OVAL Official Adopters

OFFICIAL OVAL Adopters

Organizations Participating: 22
Products and Services: 30

The products and services listed below have achieved the final stage of MITRE’s formal OVAL Adoption Program Process and are now "Official OVAL Adopters." Each organization’s product is now eligible to use the OVAL Adopter Product/Service logo, and their completed and reviewed "Requirements and Recommendations for OVAL Adoption and Use" questionnaires based upon the "OVAL Technical Use Cases Guide" are posted here and on the OVAL Adoption Program Participants page as part of their product listings.

Products are listed alphabetically by organization.

A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | Q | R | S | T | U | V | W | X | Y | Z
Altex-Soft Date Declared: January 30, 2012

Web Sites:

(Russian) www.altx-soft.ru
(English) www.altex-soft.com

Product Name: Altex-Soft Ovaldb

Type: Web-Based OVAL Repository Database

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: RedCheck

Type: Vulnerability, Patch, and Compliance Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Nov 3, 2014

Back to top
Beyond Trust Date Declared: September 8, 2010

Web Site:

Quote/Declaration: Beyond Trust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise. eEye enables secure computing through world-renowned research and innovative technology, supplying the world's largest businesses with an integrated and research-driven vulnerability assessment, intrusion prevention, and client security solution. eEye is pleased to support the CVE Initiative and will continue to promote the standardization of the CVE naming convention and vulnerability identification.

Product Name: Retina Network Security Scanner

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 25, 2014

Back to top
Center for Internet Security Date Declared: Feb 26 2014

Web Site:

Quote/Declaration: CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL server, as well as Red Hat Enterprise Linux platforms. CIS-CAT's support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.

Product Name: Center for Internet Security Configuration Assessment Tool (CIS-CAT)

Type: Host-Based Configuration Assessment Tool

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
GCP Global Date Declared: September 24, 2012

Web Site:

Quote/Declaration: ORCA GRC is a web-based solution intended to aid organizations of all sizes in managing their security, risk, compliance, and governance efforts in a single software platform. ORCA uses OVAL Definitions to identify non-conformities in security and compliance in an automated manner simplifying the auditing workflow.

Product Name: ORCA

Type: Governance, Risk, and Compliance (GRC) Solution

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Jun 20, 2013

Back to top
Greenbone Networks GmbH Date Declared: March 30, 2010

Web Site:

Product Name: Greenbone Security Manager

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Information-technology Promotion Agency, Japan (IPA) Date Declared: February 2, 2011

Web Site:

Quote/Declaration: IPA offers three products for JVN Security Content Automation Framework. Version Checker is an OVAL-based free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor's download website with just a few clicks. Security Configuration Checker is an XCCDF and OVAL-based free, easy-to-use scanner that assesses Windows security configuration, including the USB autorun feature, password, and lockout policies of CCE. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.

Product Name: MyJVN API

Type: Vulnerability Assessment and Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: MyJVN Security Configuration Checker

Type: Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: MyJVN Version Checker

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Mar 3, 2014

Back to top
Institute for Information Industry - CyberTrust Technology Institute Date Declared: December 12, 2012

Web Site:

Quote/Declaration: CSK controller performs automatic compliance auditing to each CSK agent on enterprise endpoints. It can check security mis-configurations, scan systems and application vulnerabilities, evaluate enterprise threats through the baselines which is in the context of XCCDF based on enterprise demands or official compliance. CSK agent gathers all the security information including system configurations, application weakness, service status on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).

Product Name: Crystal Security Keeper (CSK)

Type: Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: February 20, 2013

Back to top
Inverse Path S.r.l. Date Declared: Mar 10, 2010

Web Site:

Quote/Declaration: Our compliance tool aims at allowing an easy and effective management of security policies. We've always looked at standardization efforts as a very effective approach for improving the state of security and/or known vulnerability checking, OVAL does just that and we are committed in supporting it for seamless integration and empowering users without reinventing the wheel.

Product Name: TPOL - OVAL Security Compliance

Type: Vulnerability, Patch, and Compliance Assessment

  OVAL Adopter
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Mar 12, 2014

Back to top
jOVAL.org Date Declared: June 30, 2011

Web Site:

Product Name: jOVAL Definition Interpreter (jovaldi)

Type: Open Source, Java-based OVAL Definition Interpreter

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
McAfee, Inc. Date Declared: March 8, 2011

Web Site:

Quote/Declaration: McAfee has long understood the value of standards, actively participating on directional bodies such as the OVAL Board. McAfee was a very early adopter of OVAL and other security automation standards. McAfee has had OVAL Certified products in the past and continues to assure OVAL is used appropriately in a range of McAfee products. Today McAfee uses OVAL in three different security technologies, Policy Auditing, Vulnerability Management, and Network Access. We are using the same content in all three areas. Policy Auditor was the first enterprise class product to natively support SCAP. McAfee NAC was to first Network Access product to support SCAP. OVAL is a critical aspect of that support. Our OVAL support today includes Microsoft, AIX, HP-UX, Solaris, Mac OS X, and various Linux distributions across our product uses. In addition, McAfee is innovating SCAP by supplying and supporting localized SCAP/OVAL content in many different languages. It also provides a means to make XCCDF/OVAL results much more usable than just telling you if you are compliant or not against a specific benchmark. McAfee continues to develop innovative OVAL content for our customers' uses. McAfee has and will continue to invest in OVAL.

Product Name: McAfee Network Access Control

Type: Network Connection Health Check, Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: McAfee Policy Auditor

Type: Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: McAfee Vulnerability Manager

Type: Vulnerability Assessment, Auditing and Centralized Audit Validation, Configuration Management, Patch Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Aug 7, 2013

Back to top
National Institute of Advanced Industrial Science and Technology (AIST) Date Declared: January 14, 2011

Web Site:

Quote/Declaration: SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.

Product Name: SIX OVAL

Type: Enterprise Compliance/Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated:

Back to top
NopSec, Inc. Date Declared: December 23, 2010

Web Site:

Quote/Declaration: NopSec Vulnerability Risk Management (VRM) automates the life cycle of network auditing and vulnerability management across the enterprise, including network discovery and mapping, asset prioritization, vulnerability assessment reporting and charting, elimination of virtually all false positives, remediation tracking, and ticketing system according to business risk. NopSec VRM vulnerability scanning engine has planned support for OVAL Definitions evaluations. It is in beta phase for what concerns the OVAL Results Consumer and OVAL Systems Characteristics Producer Capabilities. NopSec has chosen to adopt the OVAL Standard in order to aid in integrations, perform SCAP validation, judge FDCC benchmarks, and extend third party application testing.

Product Name: NopSec Vulnerability Risk Management (VRM)

Type: Vulnerability Risk Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Jun 27, 2013

Back to top
OpenVAS Date Declared: July 6, 2012

Web Site:

Quote/Declaration: OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. his includes exporting system characteristics for the whole network, and applying the applications reporting framework according to OVAL Definitions.

Product Name: OpenVAS

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
Positive Technologies CJSC Date Declared: May 11, 2012

Web Site:

Quote/Declaration: Positive Technologies is a leading provider of vulnerability and compliance management, application security, SCADA security and penetration testing. As one of the development directions, we decided to use the SCAP technology in our products. We are implementing OVAL standards, supporting FDCC/USGCB, and maximizing integration with other open security standards in our products. We also provide an open OVAL repository containing vulnerability descriptions collected from various sources.

Product Name: Positive Technologies OVAL Repository

Type: OVAL Definition Repository

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: Apr 22, 2014

Back to top
Red Hat, Inc. Date Declared: February 10, 2010

Web Site:

Quote/Declaration: Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.

Product Name: Red Hat Security Advisories

Type: Product Vulnerability Security Advisories

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Last Updated: October 24, 2012

Back to top
SAINT Corporation Date Declared: March 5, 2010

Web Site:

Quote/Declaration: SAINT Corporation's vulnerability scanning product is a Web-based application available as a software download, appliance, or Software as a Service (SaaS or "Cloud" technology). SAINT Vulnerability Scanner uncovers areas of weakness and recommends fixes via its extensive tutorials. SAINT is certified under NIST's SCAP specification as an Unauthenticated Vulnerability Scanner and Authenticated Vulnerability and Patch Scanner. SAINT supports OVAL by allowing users to import OVAL checks from the OVAL Repository, as well as importing user-developed XML files containing OVAL checks. SAINT provides view/download of OVAL result files via the GUI. SAINT also reports system characteristics of identified hosts for use in analysis, auditing, remediation and/or patch management.

Product Name: SAINT Vulnerability Scanner

Type: Vulnerability Assessment

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
SecPod Technologies Date Declared: December 10, 2010

Web Site:

Quote/Declaration: SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering majority of the CVE's for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and also consumed by end users. SecPod Saner is a light-weight, easy-to-use enterprise grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively consuming the SCAP feed from the SecPod SCAP Repo content repository.

Product Name: SecPod SCAP Feed

Type: OVAL Repository

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: No
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: No

Review Completed Questionnaire

Product Name: SecPod Saner

Type: Vulnerability Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
Security-Database Date Declared: April 7, 2010

Web Site:

Quote/Declaration: Security-Database is pleased to support this initiative by supplying OVAL information along with vulnerability information and to provide access to a full mirroring repository of OVAL XML and online OVAL Definitions.

Product Name: Security-Database OVAL Repository

Type: Web-Based OVAL Repository Database

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Planned
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Planned

Review Completed Questionnaire

Last Updated: Mar 3, 2014

Back to top
SPAWAR Systems Center Atlantic Date Declared: Februry 25, 2010

Web Site:

Quote/Declaration: The SCAP Compliance Checker has adopted OVAL as part of the FDCC Scanner capabilities of SCAP Validation Program. SCAP Compliance Checker is able to process all four of OVAL's schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing. By using the industry standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.

Product Name: SCAP Compliance Checker

Type: OVAL Definition Evaluator

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: No
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Feb 27, 2014

Back to top
ThreatGuard, Inc. Date Declared: February 24, 2010

Web Site:

Quote/Declaration: ThreatGuard offers three products that fully integrate support for OVAL: S-CAT, Secutor Prime, and Secutor Magnus. From 2004 to present day, ThreatGuard has fulfilled OVAL definition consumer compatibility requirements with each major evolution of the language. The ThreatGuard OVAL interpreter was engineered from the beginning to assess local computers and remote targets using agentless 'over the wire' technology. This OVAL interpreter currently supports Microsoft Windows, as well as Solaris, HP-UX, Linux, and Cisco IOS. Support for additional operating systems and applications, such as mainframes and databases, will be added as new OVAL content is developed. All three products automatically processes the OVAL definition content as referenced in the XCCDF file to perform assessment activities. S-CAT has an option to bypass the XCCDF file and process OVAL vulnerability content files to perform vulnerability assessments. Secutor Prime includes an OVAL Notes tab that allows the user to see the decisions made by the interpreter as it processes the OVAL content and includes an option to display the OVAL-ID of vulnerability definitions in the tree as the title for each vulnerability definition. Secutor Magnus can automatically load OVAL-based vulnerability content to perform vulnerability assessments against a variety of operating systems.

Product Name: Secutor Compliance Automation Toolkit (S-CAT)

Type: Universal, Integratable SCAP Assessment Module

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: Secutor Magnus

Type: Enterprise SCAP Compliance/Vulnerability Management System

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Product Name: Secutor Prime

Type: Desktop Compliance/Vulnerability Assessment Tool

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Planned
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated:

Back to top
ToolsWatch Date Declared: Jul 22 2015

Web Site:

Quote/Declaration: SSA (Security System Analyzer) is free non-intrusive OVAL/XCCDF host-based security analyzer and compliance tool. It introduces a new simplified way to rely on open standards such OVAL and XCCDF to report compliance issues. SSA has adopted the OVAL standard as part of its vulnerability validation process. As a result, SSA consumes the Definitions and solely relies on the OVAL and XCCDF interpreters.

Product Name: SSA - Security System Analyzer

Type: Security Scanner and Compliance Assessment Software

  OVAL Adopter
  • OVAL Authoring Tool: Yes
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: Yes
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Last Updated: Jul 22, 2015

Back to top
Tripwire, Inc. Date Declared: October 19, 2010

Web Site:

Quote/Declaration: Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and mis-configuration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.

Product Name: Tripwire Enterprise

Type: Security Configuration Management

  OVAL Adopter
  • OVAL Authoring Tool: No
  • OVAL Definition Evaluator: Yes
  • OVAL Definition Repository: No
  • OVAL Results Consumer: Yes
  • OVAL System Characteristics Producer: Yes

Review Completed Questionnaire

Last Updated: Jun 18, 2014

Back to top