News and Events - 2009 Archive

November 5, 2009

Making Security Measurable Briefing and Booth at IT Security Automation Conference 2009

MITRE presented a Making Security Measurable briefing and hosted a Making Security Measurable booth at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The OVAL Team also contributed to the OVAL-related workshops.

Visit the OVAL Calendar for information on this and other events.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on October 19, 2009. Discussion topics included status updates on the OVAL Language, OVAL Interpreter, and OVAL Repository; a review of the OVAL Version 5.6 release process; the timeline for OVAL Version 5.7; and plans for updating project documentation for the public on the OVAL Web site. Read the meeting minutes.

October 2, 2009

OVAL Repository Announces Top Contributors Awards for Q3-2009

Hewlett-Packard, Gideon Technologies, Inc., and SecPod Technologies received the "OVAL Repository Top Contributors Awards" for Q3-2009. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

October 1, 2009

OVAL/Making Security Measurable Booth at IT Security Automation Conference 2009, October 26-29

MITRE is scheduled to host a Making Security Measurable booth and present a Making Security Measurable briefing at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2009 in Baltimore, Maryland, USA. The OVAL Team is also scheduled to contribute to the OVAL-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the OVAL Calendar for information on this and other events.

OVAL Repository Surpasses 6,000+ Definitions Milestone

The OVAL Repository surpassed the 6,000 OVAL Definitions milestone on September 29, 2009 with a new grand total of 6,002 definitions now available to the public on the OVAL Web site. Of these, 8 are for All OS Families, 3 are for Cisco PIX, 126 are for Cisco IOS, 3,830 are for UNIX, and 2,035 are for Windows.

This milestone was a direct result of significant participation by the OVAL Community. Numerous organizations have contributed OVAL Definitions to the OVAL Repository including Hewlett-Packard, Gideon Technologies, Inc., SecPod Technologies, Maitreya Security, ThreatGuard, Inc., Bastille Linux, Secure Elements, Inc., Opsware, Inc., McAfee, Inc., DTCC, and OS2A, while others have made modifications to existing definitions including ThreatGuard, Opsware, Centennial Software, Maitreya Security, Bastille Linux, BigFix, Inc., Secure Elements, Security-Database, and GFI Software Ltd.

We thank all of these organizations for their contributions.

OVAL Interpreter Updated to Version 5.6.3

The OVAL Interpreter has been updated to Version 5.6, Build 3. Specific updates to the OVAL Interpreter included correcting some minor bugs.

The complete list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

Making Security Measurable Main Topic of Article in CrossTalk, The Journal of Defense Engineering

An article entitled "Making Security Measurable and Manageable" by OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin was published in the September/October 2009 issue of CrossTalk, The Journal of Defense Engineering.

The article explains how measurable security and automation can be achieved by having government and public efforts address the creation, adoption, operation, and sustainment of their information security infrastructures in a holistic manner and by using common, standardized concepts to define the data (CVE, CCE, CPE, CAPEC, CWE, etc.), communicating this information through standardized languages (OVAL, XCCDF, CEE, etc.), sharing the information in standardized ways (OVAL Repository, NVD, etc.), and adopting tools and services that adhere to these standards.

September 11, 2009

Version 5.6 of OVAL Now Available

Version 5.6 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.6.

Version 5.6 is a minor version change, highlights of which include the following: the pattern match operation may now be used on elements that are restricted to an enumeration; tests may now reference multiple states for more sophisticated state comparisons; a choice structure was introduced inside of objects to allow files to be defined by either a path and filename or simply a complete file path; the required regular expression syntax was changed from POSIX to Perl 5’s regular expression specification; numerous Schematron rules were added to further restrict and enhance the quality of valid OVAL documents; documentation was improved throughout the OVAL Language schemas, including adding detailed deprecation information to the schemas to align with the OVAL Language Deprecation Policy; the resolve_group behavior was deprecated on all tests in the Windows component schema except for the sid_sid_test and the sid_test to avoid overly resource-intensive searches for Windows trustees; and the following new tests and component schemas were added: win-def:serviceeffectiverights_test to support checking the rights of services on Windows, the ind-def:ldap_test to support checking settings via LDAP queries to a directory server, the aix-def:interim_fix_test to support checking interim or emergency fixes on IBM AIX, the SharePoint component schema, and a new patch test to the VMware ESX component schema. As a minor version change, Version 5.6 will not invalidate existing content that currently validates against Version 5.5. See the OVAL Language Releases page for more information.

The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.6.

OVAL Interpreter Updated for Version 5.6

The OVAL Interpreter and its source code have been updated to Version 5.6. Specific updates to the OVAL Interpreter included: addition of support for Version 5.6 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

OVAL Repository Updated for Version 5.6

The OVAL Repository has been updated to OVAL Version 5.6. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.

OVAL Included as Topic at IT Security Automation Conference 2009, October 26-29

OVAL will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 5th Annual IT Security Automation Conference on October 26-29, 2008 in Baltimore, Maryland, USA. The OVAL Team is also scheduled to contribute to the OVAL-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the OVAL Calendar for information on this and other events.

Making Security Measurable Briefing at GFIRST5: The 5 Pillars of Cyber Security

OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about Making Security Measurable at GFIRST5: The 5 Pillars of Cyber Security on August 24-28, 2009 at Atlanta, Georgia, USA.

Visit the OVAL Calendar for information on this and other events.

August 28, 2009

Release Candidate 2 of OVAL Version 5.6 Now Available

Release Candidate 2 of Version 5.6 of the OVAL Language is now available on the OVAL Web site. Version 5.6, which is now scheduled to be moved to the Official stage on September 9, 2009, is a minor version change and will not invalidate existing content that currently validates against Version 5.5, the current official version of OVAL. A complete list of changes for Version 5.6 is available on the Upcoming Minor Version page.

August 13, 2009

OVAL Interpreter Updated to Version 5.5.25

The OVAL Interpreter has been updated to Version 5.5, Build 25. Specific updates to the OVAL Interpreter included: adding support for one new test, and correcting some minor bugs.

The complete list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

July 31, 2009

OVAL Version 5.6 in Release Candidate Stage

Version 5.6 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on August 28, 2009. Version 5.6 is a minor version change and will not invalidate existing content that currently validates against Version 5.5, the current official version of OVAL. A complete list of changes for Version 5.6 is available on the Upcoming Minor Version page.

OVAL Interpreter Updated to Version 5.5.23

The OVAL Interpreter has been updated to Version 5.5, Build 23. Specific updates to the OVAL Interpreter included: adding support for several new tests and functions, and correcting some minor bugs.

The complete list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

MITRE Hosts ‘Making Security Measurable’ Booth at Black Hat Briefings 2009

OVAL participated in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

July 17, 2009

OVAL Repository Announces Top Contributors Awards for Q2-2009

Hewlett-Packard, Gideon Technologies, Inc., and SecPod Technologies received the "OVAL Repository Top Contributors Awards" for Q2-2009. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on July 14, 2009. Discussion topics included updates on the OVAL Language and the upcoming release of OVAL 5.6, OVAL Interpreter, OVAL Repository, and a recap on the OVAL portion of Security Automation Developer Days 2009. Read the meeting minutes.

Photos from MITRE’s Security Automation Developer Days 2009

MITRE hosted the first-ever Security Content Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

For additional information visit the Developer Days page on the Making Security Measurable Web site.

July 2, 2009

Draft 2 of OVAL Version 5.6 Now Available

Draft 2 of Version 5.6 of the OVAL Language is now available on the OVAL Web site. Version 5.6, which is scheduled to be moved to the Release Candidate stage on July 17, 2009 and the Official stage on August 14, 2009, is a minor version change and will not invalidate existing content that currently validates against Version 5.5, the current official version of OVAL. A complete list of changes for Version 5.6 is available on the Upcoming Minor Version page.

"OVAL Checker" Utility Now Available on OVAL Utilities SourceForge.net Web Site

A free "OVAL Checker" utility was posted for the public on June 15, 2009 on the free OVAL Utilities SourceForge.net site at http://sourceforge.net/projects/ovalutils/. The OVAL Checker is a Schematron-based utility that flags common mistakes and poor stylistic decisions in OVAL Definition documents. The list of issues that the utility detects and reports will continue to evolve as the community identifies OVAL authoring best practices. The current listing of authoring style guidelines is based on the OVAL Repository Style Guide (http://oval.mitre.org/repository/about/style.html).

Please send any comments or concerns to oval@mitre.org.

OVAL Scheduled to Participate in ‘Making Security Measurable’ Booth at Black Hat Briefings 2009 on July 29-30

OVAL is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2009 on July 29-30, 2009 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Stop by Booth 70 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

Instruction on Using OVAL Included in MITRE’s Free Benchmark Development Course, July 14-15

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on July 14-15, 2009. Instruction on using the OVAL Interpreter and OVAL Definitions in benchmark development is included in two sections of the course, "Compliance Checks" and "Generate XCCDF." The course explains the benefits of using OVAL for standardized compliance checks in automated benchmarks, shows how to use the OVAL Interpreter, teaches how to write OVAL Definitions, and explains how OVAL works with XCCDF.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use the OVAL Interpreter and Open Vulnerability and Assessment Language (OVAL) Definitions, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the OVAL Calendar for information on this and other events.

MITRE Hosts Security Automation Developer Days 2009

MITRE hosted the first-ever Security Automation Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference was technical in nature and focused on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event was for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Discussion topics included NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases.

For additional information visit the Developer Days page on the Making Security Measurable Web site.

June 4, 2009

"OVAL Splitter" Utility Now Available on OVAL Utilities SourceForge.net Web Site

A free "OVAL Splitter" utility was posted for the public on June 1, 2009 on the OVAL Utilities SourceForge.net site at http://sourceforge.net/projects/ovalutils/. The utility takes an XML file that contains one or more definitions as a command line input and splits the input document in one of two ways: (1) the user indicates on the command line the OVAL-ID of a definition, test, object, state, or variable and each of the items is split into its own new valid document; and (2) the user indicates on the command line that the input document should be fully split at a specified level (definitions, test, object, state, variable) and the utility creates a new XML file for each item at the designated level (for example, if the input document has five definitions and the user indicates that the document should be split at the definition level the utility will create a new XML file for each definition in the input document).

Please send any comments or concerns to oval@mitre.org.

OVAL Mentioned in Article about SCAP in Computerworld

OVAL was mentioned in an article entitled "How SCAP Brought Sanity to Vulnerability Management" in Computerworld on May 11, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

OVAL is mentioned when the author explains that "SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes the Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data; the Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues; the Open Vulnerability and Assessment Language (OVAL) to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer; and Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools."

The author also provides an example of SCAP in action: "Let’s see how this helps me in building a real solution. As a head of a vulnerability management program as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners. In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments. I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I’ve just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal! I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms."

OVAL Mentioned in Article about SCAP in Government Computer News

OVAL was mentioned in an article entitled "Draft guidelines issued for using SCAP to automate security validation" in Government Computer News on May 7, 2009. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Special Publication 800-117: Guide to Adopting and Using the Security Content Automation Protocol that specifies how enterprises can use its Security Content Automation Protocol (SCAP), and a revised version of its testing requirements that security products using SCAP must meet to achieve SCAP validation entitled Draft NIST Interagency Report 7511: Security Content Automation Protocol Validation Program Test Requirements, Revision 1.

OVAL is mentioned in the article as one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results: "Open Vulnerability and Assessment Language, an XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches." The other five standards are Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Common Vulnerability Scoring System (CVSS).

Comments on draft guidelines 800-117 are due to NIST by June 12, 2009 and should be sent to 800-117comments@nist.gov with "Comments SP 800-117" in the subject line.

May 14, 2009

OVAL Version 5.6 in Draft Stage

Version 5.6 of the OVAL Language is currently in the Draft stage and is scheduled to be moved to the Official stage on August 14, 2009. As this is a minor version change, Version 5.6 will not invalidate existing content that currently validates against Version 5.5, the current official version of OVAL. A complete list of changes for Version 5.6 is available on the Upcoming Minor Version page.

May 7, 2009

MITRE to Host Security Automation Developer Days 2009, June 8-12

MITRE is scheduled to host the first-ever Security Automation Developer Days 2009 on June 8-12, 2009, at MITRE in Bedford, Massachusetts, USA. This free five-day conference will be technical in nature and focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP in technical detail and to derive solutions that benefit all concerned parties. Currently scheduled discussion topics include NIST SP 800-126, SCAP content management, lifecycle, validation, and remediation; OVAL®, XCCDF, emerging specifications, and perceived gaps in standards coverage; ontology; and use cases.

For additional information, visit http://makingsecuritymeasurable.mitre.org/participation/devdays.html#2009.

OVAL Repository Announces Top Contributors Awards for Q1-2009

Hewlett-Packard and Gideon Technologies, Inc. received the "OVAL Repository Top Contributors Awards" for Q1-2009. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

New OVAL Board Member

Jim Hansen of BigFix, Inc. has joined the OVAL Board.

OVAL Board Teleconference Minutes Posted

Meeting minutes for the OVAL Board teleconference held on Monday, April 13, 2009 have been posted on the Discussion Archives page.

MITRE Hosts "Making Security Measurable" Booth at RSA 2009

MITRE hosted a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009.

Visit the OVAL Calendar for information on this and other events.

Information Systems Security Association (ISSA) Awards MITRE as "Outstanding Organization of the Year 2008"

MITRE Corporation was recognized as "Outstanding Organization of the Year" for 2008 by the Information Systems Security Association (ISSA). The award was presented at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 22, 2009, and was accepted on behalf of MITRE by Senior Vice President and General Manager of the Center for Integrated Intelligence Systems Robert Nesbit, Information Security Executive Director Marion Michaud, and Principal Information Systems Engineer Marc Noble.

MITRE was nominated for the award by the ISSA Northern Virginia Chapter for its role as a long-time supporter of the association and the information security profession, and for the development of publicly available solutions to thwart cybercrime, such as its "honeyclient" open-source package that proactively monitors Internet servers for fast-running, malicious programs designed to infect user systems.

"We see it as part of our public service mission to support the information security profession, including sharing knowledge we’ve developed to safeguard data and protect it from misuse," said Al Grasso, MITRE president and chief executive. "Recognition by ISSA tells us we’re meeting this critical responsibility."

In the past decade, MITRE has developed four of the six security standards that comprise the National Institute of Standards and Technology’s Security Content Automation Protocol, or SCAP. The four standards — Common Vulnerabilities and Exposures (CVE®); Open Vulnerability and Assessment Language (OVAL®); Common Platform Enumeration (CPE™); and Common Configuration Enumeration (CCE™) — are also part of MITRE’s "Making Security Measurable" effort.

April 16, 2009

"OVAL Utilities" Now Available on SourceForge.net Web Site

The OVAL Team has created a new OVAL Utilities project on the Sourceforge.net Web site at https://sourceforge.net/projects/ovalutils/ to host a suite of open source utilities that simplify working with OVAL content. The initial tools posted are those that the OVAL Team uses internally to manage content. However, we hope to develop new utilities for use by the community that will help simplify common tasks related to managing OVAL content.

The main purpose of this project is to promote OVAL by ensuring that there are tools to help with the common content problems, provide a location for external developers to host OVAL utilities, and further OVAL adoption by making it easier to use OVAL.

Please send any comments or concerns to oval@mitre.org.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on April 13, 2009. Discussion topics included updates on the OVAL Board, OVAL Compatibility/Adoption, the OVAL Language Versioning process, and the Language release road map. Meeting minutes will be posted once they are available.

April 2, 2009

MITRE to Host "Making Security Measurable" Booth at RSA 2009, April 20-24

MITRE is scheduled to host a Making Security Measurable booth at RSA 2009 at the Moscone Center in San Francisco, California, USA, on April 20-24, 2009. Please stop by Booth 2411 and say hello!

Visit the OVAL Calendar for information on this and other events.

"OVAL Language Deprecation Policy" Now Available

A new page entitled OVAL Language Deprecation Policy has been posted in the OVAL Language section of the OVAL Web site. The new page details how and why unneeded constructs are deprecated from the OVAL Language.

March 19, 2009

OVAL "Terms of Use" Updated

The OVAL Terms of Use page has been updated with a new "Introduction" section to help clarify that MITRE has copyrighted the OVAL Language for the benefit of the community in order to ensure it remains a free and open standard, as well as to legally protect the ongoing use of it and any resulting content that is stored in the OVAL Repository by government, vendors, and/or users, and that MITRE has trademarked ® the OVAL acronym and the OVAL logo to protect their sole and ongoing use by the OVAL effort within the information security arena.

The OVAL Language and any resulting OVAL content based upon the language that is stored in the OVAL Repository have been and remain free to use by any organization or individual for any research, development, and/or commercial purposes, per the OVAL Terms of Use.

We encourage you to contact oval@mitre.org if you require further clarification on this issue.

Instruction on Using OVAL Included in MITRE’s Free Benchmark Development Course, April 8

MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on April 8, 2009. Instruction on using the OVAL Interpreter and OVAL Definitions in benchmark development is included in two sections of the course, "Compliance Checks" and "Generate XCCDF." The course explains the benefits of using OVAL for standardized compliance checks in automated benchmarks, shows how to use the OVAL Interpreter, teaches how to write OVAL Definitions, and explains how OVAL works with XCCDF.

The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use the OVAL Interpreter and Open Vulnerability and Assessment Language (OVAL) Definitions, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Configuration Enumeration (CCE), Common Platform Enumeration (CPE), Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.

Visit the OVAL Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at InfoSec World 2009

MITRE hosted a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009.

Visit the OVAL Calendar for information on this and other events.

OVAL/Making Security Measurable Briefing Presented at DHS/DoD/NIST SwA Forum

OVAL Team Member and CWE Program Manager Robert A. Martin presented a briefing about OVAL/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.

Visit the OVAL Calendar page for information on this and other upcoming events.

March 5, 2009

OVAL/Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 10-12

OVAL Team Member and CWE Program Manager Robert A. Martin is scheduled to present a briefing about OVAL/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 10-12, 2009 at MITRE Corporation in McLean, Virginia, USA.

Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CRF, CVE, CCE, CPE, CAPEC, CWE, CEE, and/or Making Security Measurable at your event.

New OVAL Board Member

Chandrashekhar B of SecPod Technologies has joined the OVAL Board.

February 19, 2009

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2009, March 9-10

MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2009 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on March 9-10, 2009. Please stop by booth 531 and say hello.

Visit the OVAL Calendar for information on this and other events.

February 5, 2009

MITRE Hosts "Making Security Measurable" Booth at 2009 Information Assurance Symposium

MITRE hosted a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-5, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."

Visit the OVAL Calendar for information on this and other events.

Two New OVAL Board Members

Blake Frantz and Steven Piliero of the Center for Internet Security have joined the OVAL Board.

January 22, 2009

MITRE to Host "Making Security Measurable" Booth at 2009 Information Assurance Symposium, February 3-6

MITRE is scheduled to host a Making Security Measurable booth at the 2009 Information Assurance Symposium at the Sheraton Dallas International Conference and Exposition Center, in Dallas, Texas, USA, on February 3-6, 2009. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks." Please stop by booth 301 and say hello.

Visit the OVAL Calendar for information on this and other events.

Four New OVAL Board Members

Scott Armstrong and Jonathan Frazier of Gideon Technologies, Inc., Stephen Quinn of the National Institute of Standards and Technology (NIST), and Anton Chuvakin of Qualys, Inc. have joined the OVAL Board.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on January 12, 2009. Discussion topics included updates on the OVAL Board; OVAL Compatibility/Adoption; the OVAL Language Versioning process, including allowable minor version impact, the deprecation process improvement, and allowance for breaking backward compatibility; Language expansion versus a major revision; and the Language release road map. Read the meeting minutes.

January 8, 2009

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2009

MITRE has announced its initial Making Security Measurable calendar of events for 2009. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events may be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have MITRE present a briefing or participate in a panel discussion about OVAL, CRF, CPE, CVE, CCE, CAPEC, CWE, CEE, and/or Making Security Measurable at your event.

OVAL Repository Announces Top Contributors Awards for Q4-2008

Hewlett-Packard and Secure Elements, a division of Fortinet, Inc., received the "OVAL Repository Top Contributors Awards" for Q4-2008. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.


Page Last Updated: April 28, 2015