center for Information Management Studies' (CIMS) Technology Update Workshop at Babson College in Wellesley, Massachusetts, USA. CIMS is a "consortium of academic leaders and industry professionals working together to promote the effective use of information technology (IT)." CIMS provides "a valuable forum for IT management dialog . . . [among] IT executives, managers, and senior professionals," and its workshops, publications, and courses focus on issues that are most important to the IT community.

Visit the OVAL Calendar page for information on this and other upcoming events.

March 31, 2005

Official OVAL Schemas Updated to Version 4

Version 4 of the OVAL Schemas is now available on the Official OVAL Schemas page. The OVAL Definition Interpreters, Interpreter Source Code, and Data Files have also been updated.

Version 4 of the Official OVAL Schema represents a significant advancement in the evolution of the OVAL effort. With Version 4 all of the Official OVAL Schemas have been brought under a single version number in order to simplify the task for all OVAL users (e.g., definition creators, tool developers, vulnerability researchers, etc.) in identifying the version against which a set of definitions/characteristics/results were generated, among numerous other modifications. The new version also includes the addition of schemas for Apple Macintosh and Cisco IOS. Specific changes are noted in the archive of Status Reports on the Version 4 Schema. All of the updates incorporate modifications and revisions that are a direct result of feedback from users.

The following schemas have been updated to Version 4 for the OVAL Core schemas and the platform-specific (Apple Macintosh, Cisco IOS, Debian Linux, Microsoft Windows, Red Hat Linux, and Sun Solaris) schemas:

The following are also available for using Version 4 of OVAL:

The previous versions of the OVAL schemas, definitions, Definition Interpreters, Interpreter source code, and data files have been archived. Visit the Official OVAL Schemas page for the latest information on Version 4.

"OVAL Element Dictionary" Now Available for Developers

An "OVAL Element Dictionary" is now available for assisting developers with incorporating OVAL into their tools and services. There are individual dictionaries for the Core Definition Schema, System Characteristics Schema, Results Schema, and for each of the individual platform-specific schemas. Each document describes the XML elements, types, and attributes that comprise the schemas and provides the information necessary to understand what each element and attribute represents in OVAL. The documents are intended for developers and assume some familiarity with XML. A comprehensive "OVAL Element Dictionary" for all schemas is available as a single download, or individual Element Dictionaries are available from the Documents page.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Thursday, March 17, 2005, with 19 Board members and others participating. Topics included OVAL status updates, licensing terms for the Reference OVAL Definition Interpreters, content ownership, and OVAL compatibility. You may also read the complete meeting minutes.

OVAL to Present Briefing at Systems and Software Technology Conference on April 19th

OVAL Compatibility Lead Robert A. Martin is scheduled to present a briefing about OVAL/CVE entitled "A Case Study on Transformational Vulnerability Management Through Standards" at the 17th Annual Systems and Software Technology Conference on April 19th, 2005 at the Salt Palace Convention Center in Salt Lake City, Utah, USA. The conference itself runs April 18 - 21.

The Systems and Software Technology Conference is co-sponsored by the United States Army, United States Marine Corps, United States Navy, Department of the Navy, United States Air Force, Defense Information Systems Agency (DISA), and Utah State University Extension. The conference is targeted to representatives from "military services, government agencies, defense contractors, industry, and academia." DISA is a member of the OVAL Board.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

OVAL Archive Page Added to OVAL Web Site

An OVAL Archive page has been added to the OVAL Web site. This centralized archive includes monthly downloads of all "Accepted," "Interim," and "Draft" OVAL definitions from the Current Version of OVAL; material from Previous Versions of OVAL including schemas, definitions, data files, definition interpreters, and interpreter source code; and materials from the deprecated SQL format. Definitions from the current version of OVAL are archived on this page on a monthly basis to allow OVAL users to track changes over time and tool developers to map OVAL Compatibility.

March 24, 2005

OSVDB Including OVAL-IDs as Cross-References

OVAL-IDs are being included as a cross-reference in the Open Source Vulnerability Database (OSVDB). OVAL892, OVAL886, and OVAL885 are included in a listing for OSVDB Entry 5260. Other OSVDB entries also include OVAL-IDs.

SecuritySpace Vulnerability Web Site Including OVAL-IDs as Cross-References

OVAL-IDs are being included as cross-references in SecuritySpace.com, E-Soft, Inc.'s vulnerability Web site. OVAL1503, OVAL1530, OVAL2155, OVAL3179, OVAL1186, OVAL1943, OVAL3514, and OVAL956 are included in a listing for SecuritySpace 13641. Other SecuritySpace entries also include OVAL-IDs.

CVE Web Site Including OVAL-IDs as References

OVAL-IDs are being included as references on the CVE List on the Common Vulnerabilities and Exposures (CVE) Web site. OVAL216, OVAL306, OVAL322, OVAL507, and OVAL515 are included in a listing for CAN-2004-0566. Other CVE names also include OVAL-IDs. Content on the CVE List is determined by the MITRE Corporation and information security-industry organizations participating on the CVE Editorial Board. MITRE created and manages the OVAL and CVE projects, both of which are sponsored by the US-CERT at the Department of Homeland Security.

New OVAL Board Member

Robert Stull of eEye Digital Security has joined the OVAL Board.

New OVAL Board Member

Nils Puhlmann of Adobe Systems Incorporated has joined the OVAL Board.

GRIDtoday Article Announces Appointment of ArcSight, Inc. to OVAL Board

OVAL was the main topic of a February 2, 2005 article on GRIDtoday entitled "ArcSight's Raffael Marty Appointed to MITRE OVAL Board." The article describes what the OVAL effort is and isn't and mentions the following other OVAL Board members: "Cisco Systems, IBM and Symantec, and U.S. government leaders including the Defense Information Systems Agency, the National Security Agency and the CERT Coordination Center." The article states that: "Marty's role will be to provide OVAL a complete, high-level view of network security status, including issues such as correlation and prioritization of security events, as security event management continues to emerge as a critical component of network security."

There are currently 34 OVAL Board Members from 28 organizations around the world.

ArcSight Press Release Announces Appointment to OVAL Board

ArcSight, Inc. issued a press release on January 16, 2005 entitled "ArcSight's Raffael Marty Appointed to MITRE OVAL (Open Vulnerability [and] Assessment Language) Board." The release announces Raffael Marty's appointment to the OVAL Board, describes what the OVAL effort is and isn't, and includes a link to the OVAL Web site.

The release also includes a quote by Hugh Njemanze, CTO and founder of ArcSight, Inc., who states: "We're thrilled that Raffael has been asked to participate in MITRE's OVAL efforts. We're looking forward to helping add our security event management innovation to OVAL's groundbreaking work to date."

There are currently 34 OVAL Board Members from 28 organizations around the world.

Conference Photos of OVAL Booth at the RSA 2005

MITRE hosted an OVAL/CVE exhibitor booth at RSA Conference 2005, February 14 - 18th, 2005 in San Francisco, California, USA. See photos below.

[Photos: RSA 2005]

March 10, 2005

MITRE to Host OVAL/CVE Booth at InfoSec World Conference and Expo/2005, April 4th-6th

MITRE is scheduled to host an OVAL/CVE exhibitor booth at MISTI's InfoSec World Conference and Expo/2005 on April 4th - 6th at the Coronado Springs Resort in Orlando, Florida, USA. The conference will expose OVAL and CVE to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Please stop by Booth 432 and say hello. In addition, organizations listed on the OVAL-Compatible Products and Services page will also be exhibiting.

Visit the OVAL Calendar for more information about this and other events.

March 3, 2005

Release Candidate 3 of the Version 4 OVAL Schemas Now Available

Release Candidate 3 of the Version 4 OVAL Schemas is now available on the Proposed OVAL Schema page. The most significant updates are changes to the schema for Windows and involve the effective rights tests, the interface test, and the port test, among other changes. A complete list of updates is available in the Status Reports on the Version 4 Schema section. The current Version 4 Definition Interpreters and Data Files can be used with Release Candidate 3.

The Version 4 Schemas are currently scheduled to move to the Official stage in March 2005. Visit the Proposed OVAL Schema page to view or download the latest Schemas, Definition Interpreters, Interpreter Source Code, and Data Files for Version 4.

OVAL Adds Schema for Apple Macintosh

Release Candidate 3 of the Version 4 OVAL Schemas also includes new schemas for Apple Macintosh. The Version 4 Schemas are currently scheduled to move to the Official stage in March 2005. Visit the Proposed OVAL Schema page to view or download all of the latest Schemas, Definition Interpreters, Interpreter Source Code, and Data Files for Version 4.

OVAL a Main Component of Vulnerability Assessment System Described in Princeton University White Paper

OVAL is mentioned throughout a December 2004 technical report from the Department of Computer Science at Princeton University entitled "TR-718-04: Policy-based Multihost Multistage Vulnerability Analysis." The paper describes MulVAL, "an end-to-end framework and reasoning system that conducts multihost, multistage vulnerability analysis [MulVAL] on a network." MulVAL automatically integrates formal vulnerability specifications from the bug-reporting community and is scalable to networks with thousands of machines. MulVAL "comprises a scanner—run asynchronously on each host and which adapts existing tools such as OVAL to a great extent—and an analyzer, run on one host whenever new information arrives from the scanners."

OVAL is mentioned throughout the report and OVAL and the OVAL Reference Definition Interpreter are used by MulVAL to scan the network, conduct the tests for vulnerabilities using OVAL definitions, and to report the results. The report describes what OVAL is and details the OVAL System Characteristics Schema for collecting the information, OVAL Definition Schema for writing OVAL Definition tests, and OVAL Results Schema for presenting the results of the tests. The paper also mentions the OVAL Board, provides a breakdown of OVAL definitions as of January 31, 2005, and notes that the OVAL Reference Definition Interpreters are available for Red Hat Linux and Microsoft Windows platforms. After the presence of a vulnerability is identified by OVAL, MulVAL uses ICAT, "a vulnerability database developed by the National Institute of Standards and Technology" to describe "how [the vulnerability] can be exploited and what are the consequences".

OVAL is also included in the paper's abstract, in which the authors state: "Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines. We implemented our framework on the Red Hat Linux platform. Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language. We tested our tool on a real network with hundreds of users. The tool detected a policy violation caused by software vulnerabilities and the system administrators took remediation measures."

OVAL Presents Briefing at ANSI X9F4 Standards Meeting on March 2nd

OVAL Compatibility Lead Robert A. Martin presented a briefing about OVAL/CVE at the American National Standards Institute (ANSI) X9F4 Standards Meeting for the finance industry on March 2, 2005 in San Antonio, Texas, USA.

X9 is an ANSI-approved organization that creates standards for the financial services industry. Within X9, the X9F subcommittee deals with data and information security issues and the X9F4 Working Group focuses on cryptographic standards. ANSI is a private, non-profit organization that "administers and coordinates the U.S. voluntary standardization and conformity assessment system. The Institute's mission is to enhance both the global competitiveness of U.S. business and the U.S. quality of life by promoting and facilitating voluntary consensus standards and conformity assessment systems, and safeguarding their integrity."

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

Configuresoft Press Release Announces Appointment to OVAL Board

Configuresoft, Inc. issued a press release on March 1, 2005 entitled "Configuresoft CTO Dennis Moreau Tapped for OVAL Board." The release notes that Dr. Dennis Moreau, chief technology officer for Configuresoft, was appointed to the OVAL Board, describes what the OVAL effort is and isn't, mentions that OVAL vulnerability definitions are based upon CVE names, and includes a link to the OVAL Web site.

The article also includes a quote by Moreau, who states: "OVAL is the most ambitious of the current standardization efforts. On behalf of Configuresoft and the Center for Policy & Compliance, I am delighted to sit on the OVAL Board."

There are currently 32 OVAL Board Members from 26 organizations around the world.

February 24, 2005

Beta Version of the Red Hat Reference Definition Interpreter for Version 4 Updated

Beta versions of the Red Hat OVAL Definition Interpreter, Interpreter Source Code, and Data Files are now available for testing Release Candidate 2 of the Version 4 OVAL Schemas. A Version 4 Reference Definition Interpreter for Microsoft Windows is also available. Use of the updated Definition Interpreters requires that you use the newest Version 4 OVAL Data Files. We apologize for any inconvenience.

Visit the Proposed OVAL Schema page to download the Interpreter and Data Files and for the latest information on Version 4.

MITRE Hosts OVAL/CVE Booth at RSA Conference 2005, February 14th-18th

MITRE hosted an OVAL/CVE exhibitor booth at RSA Conference 2005 on February 14th - 18th in San Francisco, California, USA. The conference introduced OVAL and CVE to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products or initiatives. Visit the OVAL Calendar page for information on this and other upcoming events.

February 17, 2005

Beta Versions of the Reference Definitions Interpreters for Release Candidate 2 of Version 4 Now Available

Beta versions of the OVAL Definition Interpreters, Interpreter Source Code, and Data Files for testing Release Candidate 2 of the Version 4 OVAL Schemas have been updated. Use of the updated Version 4 Definition Interpreter requires that you use the newest Version 4 OVAL Data Files. We apologize for any inconvenience.

  • OVAL Definition Interpreters, Version 4
  • Interpreter Source Code, Version 4
  • Data Files, Version 4
  • Bulk Content Download, Version 4

Visit the Proposed OVAL Schema page for the latest information on Version 4.

OVAL Working Group Holds Teleconference

OVAL's Unauthenticated Remote Tests Working Group held its first teleconference meeting on Thursday, February 10, 2005, with nine members participating. The purpose of the group is to look at handling unauthenticated remote tests in OVAL. Those interested may read the complete meeting minutes.

Anyone with interest or expertise in unauthenticated scanning is welcome to comment on the minutes and/or participate in future meetings. To join the working group, first subscribe to the OVAL Developer's Email List on the OVAL Community Forum sign-up page. After receiving a confirmation verifying your addition to the list, submit a message expressing your interest in addressing unauthenticated remote scanning to join the group. We welcome your participation.

OVAL Included in XCCDF Security Configuration Checklists Program for Information Technology Products and Services

OVAL was included as part of the January 20, 2005 release of the Extensible Configuration Checklist Description Format (XCCDF) on the National Institute of Standards and Technology's (NIST) Computer Security Resource Center Web site. Led by the U.S. National Security Agency (NSA) along with contributions from other agencies and organizations, XCCDF was created to be a "specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices."

OVAL is mentioned in the Additional Notes section on the main page of the XCCDF Web site, which states: "XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's OVAL(tm). More information about OVAL may be found at The MITRE Corporation OVAL Web site." In addition, NSA is a member of the OVAL Board.

MITRE Hosts OVAL/CVE Booth at 2005 Information Assurance Workshop, February 7th-10th

MITRE hosted an OVAL/CVE exhibitor booth at the 2005 Information Assurance (IA) Workshop in Atlanta, Georgia, USA, February 7th-10th. The purpose of the workshop, which was hosted by the Defense Information Systems Agency, National Security Agency, Joint Staff, and the United States Strategic Commands, was to provide a forum for the IA community on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event was successful and introduced OVAL and CVE to representatives of the DOD and other Federal Government employees and their sponsored contractors.

February 10, 2005

Release Candidate 2 of the Version 4 OVAL Schemas Now Available

Release Candidate 2 of the Version 4 OVAL Schemas is now available on the Proposed OVAL Schema page. The most significant updates are changes to the schema for Windows and involve the effective rights tests, the interface test, and the port test, among other changes. A complete list of updates is available in the Status Reports on the Version 4 Schema section.

The Version 4 Schemas are currently scheduled to move to the Official stage in March 2005. Visit the Proposed OVAL Schema page to view or download the latest Schemas, Definition Interpreters, Interpreter Source Code, and Data Files for Version 4.

February 7, 2005

Fifty Compliance Definitions Added to OVAL Web Site

50 OVAL Compliance Definitions have been added to the OVAL Definitions page as OVAL-IDs 1351-1400. OVAL compliance definitions test the configuration settings of a system and are used to measure compliance with a security policy, for example to determine whether a particular service is running, a port is open, a password is of at least a particular length, etc. The OVAL Web site also includes 1,120 vulnerability definitions.

January 24, 2005

Version 4 OVAL Schemas Updated to Release Candidates

Version 4 of the OVAL Schemas is now in the Release Candidate stage. In addition, beta versions of the OVAL Definition Interpreters, Interpreter Source Code, and Data Files for Version 4 are currently available for testing the new version of OVAL. The schemas will be updated to the "Official" stage in March per the Version 4 Timeline, at which time the current schemas, Definition Interpreters, Interpreter Source Code, and Data Files will be archived.

Version 4 of the Official OVAL Schema represents a significant advancement in the evolution of the OVAL effort. With Version 4 all of the Official OVAL Schemas have been brought under a single version number in order to simplify the task for all OVAL users (e.g., definition creators, tool developers, vulnerability researchers, etc.) in identifying the version against which a set of definitions/characteristics/results were generated, among numerous other modifications. Specific changes are noted in the New in the Version 4 Schema and Status Reports on the Version 4 Schema sections. All of the updates incorporate modifications and revisions that are a direct result of feedback from users.

The following schemas have been updated to release candidates for the OVAL Core schemas and the platform-specific (Cisco IOS, Debian Linux, Microsoft Windows, Red Hat Linux, and Sun Solaris) schemas:

Beta versions of the following are also available for testing the new version of OVAL:

  • OVAL Definition Interpreters, Version 4
  • Interpreter Source Code, Version 4
  • Data Files, Version 4
  • Bulk Content Download, Version 4

Visit the Proposed OVAL Schema page for the latest information on Version 4.

New OVAL Board Member

Chip Lawson of BindView Corporation has joined the OVAL Board.

MITRE to Host OVAL/CVE Booth at the 2005 Information Assurance Workshop, February 7th-10th

MITRE is scheduled to host an OVAL/CVE exhibitor booth on February 7th - 10th at the 2005 Information Assurance Workshop in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce OVAL and CVE to representatives of the DOD and other Federal Government employees and their sponsored contractors. Please stop by Booth 207 and say hello.

Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

MITRE to Host OVAL/CVE Booth at RSA Conference 2005, February 14th-18th

MITRE is scheduled to host an OVAL/CVE exhibitor booth on February 14th - 18th at RSA Conference 2005 at the Moscone Center in San Francisco, California, USA. The conference will introduce OVAL and CVE to information technology professionals, developers, policy makers, industry leaders, and academics from organizations that deploy, develop, or investigate data security or cryptography products. Please stop by Booth 1231 and say hello.

Visit the OVAL Calendar for information on this and other upcoming events.

January 13, 2005

OVAL Announces "Calendar of Events" for 2005

The OVAL effort has announced its initial calendar of events for the first half of 2005. Details regarding MITRE's scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, and/or other vulnerability management topics at your event.

netForensics Press Release Announces Appointment to OVAL Board

netForensics, Inc. issued a press release on December 20, 2004 entitled "netForensics Security Strategist Appointed to MITRE Open Vulnerability Assessment Language Board." The release mentions that Anton Chuvakin, Ph.D., GCIA, GCIH, and Security Strategist for netForensics, Inc., was appointed to the OVAL Board, describes what the OVAL effort is and isn't, and includes a link to the OVAL Web site.

The article also includes a quote by Patrick Guay, netForensics EVP Product Management and Marketing, who states: "Anton is an excellent example of the level of security practitioner we have in place to develop [netForensics, Inc.'s] robust SIM solution and to support our customers' unique requirements. As a member of the OVAL Board he will continue to offer this insight and innovation for developing a common standard for describing system vulnerabilities and methods for checking them."

There are currently 31 OVAL Board Members from 26 organizations around the world.

January 7, 2005

OVAL Effort Surpasses 1,000+ Definitions Milestone

OVAL has achieved a major milestone with 1,003 OVAL Definitions now posted on the OVAL Web site. As of this site update, there are 748 Accepted, 4 Interim, 21 Draft, and 230 Initial Submission vulnerability definitions available for the Windows, Linux, and UNIX operating systems.

OVAL began in December 2002 with a total of 72 definitions for three initially supported platforms: Windows NT 4.0, Windows 2000, and Sun Solaris 7/8. Since that launch we have increased the number of definitions to the current total of 1,003; added support for seven additional operating systems: Windows XP, Windows Server 2003, Sun Solaris 9, Red Hat Linux, Debian Linux, Hewlett-Packard UNIX, and Cisco IOS; registered 154 participants on the OVAL Community Forum email discussion list and 101 participants on the OVAL Developer's Working Group email discussion list; released proof-of-concept Definition Interpreters with regular data file updates; and initiated an "OVAL Compatibility" program with industry declarations for 12 OVAL-compatible products and services and several more pending.

As always, active participation is important to the success of the OVAL effort. Join the OVAL Community Forum and/or OVAL Developer's Working Group on the Community Forum & Developer's List Sign-up page, then visit the How to Participate on the OVAL Community Forum page for the specific and detailed ways in which you may help this growing community effort.

ThreatGuard, Inc. Makes OVAL Compatibility Declaration

ThreatGuard, Inc. has declared that its ThreatGuard Continuous Security Auditing and Compliance Management system will be OVAL-compatible. For additional information about this and other OVAL-compatible products, visit the OVAL-Compatible Products and Services page.


Page Last Updated: June 17, 2013