Name of Your Organization:

ThreatGuard, Inc.

Web Site:

http://www.threatguard.com

Adopting Capability:

Secutor Prime

Capability home page:

http://threatguard.com/products/secutor-prime

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Evaluator — Yes
OVAL Systems Characteristics Producer — Yes
OVAL Results Consumer — Yes

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

Secutor Prime Free edition is available for free download from www.ThreatGuard.com. A license key will unlock premium features of the product.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

Secutor Prime indicates its OVAL Language version in the About text off the help menu.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

All correctness and functional issues should be reported to support@threatguard.com.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

ThreatGuard responds promptly to error reports without any preconceptions of the content being the source of the error. We try to ascertain and recreate the environment in which the error was found. If we find that the error is a content issue, we convey the problem to the custodian if we have a viable relationship with that custodian to do so. Errors in OVAL logic are corrected immediately and fielded in the next release of the product. Upgrades are available via free download either automatically or at the user’s convenience.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

OVAL adoption is described in Appendix E of Secutor Prime's on-board User's Guide.

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

Secutor Prime supports all OVAL test types and capabilities for Windows, Unix, and Linux as defined in the SCAP v1.2 requirements. The product includes additional support for a variety of other platforms including HP-UX, Solaris, BlackBerry Enterprise Server, VMware ESX, Cisco IOS, IBM AIX, and Apple OSX.

Assessment Method <AR_3.3>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

Assessment of state by a host-based sensor.
Assessment of state by a remote-scanning sensor.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

We don't place the burden on our customers to differentiate between content and interpreter problems. Also, we don't automatically assume that a false reading is a content problem. Typically, we find that the customer simply recognizes a general problem and we work with that customer to determine the nature of that problem. If we mutually agree that the problem is indeed a content problem, we follow our content error reporting process.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

Upon loading content, the user can check the ‘Validate’ checkbox to ensure syntactic correctness.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

Once the OVAL definitions are loaded, Secutor Prime renders a tree with a child element for each definition. By default, all definitions are selected for evaluation. The user can uncheck individual definitions to not have them evaluated. Once the assessment is performed, each node (definition) in the tree receives a green check (pass), red check (vulnerable), or other visual status indicators. We maintain a trail of OVAL Notes that clearly show the OVAL definition, each test, and how the outcome of each test falls into the overall logic of the definition's criteria.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

We are *strong* advocates of processing the raw SCAP XML at runtime (including both XCCDF and OVAL). This native processing grants us ultimate flexibility as OVAL evolves and as new use cases are introduced.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

Once the assessment is performed, the results are rendered in a tree view. Each node (definition) in the tree receives a green check (pass), red check (vulnerable), or other visual status indicators. For further inspection, the user can select a node in the tree to view the OVAL Notes for the associated definition. The OVAL Notes clearly show the OVAL definition, each test, and how the outcome of each test falls into the overall logic of the definition's criteria.

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

OVAL Results output is one of the export menu items. This option's context menu provides the option to export the THIN or FULL OVAL Results format.

Results Consumer Capability Questions

Examine Imported Content <AR_9.1> <AR_9.2>

Indicate how users can review OVAL Results that are imported into the product and explain how users can determine which endpoint a particular set of results applies to.

Secutor Prime in MultiView mode can import a variety of result formats, including OVAL. Multiple results files can be loaded at the same time. They are displayed and organized by assessed target in a tree or flat view. The hosts are listed by unique IP address, hostname, or other identifiers. When a host is selected, the assessment results of each OVAL definition are shown in the display. These results can be interactively viewed and/or used to generate human-readable reports.

Content Import Process Explanation <AR_9.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

OVAL Results are available for review at runtime.

Systems Characteristics Producer Capability Questions

Collecting System Data <AR_5.2> <AR_5.3>

Explain the criteria used to collect system data that is included in an OVAL System Characteristics document.

Since our products process the raw OVAL XML at runtime, all criteria required to capture the data necessary for System Characteristics output are inherently a part of every assessment.

Content Export <AR_5.2> <AR_5.3>

Indicate how the product allows users to export OVAL System Characteristics documents.

System Characteristics output is included in the FULL OVAL Results output.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Randal S. Taylor
TITLE: Chief Technology Officer

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Randal S. Taylor
TITLE: Chief Technology Officer

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Randal S. Taylor
TITLE: Chief Technology Officer

Page Last Updated: February 28, 2014