News and Events - 2007 Archive

OVAL Celebrates 5 Years!

OVAL began five years ago this month as a new community baseline standard for how vulnerabilities could be identified on local computers. Since that time OVAL has grown significantly and is now an international information security community standard to promote open and publicly available security content and to standardize the transfer of that information using a language to encode system details and content repositories held throughout the community. Highlights of our progress are noted below.

OVAL Language
When OVAL began definitions were queries written in SQL against a standardized database schema. In late 2003, at the request of the community and because of the limits of SQL, XML Schema was adopted as the official format for expressing the OVAL Language and all SQL queries were converted into XML-based definitions written against the new XML Schema. The OVAL Language has also grown from a single schema for writing tests into three separate schemas, one for each step of the overall process: an OVAL System Characteristics Schema for collecting the information, OVAL Definition Schema for writing tests, and OVAL Results Schema for presenting the results of the tests. The individual tests are standardized, machine-readable XML Vulnerability, Compliance, Inventory, and Patch Definitions that are hosted in the OVAL Repository and in other community repositories. We are now on Version 5.3 of the OVAL Language, and are working on Version 5.4.

We also created a free OVAL Interpreter for the Windows and Red Hat Linux platforms to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests. The OVAL Interpreter has since been incorporated into the August 2007 release of Debian 5.3-1 by the Debian Project, the November 2007 release of openSUSE 10.3 by Maitreya Security, and the December 2007 releases of Fedora 7 and Fedora 8 by Red Hat, Inc.

OVAL Repository
In the beginning, the OVAL Repository focused only on checks for vulnerabilities, each of which was based on a CVE Identifier from Common Vulnerabilities and Exposures. The version 5.0 release of the OVAL Language added support for other types of tests, which allowed the OVAL Repository to expand its scope to include OVAL Vulnerability, Compliance, Inventory, and Patch Definitions. These community-developed definitions check the machine state of computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. Currently, there are 1,576 definitions for Microsoft Windows and 3,485 definitions for UNIX for a grand total of 5,061 definitions in the OVAL Repository now available to the public for incorporation into information security products and services. New definitions are always being added. Towards that end, we launched an "OVAL Repository Top Contributors Awards Program" in February 2007 that grants awards on a quarterly basis to the top contributors to the OVAL Repository. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

There are also currently two other publicly accessible OVAL repositories. The U.S. National Institute of Standards and Technology’s Security Content Automation Protocol (SCAP) repository was created in January 2007 and is a free public repository of security content to be used for automating compliance activities, vulnerability checking (both application misconfigurations and software flaws), and security measurement. The Red Hat, Inc. repository of OVAL content was created in May 2006 and consists of OVAL Patch Definitions that correspond to all Red Hat Errata security advisories.

Community Participation
Since the beginning OVAL has been industry-endorsed via the OVAL Board and through community participation on the OVAL Repository Forum and OVAL Developer’s Forum, ensuring that the OVAL Definitions and OVAL Language reflect the combined expertise of the broadest possible group of security and system administration professionals worldwide. Community endorsement is further emphasized by the numerous organizations that are listed on OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible pages.

Significant participation by the OVAL Community also includes the contribution of component schemas for the OVAL Language by the Center for Internet Security for Apple Macintosh beginning with Version 4.0 and ThreatGuard, Inc. for HP-UX (Hewlett Packard UNIX) beginning with Version 4.2. In addition, numerous organizations have contributed OVAL Definitions to the OVAL Repository including Maitreya Security, ThreatGuard; Bastille Linux, Secure Elements, Inc., Opsware, Inc., McAfee, Inc., Hewlett-Packard, and OS2A, while other organizations have made modifications to existing definitions including ThreatGuard, Opsware, Centennial Software, Maitreya Security, Bastille Linux, BigFix, Inc., Secure Elements, Security-Database, and GFI Software Ltd. Visit the Community Participation page to see the specific ways in which you or your organization can contribute.

OVAL Board
The OVAL Board includes members from major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions from around the world. The Board’s primary responsibilities are to work with the OVAL moderator and the OVAL Community to define OVAL, provide input into OVAL’s strategic direction, and advocate OVAL in the community. The Board began with 17 members from 13 organizations and has since grown to 32 members from 28 organizations.

Compatible Products and Services
In July 2004 we added an OVAL-Compatible Products and Services program for organizations wishing to make their products or services "OVAL-Compatible." The formal process includes compatibility evaluations, the posting of questionnaires citing how the organizations have satisfied the Requirements and Recommendations for OVAL Compatibility document, and a branding program with an official compatibility logo for vendors to include with their products. This program, which ultimately includes publication of the organization’s statement on the OVAL Web site along with the use of the Official OVAL-Compatible logo, allows end users and prospective customers of OVAL-Compatible Products and Services to compare how the products satisfy the compatibility requirements and to more easily determine which specific implementations are best for their networks and systems.

To-date 20 products and services from 14 organizations are Officially OVAL-Compatible, and another 16 products from 11 organizations have Declarations to Be OVAL-Compatible.

Our Five-Year Anniversary
We thank all of you who have in any way helped promote OVAL, used the OVAL Language and OVAL Repository, and/or adopted OVAL-Compatible products or services for your enterprise. We would also like to thank our sponsor throughout these five years, the National Cyber Security Division of the U.S. Department of Homeland Security, for their past and current funding and support. We welcome any comments or feedback about the OVAL Language or the OVAL Repository at oval@mitre.org.

OVAL Repository Surpasses 5,000+ Definitions Milestone

The OVAL Repository surpassed the 5,000 OVAL Definitions milestone on December 14, 2007 with a new grand total of 5,061 definitions now available to the public on the OVAL Web site. Of these, there are 1,576 definitions for Microsoft Windows and 3,485 definitions for UNIX.

This milestone was a direct result of significant participation by the OVAL Community. Numerous organizations have contributed OVAL Definitions to the OVAL Repository including Maitreya Security, ThreatGuard, Inc.; Bastille Linux, Secure Elements, Inc., Opsware, Inc., McAfee, Inc., Hewlett-Packard, and OS2A, while others have made modifications to existing definitions including ThreatGuard, Opsware, Centennial Software, Maitreya Security, Bastille Linux, BigFix, Inc., Secure Elements, Security-Database, and GFI Software Ltd.

We thank all off these organizations for their contributions.

Red Hat Includes OVAL Interpreter in Fedora 7 and Fedora 8

Red Hat, Inc. has incorporated the OVAL Interpreter into the latest releases of Fedora 7 and Fedora 8. Red Hat posted the Fedora 7 Update: ovaldi-5.3-1.fc7.1 and Fedora 8 Update: ovaldi-5.3-1.fc8 release announcements to the Fedora Project email lists on December 3, 2007.

The OVAL Interpreter is a freely available reference implementation created to show how information can be collected from a computer for testing, to evaluate and carry out the OVAL Definitions for that platform, and to report the results of the tests.

Red Hat is a founding member of the OVAL Board and its Red Hat Errata security advisories are listed on the Other Repositories and the OVAL-Compatible Products and Services pages.

MITRE to Host "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE is scheduled to host a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference will expose the OVAL, CVE, CCE, CPE, CME, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

Ai Metrix Makes Declaration of OVAL Compatibility

Ai Metrix, a SYS Technologies Company, declared that its network management system for Security Content Automation Protocol (SCAP) services and reporting, NeuralStar Network, will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Mentioned in Product Releases Article in Processor Magazine

OVAL was mentioned in the "Product Releases" article in Processor Magazine on October 5, 2007. OVAL is mentioned in the "Security" section of the article regarding Secure Elements’ C5 Compliance Platform 3.3, which "...is the first product to work with NIST SCAP content to help federal government agencies meet the OMB Mandate. It also helps with compliance with NIST ISAP/SCAP initiative for auditing security configurations using OVAL, XCCDF, CPE, CVSS, CCE, and CVE."

OVAL Mentioned in Secure Elements Press Release

OVAL was mentioned in a September 18, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Announces New Version of IT Audit and Compliance Platform." OVAL is mentioned in the portion of the release that describes how Secure Elements’ C5 Compliance Platform Version 3.3 adds enhanced NIST SCAP FISMA reporting: "For federal government agencies, C5 is the first enterprise solution that works directly with the NIST SCAP content to help them meet the OMB Mandate for secure desktop configurations as well as incorporating all of the latest standards as defined by the NIST ISAP/SCAP initiative for auditing security configurations utilizing OVAL, XCCDF, CPE, CVSS, CCE and CVE."

Secure Elements, Inc. is a member of the OVAL Board and its C5 Compliance Platform Version 3.0 is listed on the OVAL Web site as "Officially OVAL-Compatible."

OVAL Repository Main Topic of Secure Elements Press Release

The OVAL Repository was the main topic of an October 23, 2007 news release from Secure Elements, Inc. entitled "Secure Elements Receives OVAL Repository Top Contributor Award For Advancing Open Information Security Content Standards for the 3rd Quarter of 2007."

In addition to a paragraph describing OVAL and the Repository the release includes a quote by OVAL Program Lead Jon Baker describing the reason for the award: "The OVAL Repository Top Contributor Award is reserved for organizations that assist in making the OVAL Repository a gold standard for open information security content. Secure Elements is recognized again for their invaluable content submissions of new definitions and enhancements to existing Repository content."

The release also includes a quote by Secure Elements’ Chief Technical Officer Andrew Bove who states: "Secure Elements is proud to lead the growing OVAL community by contributing our information assurance expertise. This recognition reflects our commitment to support publicly available security content initiatives such as the OVAL Repository and for the NIST Information Security Automation Program (ISAP), where we are the custodians of the XML content for auditing the Federal Desktop Core Configuration (FDCC) for Microsoft Vista and XP."

Secure Elements, Inc. is a member of the OVAL Board and its C5 Compliance Platform Version 3.0 is listed on the OVAL Web site as "Officially OVAL-Compatible."

OVAL Repository Announces Top Contributors Awards for Q3-2007

Maitreya Security Ltd. Co., Opsware, Inc., Secure-Elements, Inc., and ThreatGuard, Inc. received the "OVAL Repository Top Contributors Awards" for Q3-2007. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

OVAL Mentioned in NetworkWorld Article

OVAL was mentioned in an article entitled "Service-oriented security" in NetworkWorld on September 25, 2007. OVAL is mentioned when the author discusses Security Content Automation Protocol (SCAP). The author states: "The basic premise is that the only way we’ll ever get a handle on the operational challenges of security management is to automate as many of the processes as possible. SCAP pulls information from a number of standardized information sources, including (warning: acronym soup ahead): the eXtensible Configuration Checklist Description Format (XCCDF), the Open Vulnerability Assessment Language (OVAL), Common Vulnerability Scoring System, (CVSS) and Common Vulnerabilities and Exposures (CVE) database."

Center for Internet Security Makes Declaration of OVAL Compatibility

The Center for Internet Security declared that its CIS Configuration Assessment Tool (CIS-CAT) is OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Main Topic of Article in SC Magazine

OVAL was the main topic of an August 20, 2007 article written by OVAL Board member Amol Sarwate of Qualys, Inc. entitled "Hot or not: Open Vulnerability Assessment Language" in SC Magazine. The author states: "The open standard OVAL promises to ease the integration of security applications and help organizations develop security checks for highly-customized networks and applications."

In the article the author explains what OVAL is, how it works, and the benefits of adopting OVAL: "The benefits of OVAL are many. For instance, security administrators can develop their own custom security checks, or they can use any of the more than 2,000 OVAL definitions. And security products from different vendors can share information and be integrated more easily through the use of OVAL. By choosing OVAL compatible solutions, organizations can deploy best-of-breed products for vulnerability assessments and policy assessments, and even link results to SIMs and other tools for advanced correlation to better identify where the highest risks lie."

The author concludes the article by describing OVAL’s involvement in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP), and states: "As these standards continue to evolve and grow, they’ll improve security product integration even further, and give security teams the control necessary to develop the tools they need to keep their infrastructures secure, no matter how customized their networks and applications."

OVAL Included as Topic at Security Automation Conference 2007

OVAL was included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. NIST’s Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

OVAL was also a topic in MITRE’s Making Security Measurable exhibitor booth during the exhibition portion of the event. The conference exposed the OVAL, CVE, CCE, CPE, CME, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry.

Visit the OVAL Calendar for information on this and other events.

eEye Digital Security, Inc. Makes Two Declarations of OVAL Compatibility

eEye Digital Security, Inc. has declared that its network security risk assessment and vulnerability management products, Retina Network Security Scanner and Retina Enterprise Suite, will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Included in Making Security Measurable Booth at Security Automation Conference 2007, September 19-20

MITRE will host a Making Security Measurable exhibitor booth at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. OVAL will also participate in discussion panels at the event on September 20th.

NIST’s Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

The conference will expose the OVAL, CVE, CCE, CPE, CME, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

OVAL Included as Topic in MITRE Booth at Black Hat Briefings 2007

MITRE hosted a Making Security Measurable exhibitor booth at Black Hat Briefings 2007 on August 1-2, 2007 at Caesars Palace in Las Vegas, Nevada, USA. The conference exposed the OVAL, CVE, CCE, CPE, CME, CAPEC, CWE, and Making Security Measurable efforts to a diverse audience of information security-focused attendees from around the world.

See booth photos below:

Visit the OVAL Calendar for information on this and other events.

McAfee, Inc. Now Registered as Officially OVAL-Compatible

McAfee, Inc. has completed correctness testing for Phase 3 of the OVAL Compatibility Program for its Hercules Policy Auditor 4.5 and Hercules Remediation Manager 4.5 products, which are both now registered as "Officially OVAL-Compatible."

For additional information about these and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

Guidance Software, Inc. Makes Declaration of OVAL Compatibility

Guidance Software, Inc. has declared that its EnCase Information Assurance Suite will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Included as Topic at Security Automation Conference & Workshop 2007, September 19-20

OVAL will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2007 on September 19-20, 2007 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, OVAL will also participate in discussion panels on September 20th.

NIST’s Security Content Automation Protocol (SCAP) employs community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the OVAL Calendar for information on this and other events.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Monday, July 16, 2007 with 25 members participating. Topics of discussion included status updates on the OVAL Language regarding the recent move to Version 5.3 and the updated OVAL Interpreter; the OVAL Repository, including the 2,000 definitions milestone; adoption and OVAL-Compatibility; inclusion of OVAL in NIST’s Security Automation Conference & Workshop 2007 in September; the rescheduling of OVAL Developer Days 2007 to October; and the updated IP Agreement recently posted on the OVAL Web site.

OVAL Repository Announces Top Contributors Awards for Q2-2007

ThreatGuard, Inc., Secure-Elements, Inc., and Opsware, Inc. received the "OVAL Repository Top Contributors Awards" for Q2-2007. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

Version 5.3 of OVAL Now Available

Version 5.3 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.

Version 5.3 is a minor version change and includes the following: added sql test to the independent schema; changed the datatype of the comment attribute to not accept empty strings; added include_group and resolve_group behaviors to the windows accesstoken_object; modified the schematron of the rpminfo_state to allow ‘version’ as a valid datatype for the <release> and <version> entities; added new privileges to the windows accesstoken_test; added an optional mask attribute; fixed a schema error that had a_time, c_time, and m_time defined as strings, changed to ints; added the audit event policy subcategories test to the windows schema; added a schematron rule in certain places to validate that an int value was supplied when a datatype of int was declared; added a share permission test to the windows schema; added a printer effective rights test; changed the trustee_name entity to trustee_sid for existing effective rights and audit permission tests, deprecated the original tests; added a check_existence attribute to and OVAL Test; added the ‘none satisfy’ value to the existing check attribute of an OVAL Test; added a ONE operator to the criterion element; added a user access control test; modified the hp-ux patch test; and updated the documentation. This minor version change Version 5.3 will not invalidate existing content that currently validates against Version 5.2. See the OVAL Language Releases page for more information.

The following have been updated to Version 5.3:

• OVAL Definition schema
• OVAL System Characteristics schema
• OVAL Results schema

The following are also available for using Version 5.3:

• OVAL Interpreter
• Interpreter Source Code
• Data Files
• Bulk Content Download

The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.3.

OVAL Interpreter Updated for Version 5.3

The OVAL Interpreter has been updated to Version 5.3. Specific updates to the OVAL Interpreter included: addition of support for Version 5.3 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

OVAL Repository Surpasses 2,000+ Definitions Milestone

The OVAL Repository now contains more than 2,000 OVAL Definitions. As of June 13, 2007 at 1:35 a.m. there were 1,993 total OVAL Definitions posted on the OVAL Web site and of these 1,481 are for Windows and 512 for UNIX. An overview of the definitions posted to-date and a list of the top organizations and individuals who have contributed to the repository to-date are available on the OVAL Repository Statistics page.

Guidelines for Submitting OVAL Definitions Updated

Updated Guidelines for Submitting OVAL Definitions have been posted in the OVAL Repository section of the OVAL Web site. The updated guidelines provide additional details on how OVAL Community members can write and submit new OVAL Definitions and modify existing definitions.

OVAL Mentioned in Article about Security Content Automation Protocol in Government Computer News

OVAL was mentioned in a May 22, 2007 article entitled "NIST releases FISMA security control tools" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP), which according to the article is an "automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products. It can help test for the presence of vulnerabilities and rank them according to severity of impact. The checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act, so that the output can be used to document FISMA compliance."

OVAL is mentioned when the author states that "SCAP currently uses six open standards for enumerating, evaluating and measuring the impact of software problems and reporting the results," and includes OVAL as follows: "Open Vulnerability and Assessment Language, OVAL, from MITRE; a standard XML for security testing procedures and reporting." The other five standards are: Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

SCAP is an expansion of the U.S. National Vulnerability Database (NVD) that is based upon the CVE List, and NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

2nd Release Candidate of OVAL Version 5.3 Now Available

A second Release Candidate of Version 5.3 of the OVAL Language is now available. Version 5.3, scheduled to be moved to the Official stage on June 27, 2007, will be a minor version update to add new community-requested tests, fix some errors found in the Windows component schemas, and to update the documentation. As this is a minor version change Version 5.3 will not invalidate existing content that currently validates against Version 5.2, the current official version of OVAL. A complete list of changes for Version 5.3 is available on the Upcoming Minor Version page.

Opsware, Inc. Now Registered as Officially OVAL Compatible

Opsware, Inc. has completed correctness testing for Phase 3 of the OVAL Compatibility Program for its Opsware Server Automation System and it Opsware Network content repository, which are now registered as "Officially OVAL-Compatible."

For additional information about these and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

New OVAL Board Member

Roger Castillo of AlterPoint has joined the OVAL Board.

OVAL Version 5.3 in Release Candidate Stage

Version 5.3 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on June 6, 2007. Version 5.3 will be a minor version update to add new community-requested tests, fix some errors found in the Windows component schemas, and to update the documentation. As this is a minor version change Version 5.3 will not invalidate existing content that currently validates against Version 5.2, the current official version of OVAL. A complete list of changes for Version 5.3 is available on the Upcoming Minor Version page.

Opsware Inc. Posts Two OVAL Compatibility Questionnaires

Opsware Inc. has achieved the second phase of the OVAL Compatibility Program by posting an OVAL Compatibility Questionnaire for Opsware Server Automation System and OVAL Compatibility Questionnaire for Opsware Network. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible."

To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

US Army CERDEC Makes Declaration of OVAL Compatibility

US Army CERDEC has declared that its vulnerability assessment and remediation tool, Armadillo, will be OVAL Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Included as Product Feature in Network Computing Product Review

OVAL was included as a product feature in a March 19, 2007 product review article entitled "Rollout: Kace KBox 1000/2000 Series Appliances" in Network Computing. OVAL is mentioned as follows: "Add-ons to the 1000 series include a full asset-management package that tracks hardware and software configurations and licenses, a helpdesk package, and a vulnerability scan and audit component. The vulnerability scan is based on OVAL (Open Vulnerability and Assessment Language), a security standard used by the U.S. Computer Emergency Readiness Team and the Department of Homeland Security. OVAL results on our test machines pointed out some egregious vulnerabilities, particularly on the machines we had not added to the patch group."

KACE Networks, Inc.’s KBOX 1000 Series Systems Management Appliances is Officially OVAL-Compatible and is listed in the OVAL-Compatible Products and Services section.

OVAL Repository Announces Top Contributors Awards for Q1-2007

ThreatGuard, Inc. and Centennial Software Ltd. received the "OVAL Repository Top Contributors Awards" for Q1-2007. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

GFI Software Ltd. Now Registered as Officially OVAL Compatible

GFI Software Ltd. has completed correctness testing for Phase 3 of the OVAL Compatibility Program for GFI LANguard Network Security Scanner, its network vulnerability assessment and remediation product, which is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

Security-Database.com Now Registered as Officially OVAL Compatible

Security-Database.com has completed correctness testing for Phase 3 of the OVAL Compatibility Program for System Security Analyzer, its vulnerability assessment and policy compliance product, which is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

Opsware Inc. Makes Two Declarations of OVAL Compatibility

Opsware Inc. has declared that its Opsware Server Automation System, and its Opsware Network content repository, will be OVAL Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Holds Compatibility Correctness Testing Session on April 11th

MITRE held an OVAL Compatibility Correctness Testing session on April 11, 2007 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.2 of OVAL. Organizations participating included GFI Software Ltd. and Security-Database.com. Results have been posted on the OVAL-Compatible Products and Services page.

Organizations with compatibility declarations interested in participating in future sessions may register by contacting oval@mitre.org.

OVAL Version 5.3 in Draft Stage

Version 5.3 of the OVAL Language is currently in the Draft stage and is scheduled to be moved to the Official stage on May 7, 2007. Version 5.3 will be a minor version update to add new community-requested tests, fix some errors found in the Windows component schemas, and to update the documentation. As this is a minor version change Version 5.3 will not invalidate existing content that currently validates against Version 5.2, the current official version of OVAL. A complete list of changes for Version 5.3 is available on the Upcoming Minor Version page.

OVAL to Hold Compatibility Correctness Testing Session on April 11th

MITRE will hold an OVAL Compatibility Correctness Testing session on April 11, 2007 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.2 of OVAL. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.

GFI Software Ltd Makes Declaration of OVAL Compatibility and Posts Compatibility Questionnaire

GFI Software Ltd. has declared that its network vulnerability assessment and remediation product, GFI LANguard Network Security Scanner, will be OVAL Compatible. GFI Software has also achieved the second phase of the OVAL Compatibility Program by posting an OVAL Compatibility Questionnaire for GFI LANguard Network Security Scanner.

To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

McAfee, Inc. Posts Two OVAL Compatibility Questionnaires

McAfee, Inc. has achieved the second phase of the OVAL Compatibility Program by posting an OVAL Compatibility Questionnaire for Hercules Policy Auditor 4.2 and OVAL Compatibility Questionnaire for Hercules Remediation Manager 4.2. In Phase 2 of the compatibility process the organization’s completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible."

To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Included in Secure Elements, Inc. News Release

OVAL was included in a February 6, 2006 news release from Secure-Elements, Inc. entitled "Secure Elements announces first ever training program for authoring standards based XML documents for system audit and compliance measurement". OVAL is mentioned in the first sentence of the release: "Secure Elements, Inc., today announced at the RSA 2007 Conference that they will begin offering hands-on training courses regarding authoring and use of the Open Vulnerability Assessment Language (OVAL) and the eXtensible Configuration Checklist Description Format (XCCDF) for individuals and organizations interested in authoring documents for IS Audit evaluations and vulnerability assessments. As the world’s first enterprise software vendor to support these standards, and seasoned authors of their own content that are active contributors to the NIST Security Content Automation Program (SCAP), they will provide unique insights, tips, strategies, and lessons learned that are not available elsewhere."

OVAL is mentioned again in a quote by Secure Elements CTO Andrew Bove, who states: "XML, OVAL, and XCCDF represent a complex semantic landscape and even though they are mapped very well, some organizations prefer or need a guide to help them navigate. For organizations that desire to "jump start" their efforts, or for which the required skill sets may not be their core competency, we’re here to help."

Secure Elements, Inc. is a member of the OVAL Board and its product C5 EVM product is listed in the OVAL-Compatible Products and Services section.

OVAL Mentioned in Award Description in "2007 SC Magazine Awards"

OVAL was cited in the description of SC Magazine’s "Editor’s Choice Professional Award" to the NSA’s Information Assurance Directorate’s Vulnerability Analysis and Operations (VAO) Group for its work in the past year with the U.S. Air Force and Microsoft Corporation to "examine and provide security-setting recommendations for Microsoft’s new Vista operating system" and to promote the use of standards. OVAL was mentioned as follows: "The VAO Group is also shaping the development of security standards for vulnerability naming and identification, such as the Open Vulnerability and Assessment Language (OVAL), Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) standards." The "2007 SC Magazine Awards" were presented on February 6, 2007 at the Hilton San Francisco in San Francisco, California, USA.

Photos from OVAL Booth at 2007 Information Assurance Workshop

OVAL co-hosted a Making Security Measurable exhibitor booth for MITRE’s OVAL, CVE, CCE, CME, CWE, and CPE efforts at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-15, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. See photos below:

Configuresoft, Inc. Now Registered as Officially "OVAL-Compatible"

Configuresoft, Inc. has posted an OVAL Compatibility Questionnaire for Configuresoft Enterprise Configuration Manager for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. Configuresoft Enterprise Configuration Manager is now registered as "Officially OVAL-Compatible." MITRE presented Configuresoft with an Official Certificate of OVAL Compatibility at RSA Conference 2007 on February 7th, 2007 in San Francisco, California, USA.

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

NetIQ Corporation Now Registered as Officially "OVAL-Compatible"

NetIQ Corporation has posted an OVAL Compatibility Questionnaire for NetIQ Secure Configuration Manager for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. NetIQ Secure Configuration Manager is now registered as "Officially OVAL-Compatible." MITRE presented NetIQ with an Official Certificate of OVAL Compatibility at RSA Conference 2007 on February 7th, 2007 in San Francisco, California, USA.

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

National Institute of Standards and Technology Now Registered as Officially "OVAL-Compatible"

The U.S. National Institute of Standards and Technology (NIST) has posted an OVAL Compatibility Questionnaire for Security Content Automation Program Content for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. Security Content Automation Program Content is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

ThreatGuard, Inc. Now Registered as Officially "OVAL-Compatible"

ThreatGuard, Inc. has posted an OVAL Compatibility Questionnaire for Secutor Prime for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. Secutor Prime is now registered as "Officially OVAL-Compatible."

For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Hosts Booth at 2007 Information Assurance Workshop, February 12-15

MITRE hosted an OVAL/CVE/CCE/CME/CWE/CPE exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-15, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event introduced the efforts to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations with OVAL-Compatible Products and Services also exhibited.

Visit the OVAL Calendar for information on this and other events.

OVAL Hosts Booth at RSA Conference 2007, February 5-8

MITRE hosted an OVAL/CVE/CCE/CME/CWE/CPE exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event introduced the efforts to security professionals from industry, government, and academia from around the world. Organizations with OVAL-Compatible Products and Services also exhibited.

See photos below:

MITRE Holds OVAL Demo at RSA Conference 2007

With the help of government and commercial vendors, MITRE held an OVAL Demonstration across the exposition floor of RSA Conference 2007 on February 5-8, 2007 in San Francisco, California, USA. The demonstration provided a view of the different sources of OVAL content, an example of tool interoperability as a result of adopting OVAL, and a demonstration of cooperative behavior within the security community.

By visiting the exhibitor booths of the following vendors conference attendees were able to obtain a personalized OVAL Definition file from a repository, conduct an assessment using that definition file, and see a display or remediation results of the assessment: MITRE Corporation’s OVAL Repository, National Institute of Standards and Technology (NIST)’s Security Content Automation Program Content, and Red Hat, Inc.’s Red Hat Network with repositories of OVAL Definitions; Configuresoft, Inc.’s Configuresoft Enterprise Configuration Manager, NetIQ Corporation’s NetIQ Secure Configuration Manager, Secure Elements, Inc.’s C5 Enterprise Vulnerability Management (EVM) Version 3.0, and ThreatGuard, Inc.’s ThreatGuard Vulnerability and Compliance Management System with definition consumer products; and McAfee, Inc.’s Hercules Remediation Manager and Hercules Policy Auditor with results consumers products.

See photos below:

OVAL Repository Launches Awards Program for Top Contributors

MITRE has launched an "OVAL Repository Top Contributors Awards Program" that grants awards on a quarterly basis to the top contributors to the OVAL Repository. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute. Initial recipients include ThreatGuard, Inc. for Q3-2005, Q4-2005, Q1-2006, Q2-2006, Q3-2006, and Q4-2006; Centennial Software Ltd. for Q3-2006; and Bastille Linux for Q3-2005.

Version 5.2 of OVAL Now Available

Version 5.2 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.

Version 5.2 is a minor version change and includes the following: added ‘include_group’ and ‘resolve_group’ behaviors to file audited permissions test, regkey audited permissions test, and regkey effective rights test; added a filehash test to the independent schema; changed the <possible> child element of an <external_variable> to contain either a single value held within a <possible_value> element or a range of values held within a <possible_restriction> element; removed unecessary ‘trustee_domain’ and ‘trustee_sid’ entities from fileauditedpermissions_item, fileeffectiverights_item, regkeyauditedpermissions_item, and regkeyeffectiverights_item; removed the ability to have nested <possible> elements in an external variable (this feature is not necessary); and updated the documentation. This minor version change Version 5.2 will not invalidate existing content that currently validates against Version 5.1. See the OVAL Language Releases page for more information.

The following have been updated to Version 5.2:

• OVAL Definition schema
• OVAL System Characteristics schema
• OVAL Results schema

The following are also available for using Version 5.2:

• OVAL Interpreter
• Interpreter Source Code
• This minor version change Version 5.2 will not invalidate existing content that currently validates against Version 5.1. See the OVAL Language Releases page for more information.

The following have been updated to Version 5.2:

• OVAL Definition schema
• OVAL System Characteristics schema
• OVAL Results schema

The following are also available for using Version 5.2:

• OVAL Interpreter
• Interpreter Source Code
• Data Files
• Bulk Content Download

The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.2.

OVAL Interpreter Updated for Version 5.2

The OVAL Interpreter has been updated to Version 5.2. Specific updates to the OVAL Interpreter included: addition of support for Version 5.2 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

OVAL Version 5.2 in Release Candidate Stage

Version 5.2 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on January 31, 2007. Version 5.2 will be a minor version update to fix some minor bugs in the Windows Component Schemas and to update the documentation. As this is a minor version change Version 5.2 will not invalidate existing content that currently validates against Version 5.1, the current official version of OVAL. A complete list of changes for Version 5.2 is available on the Upcoming Minor Version page.

OVAL Holds Compatibility Correctness Testing Session on January 17th

MITRE held an OVAL Compatibility Correctness Testing session on January 17, 2007 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations participating included Configuresoft, Inc. for its Configuresoft Enterprise Configuration Manager, NetIQ Corporation for its NetIQ Secure Configuration Manager, PatchLink Corporation for its OVAL™ XML Editor, and ThreatGuard, Inc. for its Secutor Prime. Compatibility results will be posted on the OVAL-Compatible Products and Services page as they are available.

Organizations with compatibility declarations interested in participating in future sessions may register by contacting oval@mitre.org.

MITRE to Hold OVAL Demo at RSA Conference 2007, February 5-8th

With the help of both government and commercial vendors, MITRE has organized an OVAL Demonstration to be held across the exposition floor of RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. The demonstration will provide a view of the different sources of OVAL content, an example of tool interoperability as a result of adopting OVAL, and a demonstration of cooperative behavior within the security community.

Conference attendees will be able to visit the booths of one or more of the vendors below that is hosting a repository of OVAL content and obtain a personalized OVAL Definition file. Attendees will then proceed to the booths of one or more of the vendors assessing the security (patch level, compliance, vulnerabilities) of the test lab and conduct an assessment using their personalized OVAL Definition file. Finally, attendees will visit the booths of one or more of the vendors that displays (SIM tools) or takes action on (remediation) the results of their personalized assessment.

The following organizations/products are participating in the OVAL Demonstration:

The OVAL Community is excited about the continued growth of the standard and looks forward to gaining new support as a result of this demonstration. Please stop by Booth 1949, or any of these booths, to learn more and to participate in the demonstration.

Security-Database.com Makes Declaration of OVAL Compatibility

Security-Database.com declared that its vulnerability assessment and policy compliance product, System Security Analyzer, will be compatible with Version 5.1 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Tuesday, January 16, 2007, with representatives from 7 member organizations and others participating. Topics included an OVAL status update; the Correctness Testing session held on January 17th; and the upcoming release of Version 5.2 of OVAL on January 31st. Meeting minutes will be posted on the Discussion Archives page once they are available.

OVAL Repository RSS Feed Now Customizable

The OVAL Repository Updates RSS feed can now be customized to a user’s preferences. The default Repository feed contains the 50 most recent updates to the Repository where updates might include any combination of New Definitions, Definitions with Status Changes, and/or Modified Definitions. For example, a default feed could have 3 new, 35 status changes, and 12 modified definitions. The customized feed can specify the number of records (from 1 to 500) and the combination of records (all, only new, only modified, only status changes) to include. See the OVAL RSS Feeds page for details.

OVAL to Hold Compatibility Correctness Testing Session on January 17th

MITRE will hold an OVAL Compatibility Correctness Testing session on January 17, 2007 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.

OVAL to Host Booth at RSA Conference 2007, February 5-8

MITRE is scheduled to host an OVAL/CVE/CCE/CWE/CME exhibitor booth at RSA Conference 2007 on February 5-8, 2007 at the Moscone Center in San Francisco, California, USA. RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce OVAL, CVE, CCE, CME, and CWE to security professionals from industry, government, and academia from around the world. Organizations with OVAL-Compatible Products and Services will also be exhibiting. Please stop by Booth 1949, or any of these booths, and say hello.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CME, CWE, and/or other vulnerability management topics at your event.

OVAL to Host Booth at the 2007 Information Assurance Workshop, February 12-16

MITRE is scheduled to host an OVAL/CVE/CCE/CWE/CME exhibitor booth at the 11th annual 2007 Information Assurance (IA) Workshop on February 12-16, 2007 at the Wyndham Orlando Resort, in Orlando, Florida, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency (DISA) and National Security Agency (NSA), is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of Department of Defense (DOD) IA strategy. The event will introduce OVAL, CVE, CCE, CME, and CWE to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations with OVAL-Compatible Products and Services will also be exhibiting.

Visit the OVAL Calendar for information on this and other events.

Important Message about OVAL Web Site Availability, January 13th-16th

Due to business disaster planning activities the OVAL Web site may be temporarily unavailable for short periods from 5:00am eastern time on Saturday, January 13, 2007 through 5:00am on Tuesday, January 16, 2007. We apologize for any inconvenience. Please contact oval@mitre.org with any comments or concerns.

Page Last Updated: March 05, 2013