News and Events - 2011 Archive

Subscribe to the OVAL News feed to get notifications of our latest headlines.

Release Candidate 1 of OVAL Version 5.10.1 Now Available

Release Candidate 1 of Version 5.10.1 of the OVAL Language is now available on the OVAL Web site. Version 5.10.1 is scheduled to be moved to the Official stage on January 13, 2012. This is an update version change, per the revised OVAL Language Versioning Policy, that fixes a critical issue discovered in Version 5.10 of the OVAL Language.

Additional information about Version 5.10.1 is available on the Version 5.10.1 Upcoming Version page.

Draft of OVAL Version 5.10.1 Now Available

A Draft of Version 5.10.1 of the OVAL Language is now available on the OVAL Web site. Version 5.10.1 is scheduled to be moved to the Official stage on January 13, 2012.

Version 5.10.1 is an update version change that fixes a critical issue discovered in Version 5.10 of the OVAL Language, per the new "OVAL Language Versioning Policy" document. Version 5.10.1 adds the missing extended_name entity to the linux-def:rpmverifypackage_state and fixes the minOccurs attribute on the entities in the linux-def:rpmverifypackage_object and linux-def:rpmverifyfile_object so that they are required. Finally, this draft includes an update to the schema_version entity, in the oval:GeneratorType, so that it aligns with the new three-component version identifier in the updated OVAL Language Versioning Policy.

Additional information about Version 5.10.1 is available on the Version 5.10.1 Upcoming Version page.

OVAL Language Versioning Policy Updated

The "OVAL Language Versioning Policy" document has been updated. The new policy describes that there are now three different types of releases: Major, Minor, and Update; it also explains the new version identifier format of MAJOR.MINOR.UPDATE (e.g., Version 5.10.1). By allowing update releases to the most recent version of the OVAL Language, such as the upcoming update of the current official version of the OVAL Language from Version 5.10 to Version 5.10.1 on January 13, 2012, fixes and other important updates to the language can be made available to the public as quickly as possible.

OVAL Test Content Downloads Moved to SourceForge.net

The OVAL Test Content downloads will now be hosted on the SourceForge.net Web site at http://sourceforge.net/projects/ovaltestcontent/. The transition was made to provide better access to the OVAL Test Content downloads and related documentation, as well as public access to bug tracking and feature request tracking for the test content.

The OVAL Test Content Page on SourceForge includes the following:

• SVN Repository File Review/Downloads
• Bug and Feature Request Tracking
• Wiki
• Help Forum

The OVAL Test Content page on the OVAL Web site will now point visitors to the new location for file distribution. Please send any comments or concerns to oval@mitre.org.

OVAL/SCAP/Software Assurance Workshops and OVAL/Making Security Measurable Booth at IT Security Automation Conference 2011

OVAL was included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA. MITRE also participated in workshops about the Making Security Measurable, CVE, CCE, CPE, XCCDF, ARF, CWE, CAPEC, CEE, and MAEC efforts and hosted an OVAL/Making Security Measurable booth.

Slides from the event include the following:

• OVAL Workshop slides

NIST’s Security Content Automation Protocol (SCAP) employs existing and emerging community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the eight open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other seven standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; Open Checklist Interactive Language (OCIL), a standard language for expressing and evaluating non-automated security checks; Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities; and Common Configuration Scoring System (CCSS), a standard for conveying and scoring the impact of software security configuration issues.

Visit the OVAL Calendar for information on this and other events.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on October 17, 2011. Discussion topics included status updates on the OVAL Language, OVAL Repository, and OVAL Adoption; scripting; release planning and strategy for upcoming versions of OVAL; OVAL content development; and expanding outreach efforts. Read the meeting minutes.

Tripwire, Inc. Updates OVAL Adoption Declaration for Tripwire Enterprise

Tripwire, Inc. has updated its declaration stating that its security configuration management product, Tripwire Enterprise, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.

jOVAL.org Corporation Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

jOVAL.org achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for jovaldi. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

OVAL Included as Topic at IT Security Automation Conference 2011, October 31 – November 2

OVAL will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 7th Annual IT Security Automation Conference on October 31 – November 2, 2011 in Arlington, Virginia, USA. The OVAL Team is also scheduled to contribute to the OVAL-related workshops, and MITRE will host an OVAL/Making Security Measurable booth.

Visit the OVAL Calendar for information on this and other events.

OVAL Repository Announces Top Contributors Awards for Q3-2011

G2, Inc., SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q3-2011. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

OVAL/Making Security Measurable Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop

OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin presented an OVAL/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA. In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek presented a Software Assurance briefing.

Visit the OVAL Calendar for information on this and other events.

Version 5.10 of OVAL Now Available

Version 5.10 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language page. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.10.

Version 5.10 includes the following: a new test to support using PowerShell cmdlets to collect system state information (win-def:cmdlet_test); a new win-def:peheader_test; corrected Schematron rules for objects in EntityAttributeGroup that did not account for the new EntityObjectRecordType(oval-definitions-schema.xsd); added documentation on implementing the operations for the fileset_revision datatype; added instance entity to the macos-def:plist_object -and creation of macos-def:plist510_object; addition of last_logon entity to win-def:user_state, win-sc:user_item, unix-def:password_state, and unix-sc:password_item; clarified documentation around handling of recording partial matches in system characteristics items; clarified documentation and added dependency_check_passed, digest_check_passed, verification_script_successful, and signature_check_passed entities to the lin-def:rpmverify_test; corrected conflicting and invalid documentation of the mask attribute; added add win-def:sharedresourceeffectiverights_test and win-def:sharedresourceauditedpermissions_test; and corrected several issues in the sharepoint component schema.

The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.10.

OVAL Interpreter Updated for Version 5.10

The OVAL Interpreter and its source code have been updated to OVAL Version 5.10. Specific updates to the OVAL Interpreter included: addition of support for Version 5.10 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the terms of use.

OVAL Repository Updated for Version 5.10

The OVAL Repository has been updated to OVAL Version 5.10. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.

OVAL/Making Security Measurable Briefing and CWE/CAPEC/MAEC Briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop, September 26

OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin will present an OVAL/Making Security Measurable briefing and a CWE/CAPEC/MAEC briefing at Software Assurance Enabling Reliability, Resilience, Robustness, and Security Workshop on September 26, 2011 in Linthicum Heights, Maryland, USA.

In addition, Director for Software Assurance at U.S. Department of Homeland Security (DHS) National Cyber Security Division (NCSD) Joe Jarzombek will present a Software Assurance briefing.

Visit the OVAL Calendar for information on this and other events.

Release Candidate 2 of OVAL Version 5.10 Now Available

Release Candidate 2 of Version 5.10 of the OVAL Language is now available on the OVAL Web site. Version 5.10 is scheduled to be moved to the Official stage on September 14, 2011. As this is a minor version change, Version 5.10 will not invalidate existing content that currently validates against Version 5.9, the current official version of OVAL.

A complete list of changes for Version 5.10 is available on the Upcoming Minor Version page.

OVAL Version 5.10 to Be Released on September 14, 2011

Version 5.10 of the OVAL Language is now scheduled to be moved to the Official stage on September 14, 2011. The new release date was necessary in order to provide ample time to add new features recommended by the community. Please send any comments or concerns to oval@mitre.org.

OVAL/Making Security Measurable Briefing at GFIRST 2011

CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase presented an OVAL/Making Security Measurable and a CWE/CAPEC/MAEC briefing at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the OVAL Calendar for information on this and other events.

OVAL/Making Security Measurable Briefing at GFIRST 2011, August 8-12

CWE/CAPEC Program Manager Robert A. Martin, CWE/CAPEC Co-Founder and Architect Sean Barnum, and MAEC Program Manager Penny Chase will present an OVAL/Making Security Measurable and a CWE/CAPEC/MAEC briefing at GFIRST National Conference 2011 on August 8-12, 2011 at the Gaylord Opryland Hotel & Convention Center in Nashville, Tennessee, USA.

Visit the OVAL Calendar for information on this and other events.

OVAL/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE hosted an OVAL/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how the OVAL, CVE, CCE, CPE, CWE, CAPEC, MAEC, CEE etc., information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

SAINT Corporation Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

SAINT Corporation achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for SAINT Vulnerability Scanner. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

OVAL Interpreter Updated to Version 5.9.2

The OVAL Interpreter and its source code have been updated to Version 5.9.2. Specific updates to the OVAL Interpreter included fixing some minor issues reported by the OVAL Community.

A detailed list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest information.

Release Candidate of OVAL Version 5.10 Now Available

Version 5.10 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on August 16, 2011. Version 5.10 is a minor version change and will not invalidate existing content that currently validates against Version 5.9, the current official version of OVAL. A complete list of changes for Version 5.10 is available on the Upcoming Minor Version page.

Draft of OVAL Language Specification Now Available

A working draft of the OVAL Language Specification document is now available for community review and comment on the Upcoming Minor Version page in the OVAL Language section. The specification defines the use cases, requirements, data model, and processing model for the OVAL Language.

Please submit comments or questions about the current draft directly to the OVAL Developer’s Forum email list.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on July 11, 2011. Discussion topics included status updates on the OVAL Language, OVAL Repository, OVAL Interpreter, and OVAL Adoption and OVAL Validation programs; the draft of the OVAL Language Specification; and the upcoming minor version release of OVAL 5.10 planned for August 16, 2011. Read the meeting minutes.

OVAL/Making Security Measurable Booth at Black Hat Briefings 2011

MITRE will host an OVAL/Making Security Measurable booth at Black Hat Briefings 2011 on August 3-4, 2011 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 307 and say hello!

Visit the OVAL Calendar for information on this and other events.

OVAL Meeting Minutes from Security Automation Developer Days 2011 Now Available

Meeting minutes from the OVAL-focused sessions at the Security Automation Developer Days 2011 conference on June 14-17, 2011 are now available for download on the Developer Days page on the OVAL Web site.

OVAL Repository Announces Top Contributors Awards for Q2-2011

G2, Inc., SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q2-2011. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

Draft 3 of OVAL Version 5.10 Now Available

Draft 3 of Version 5.10 of the OVAL Language is now available on the OVAL Web site. Version 5.10 is scheduled to be moved to the Official stage on August 16, 2011. As this is a minor version change, Version 5.10 will not invalidate existing content that currently validates against Version 5.9, the current official version of OVAL.

A complete list of changes for Version 5.10 is available on the Version 5.10 Upcoming Minor Version page.

jOVAL.org Makes Declaration to Adopt OVAL

jOVAL.org declared that its open source, Java-based OVAL Definition Interpreter, jOVAL, will incorporate OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

OVAL Briefing Slides from Security Automation Developer Days 2011 Now Available

6 briefing presentations from the OVAL-focused sessions at the Security Automation Developer Days 2011 conference on June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA are now available for download on the Developer Days page on the OVAL Web site.

Draft 2 of OVAL Version 5.10 Now Available

Draft 2 of Version 5.10 of the OVAL Language is now available on the OVAL Web site. Version 5.10 is scheduled to be moved to the Official stage on August 16, 2011. As this is a minor version change, Version 5.10 will not invalidate existing content that currently validates against Version 5.9, the current official version of OVAL.

A complete list of changes for Version 5.10 is available on the Version 5.10 Upcoming Minor Version page.

OVAL Included as Reporting Requirement in 2011 FISMA Continuous Monitoring Compliance Document

OVAL was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology for Federal Information Security Management Act (FISMA) compliance. The document provides cybersecurity status reporting metrics for government agencies focusing on the ability to automate system monitoring and security controls.

OVAL is included as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."

Registration Now Closed for MITRE’s Security Automation Developer Days 2011 on June 14-17

Registration is now closed for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.

OVAL Technical Use Cases Guide Updated

The OVAL Technical Use Cases Guide in the OVAL Adoption section has been updated with new information. In addition to updating each of the eight use cases — Security Advisory Distribution, Vulnerability Assessment, Patch Management, Configuration Management, Auditing and Centralized Audit Validation, Security Information Management Systems (SIMS), System Inventory, and Malware and Threat Indicator Sharing — each now includes one or more Use Case Scenarios detailing how OVAL can be used to improve or enhance those areas of information security. For example, the "Configuration Management" use case now includes three use case scenarios: "Policy Distribution," "Authoritative Policy Reuse," and "Compliance Reporting."

We welcome your feedback. Please send any comments or questions about the use cases to oval@mitre.org.

Agenda Now Available for MITRE’s Security Automation Developer Days 2011 on June 14-17

The agenda for MITRE’s free Security Automation Developer Days 2011 conference scheduled for June 14-17, 2011 at MITRE in Bedford, Massachusetts, USA is now available at http://makingsecuritymeasurable.mitre.org/participation/agenda.pdf.

Arellia Corporation Makes Declaration to Adopt OVAL

Arellia Corporation declared that its configuration management product, Arellia Security Analysis Solution, will incorporate OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

New OVAL Board Member

Christopher Johnson of Hewlett-Packard Development Company, L.P. has joined the OVAL Board.

McAfee, Inc. Posts Three OVAL Adoption Questionnaires to Become Official OVAL Adopter

McAfee, Inc. achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for McAfee Vulnerability Manager, OVAL Adoption Questionnaire for McAfee Policy Auditor, and OVAL Adoption Questionnaire for McAfee Network Access Control. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

Symantec Corporation Makes Two Declarations to Adopt OVAL

Symantec Corporation declared that its enterprise configuration, vulnerability, risk, and compliance management product, Symantec Risk Automation Suite, and its automated risk and policy compliance management product, Symantec Control Compliance Suite, incorporate OVAL.

For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

Guidelines for Requesting Changes to the OVAL Language Now Available

The Requesting Changes to the OVAL Language document is now available in the OVAL Language section. The guidelines were created to help OVAL Community members propose changes to the OVAL Language, including requests to add new OVAL Constructs (e.g., component schemas, core capabilities, tests, entities, or functions), improve existing OVAL Constructs, and/or deprecate OVAL Constructs.

MITRE to Host Security Automation Developer Days 2011 on June 14-17

MITRE Corporation will host the third Security Automation Developer Days conference on June 14-17, 2011, at MITRE in Bedford, Massachusetts, USA. This four-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).

The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop. MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.

An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.

MITRE Hosts OVAL/Making Security Measurable Booth at InfoSec World 2011

MITRE hosted a OVAL/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011. Attendees learned how the OVAL, CVE, CWE, CCE, CPE, CAPEC, CEE, MAEC, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

Red Hat, Inc. Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

Red Hat, Inc. achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Red Hat Security Advisories. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

Inverse Path S.r.l. Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

Inverse Path S.r.l. achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for TPOL — OVAL Security Compliance. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

Greenbone Networks GmbH Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

Greenbone Networks GmbH achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Greenbone Security Manager. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on April 11, 2011. Discussion topics included status updates on the OVAL Language, OVAL Repository, OVAL Interpreter, and OVAL Adoption program, and OVAL Language Specification; follow-up on the OVAL sessions from Security Automation Developer Days Conference Spring 2011; and release planning for upcoming minor version OVAL 5.10 scheduled for this summer. Read the meeting minutes.

OVAL Included in Department of Homeland Security’s Enabling Distributed Security in Cyberspace White Paper

OVAL was included in the U.S. Department of Homeland Security (DHS) Enabling Distributed Security in Cyberspace white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time."

The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.

The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.

The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.

"OVAL Merge" Utility Now Available for Content Authors

A free OVAL Merge utility is now available on the OVAL Utilities page on SourceForge.net. This free utility, which was built to be used with OVAL Version 5.9, will take one or more files that contain valid OVAL content and combine them into a single, valid OVAL file that contains the union of all of the definitions, tests, objects, states, and variables found in the individual OVAL files.

Visit the OVAL Author’s Resources page for descriptions and access to all currently available OVAL utilities.

OVAL Repository Announces Top Contributors Awards for Q1-2011

Hewlett-Packard, SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q1-2011. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

Secure Bytes Corporation Makes Declaration to Adopt OVAL

Secure Bytes Corporation declared that its automated auditing product, Secure Auditor, will incorporate OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

OVAL Meeting Minutes and Briefing Slides from Spring 2011 Security Automation Developer Days Now Available

Meeting minutes and the 10 briefing presentations from the OVAL-focused sessions at the Spring 2011 Security Automation Developer Days conference on March 22-25, 2011 are now available for download on the Developer Days page on the OVAL Web site.

MITRE to Host OVAL/Making Security Measurable Booth at InfoSec World 2011, April 19-21

MITRE will host a OVAL/Making Security Measurable booth at InfoSec World Conference & Expo 2011 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 19-21, 2011.

Members of the OVAL Team will be in attendance. Please stop by Booth 307 and say hello!

Visit the OVAL Calendar for information on this and other events.

OVAL and Trusted Platform Module (TPM) White Paper Now Available

The OVAL and TPM: Using the Trusted Platform Module to Enhance OVAL Driven Assessments white paper provides a basic introduction to the Trusted Computing Group’s Trusted Platform Module (TPM) technology and outlines the synergies between it and the assessment infrastructure supported by the OVAL Language. The document is intended to educate the OVAL community about TPMs in general and about the exciting possibilities made possible by OVAL interactions with the TPM. It is hoped that the paper will encourage vendors to support expansions of OVAL to include TPM information as well as consider infrastructure enhancements that could lead to greater security of the OVAL process.

OVAL Test Content Now Available

The OVAL Test Content is a set of OVAL Definitions that provides a simple way to test the capability of OVAL Definition Evaluators. After running the OVAL Test Content through an OVAL Definition Evaluator, the OVAL Results will show you which tests are properly supported by that tool. This allows unit testing of tools against the language. Over time, the OVAL Test Content will cover the basic behavior of all tests and capabilities in the OVAL Language.

Developers may use this content to help guide the development of new tools, users may use this content as part of their evaluation of competing products, and content authors may use the content as a reference for writing new content.

Visit the OVAL Test Content page to learn more and for downloads.

OVAL Author’s Resources Page Now Available

The OVAL Author’s Resources page gathers documents and tools for authoring content in the OVAL Language into a single location. Included are prerequisites, instructional documents, useful tools, and how to obtain further assistance.

Challenges of Writing OVAL Definitions White Paper Now Available

The Challenges of Writing OVAL Definitions white paper describes the skill set required for authoring OVAL Definitions, of which knowledge of the OVAL Language itself is only a small part. Also explained is how the underlying research necessary to sufficiently understand a known good or bad system state is a challenge that is independent of OVAL, but that by providing a standard format for describing it OVAL significantly helps software vendors and researchers by providing a baseline for them to collaborate in investigating the detailed system information that is needed.

ThreatGuard, Inc. Posts Three OVAL Adoption Questionnaires to Become Official OVAL Adopter

ThreatGuard, Inc. has achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Secutor Compliance Automation Toolkit (S-CAT), OVAL Adoption Questionnaire for Secutor Magnus, and OVAL Adoption Questionnaire for Secutor Prime. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

Information-technology Promotion Agency, Japan (IPA) Posts Two OVAL Adoption Questionnaires to Become Official OVAL Adopter

Information-technology Promotion Agency, Japan (IPA) has achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for MyJVN Version Checker and an OVAL Adoption Questionnaire for MyJVN Security Configuration Checker. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

McAfee, Inc. Makes Three Declarations to Adopt OVAL

McAfee, Inc. declared that its auditing and centralized audit validation, configuration management, and patch management tool, McAfee Policy Auditor, network connection health check, auditing and centralized audit validation, configuration management, and patch management tool, McAfee Network Access Control, and vulnerability assessment, auditing and centralized audit validation, configuration management, and patch management tool, McAfee Vulnerability Manager, incorporate OVAL.

For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

Microsoft Corporation Makes Two Declarations to Adopt OVAL

Microsoft Corporation declared that its security and compliance knowledge management tool, Microsoft Security Compliance Manager, and its enterprise configuration management tool, SCAP Extension for System Center Configuration Manager 2007, incorporate OVAL.

For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

MITRE Hosted OVAL/Making Security Measurable Booth at the 2011 Information Assurance Symposium

MITRE hosted an OVAL/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. Attendees learned how the OVAL, CVE, CWE, CCE, CPE, CAPEC, CEE, MAEC, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

Photos from OVAL/Making Security Measurable Booth at RSA 2011

MITRE hosted an OVAL/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011.

OVAL Adopter photos:

Making Security Measurable booth photos:

Visit the OVAL Calendar for information on this and other events.

Draft of OVAL Version 5.10 Now Available

A Draft of Version 5.10 of the OVAL Language is now available on the OVAL Web site. Version 5.10 is scheduled to be moved to the Official stage on July 26, 2011. As this is a minor version change, Version 5.10 will not invalidate existing content that currently validates against Version 5.9, the current official version of OVAL.

A complete list of changes for Version 5.10 is available on the Version 5.10 Upcoming Minor Version page.

OVAL a Main Topic at Spring 2011 Security Automation Developer Days, March 22-25

OVAL will be a main topic at Spring 2011 Security Automation Developer Days conference on March 22-25, 2011 held at U.S. National Institute of Standards and Technology (NIST) in Gaithersburg, Maryland, USA. Members of the OVAL Team will present the OVAL-related workshops.

The conference will focus on discussing enhancements to existing Security Content Automation Protocol (SCAP) specifications, content repository automation and standardization, content development best practices, and standardizing remediation capabilities. SCAP uses the CVE, CCE, CPE, OVAL, XCCDF, and CVSS community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation."

For conference details and to register, visit: http://www.nist.gov/itl/csd/sec-automation-developer.cfm.

Version 5.9 of OVAL Now Available

Version 5.9 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language page. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.9.

Version 5.9 includes a significant refactoring of the XML Schema definition of the record datatype in the oval-system-characteristics-schema and the oval-definitions-schema to address an invalid XML Schema construct that was reported by the community. This release also removes an improper use of the xpath 2.0 exists() function, corrects the mac-os:pwpolicy_object, and adds a Schematron rule to ensure proper use of the filename entity.

The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.9.

OVAL Interpreter Updated for Version 5.9

The OVAL Interpreter and its source code have been updated to OVAL Version 5.9. Specific updates to the OVAL Interpreter included: addition of support for Version 5.9 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the terms of use.

OVAL Repository Updated for Version 5.9

The OVAL Repository has been updated to OVAL Version 5.9. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.

Coverage of Mac OS X Added to OVAL Repository

The OVAL Repository now includes coverage for Apple Inc.’s Macintosh OS X operating system, in addition to coverage for IOS, PIX IOS, Windows, and UNIX. Seven OVAL Definitions for Mac OS X were added to the Repository on February 3, 2011.

MITRE to Host OVAL/Making Security Measurable Booth at the 2011 Information Assurance Symposium, March 8-10

MITRE will host an OVAL/Making Security Measurable booth at the 2011 Information Assurance Symposium in Nashville, Tennessee, USA, on March 8-10, 2011. The symposium is designed to bring together industry, government, and military information assurance (IA) professionals with the latest available IA products and solutions.

Visit the OVAL Calendar for information on this and other events.

MITRE Hosts OVAL/Making Security Measurable Booth at RSA 2011

MITRE hosted an OVAL/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Members of the OVAL Team were in attendance. Attendees learned how the OVAL, CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, etc. information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

SecPod Technologies Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter

SecPod Technologies has achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for SecPod OVAL Definitions Professional Feed. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.

For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.

NetIQ Makes Declaration to Adopt OVAL

NetIQ declared that its NetIQ Secure Configuration Manager incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.

OVAL Version 5.9 in Release Candidate Stage

Version 5.9 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on February 22, 2011. Version 5.9 is a minor version change and will not invalidate existing content that currently validates against Version 5.8, the current official version of OVAL. A complete list of changes for Version 5.9 is available on the Upcoming Minor Version page.

Information-technology Promotion Agency, Japan (IPA) Makes Three Declarations to Adopt OVAL

Information-technology Promotion Agency, Japan (IPA) declared that its vulnerability assessment product, MyJVN Version Checker; configuration management product, MyJVN Security Configuration Checker; and its vulnerability assessment and configuration management product, MyJVN API; incorporate OVAL.

For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.

MITRE to Host OVAL/Making Security Measurable Booth at RSA 2011, February 14-18

MITRE is scheduled to host an OVAL/Making Security Measurable booth at RSA 2011 at the Moscone Center in San Francisco, California, USA, on February 14-18, 2011. Members of the OVAL Team will be in attendance. Please stop by Booth 2617 and say hello!

Visit the OVAL Calendar for information on this and other events.

Draft 3 of OVAL Version 5.9 Now Available

Draft 3 of Version 5.9 of the OVAL Language is now available on the OVAL Web site. Version 5.9 is scheduled to be moved to the Official stage on February 22, 2011. As this is a minor version change, Version 5.9 will not invalidate existing content that currently validates against Version 5.8, the current official version of OVAL.

A complete list of changes for Version 5.9 is available on the Version 5.9 Upcoming Minor Version page.

National Institute of Advanced Industrial Science and Technology Makes Declaration to Adopt OVAL

National Institute of Advanced Industrial Science and Technology (AIST) declared that its enterprise compliance/vulnerability management product, SIX OVAL, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.

OVAL Board Meeting Minutes Now Available

Meeting minutes for the OVAL Board teleconference meeting held on Monday, January 10, 2011 have been posted in the Community section.

OVAL/Making Security Measurable Booth at Black Hat DC 2011

MITRE hosted an OVAL/Making Making Security Measurable booth at Black Hat DC 2011, on January 18-19, 2011 in Arlington, Virginia, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

Draft 2 of OVAL Version 5.9 Now Available

Draft 2 of Version 5.9 of the OVAL Language is now available on the OVAL Web site. Version 5.9 is scheduled to be moved to the Official stage on February 22, 2011. As this is a minor version change, Version 5.9 will not invalidate existing content that currently validates against Version 5.8, the current official version of OVAL.

A complete list of changes for Version 5.9 is available on the Version 5.9 Upcoming Minor Version page.

OVAL Board Holds Teleconference Meeting

The OVAL Board held a teleconference meeting on January 10, 2011. Discussion topics included status updates on the OVAL Language, OVAL Repository, OVAL Interpreter, and OVAL Adoption and OVAL Validation programs; OVAL Language Specification; and release planning for upcoming minor versions of OVAL planned for 2011. Meeting minutes will be posted when available.

New OVAL Board Member

Alberto Bastos of Modulo has joined the OVAL Board.

NopSec, Inc. Makes Declaration to Adopt OVAL

NopSec, Inc. declared that its NopSec Vulnerability Risk Management (VRM) product incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.

OVAL Repository Announces Top Contributors Awards for Q4-2010

G2, Inc., Hewlett-Packard, SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q4-2010. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2011

MITRE has announced its initial Making Security Measurable calendar of events for 2011. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

• Black Hat DC 2011, January 18-19, 2011
• RSA Conference 2011, February 14-18, 2011
• 2011 Information Assurance Symposium, March 8-10, 2011
• InfoSec World Conference & Expo 2011, April 19-21, 2011

Other events may be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have MITRE present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CPE, CAPEC, CWE, MAEC, CEE, Software Assurance, and/or Making Security Measurable at your event.

Page Last Updated: April 28, 2015