Name of Your Organization:

Information-technology Promotion Agency, Japan (IPA)

Web Site:

http://www.ipa.go.jp/index-e.html

Adopting Capability:

MyJVN Version Checker

Capability home page:

http://jvndb.jvn.jp/apis/myjvn/vccheck.html (Japanese)
http://www.ipa.go.jp/security/english/vuln/200911_myjvn_vc_en.html (English)

General Capability Questions

Adoption Capabilities

If the functionality is available now, indicate "Yes." If it has been implemented but not released, indicate "Beta". If planned but not currently available, indicate "Planned". If there are no plans for a specific category, that section(s) is not included as part of the questionnaire below.

OVAL Definition Evaluator — (Yes)

Product Accessibility <AR_1.9>

Provide a short description of how and where your capability is made available to your customers and the public.

MyJVN Version Checker is a free, easy-to-use, OVAL- and XCCDF-based on-line/off-line scanner that allows people to easily check whether the software installed on their PC is the latest version. This product downloads and uses the OVAL and XCCDF content from MyJVN API, which is a software interface to access and utilize the vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia.

Language Version Indication <AR_1.10>

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content.

The product primarily supports compatibility with OVAL Version 5.5.

Capability Correctness Questions

Error Reporting <AR_2.1>

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error.

Customers can contact a support helpdesk to report an error in the use of OVAL.

Responding to Error Reports <AR_2.2>

Describe the approach to responding to the above error reports and how applicable fixes will be applied.

All issues are investigated by the technical support team. If a defect is confirmed, it’ll be fixed by the development team. Upon release of the fix, the customer can use the latest version without any update operations.

Documentation Questions

Adoption Documentation <AR_3.1>

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Adoption for any customers.

The following documents describe our activities related to OVAL:

http://www.ipa.go.jp/security/vuln/OVAL.html (Japanese)
http://www.ipa.go.jp/security/english/vuln/OVAL_en.html (English)

Language Support <AR_3.2>

List each supported component schema and specific OVAL Tests in those component schemas that are supported. (AR_3.2)

MyJVN Version Checker supports tests (registry_test, file_test), objects (registry_object, file_object) and states (registry_state, file_state) for Microsoft Windows Operating Systems. Others are currently not supported.

OVAL Assessment Method <AR_3.3>

List each supported assessment method if applicable.

Query to a database of an endpoint's current configuration settings. Assessment of state by a host-based sensor.

OVAL Content Error Reporting <AR_3.4>

Provide a copy, or directions to the location, of where the documentation describes the procedure by which errors in OVAL content may be reported for any OVAL content that is produced by the product.

Customers can contact a support helpdesk to report an error in OVAL content.

Content Validity Questions

Syntax Error Detection and Reporting <AR_4.1> <AR_4.2> <AR_4.3> <AR_4.4>

Indicate how the product or repository detects and reports syntax errors in any OVAL content that is consumed by the product or repository.

The OVAL content that is downloaded from MyJVN API is tested, and XML schema validation is performed. Customers can contact a support helpdesk to report a syntax error in OVAL content.

Type-Specific Capability Questions

Definition Evaluator Capability Questions

Content Transparency <AR_8.1> <AR_8.2>

Indicate how the product allows users to determine which OVAL Definitions are being evaluated and examine the details of those definitions.

MyJVN Version Checker is an OVAL-based on-line scanner that checks whether the software installed on the user's PC is the latest version. The results are shown as follows: "good (the latest version)", "poor (an older version)" or "N/A (not installed or non-supported version)". The customer can relate the OVAL definition to the results.

Content Import Process Explanation <AR_8.3>

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability.

The product downloads the list of OVAL content and the definition data of OVAL content from MyJVN API automatically. In MyJVN Version Checker, the OVAL content must be associated with a peculiar OVAL list file.

Content Evaluation <AR_8.4> <AR_8.5> <AR_8.6> <AR_8.7>

Indicate how users can review the detailed results of evaluating an OVAL Definition on a target system.

The results of MyJVN Version Checker are judged as "good", "poor" or "N/A". The product doesn’t support the output function of OVAL Results Document, but the customer can relate the OVAL result to the result of these products as follows: true (good); false (poor, N/A and bad).

Full OVAL Results <AR_8.8>

Indicate how users can review the full OVAL Results of the evaluation of an OVAL Definition on a target system.

The overview field of MyJVN Version Checker shows the list of the scanning target software and a summary of the results, which are judged as "good", "poor" or "N/A". The detail field shows the software version of the scanned target and the update website.

Adoption Signature

Questions for Signature

Statement of Adoption <AR_1.2>

"As an authorized representative of my organization I agree that we will abide by all of the mandatory adoption requirements as well as all of the additional mandatory adoption requirements that are appropriate for our specific type of capability."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Statement of Accuracy <AR_1.2>

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Statement on Follow-On Correctness Testing Support <AR_1.7>

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."

NAME: Hideaki Kobayashi
TITLE: Laboratory Manager, Security Engineering Laboratory, IT Security Center

Page Last Updated: February 28, 2014