Open Vulnerability and Assessment Language

OVAL-Compatible Products and Services - Version 4.2 Archive

The products and services listed below achieved the final stage of MITRE's formal OVAL Compatibility Program and were "Officially OVAL-Compatible" with Version 4.2 of OVAL. Products and services compatible with the current version of OVAL are available on the OVAL–Compatible Products and Services page.

Products are listed alphabetically by organization name:

Web Site:  www.arcsight.com
Quote/Declaration: As a pioneer and leading provider of security management solutions for the enterprise ArcSight actively promotes and supports open systems standards such as OVAL.

Name: ArcSight ESM
Type: Real-Time Security Awareness/Incident Response
OVAL Results Consumer: Yes
Review Completed Questionnaire

Last Updated: September 15, 2006

Web Site:  www.bigfix.com
Quote/Declaration: BigFix enables organizations to better manage their global IT infrastructures with solutions to discover, analyze, change, and maintain security and software configurations faster and more accurately, resulting in improved processes, greater visibility, better security and more reliable services while reducing costs.

BigFix supports the adoption of open standards such as OVAL as an important part of reducing IT security risk and improving policy and regulatory compliance. The BigFix Enterprise Suite for Vulnerability and Security Configuration Management consumes OVAL Definitions to provide real-time vulnerability detection and remediation for heterogeneous distributed networks. The suite will produce OVAL Systems Characteristics and OVAL Results to enable tools that consume OVAL to leverage the accurate and real-time configuration and security visibility provided by BigFix solutions.

Name: BigFix Enterprise Suite
Type: Real-Time Security Configuration Management Suite
OVAL Definition Consumer: Yes OVAL Results Producer: Planned OVAL Systems Characteristics Producer: Planned
Review Completed Questionnaire

Last Updated: September 15, 2006

Web Site:  www.citadel.com
Quote/Declaration: Citadel Security Software's Hercules product automates the remediation of vulnerabilities identified directly by Hercules, as well as those identified by other industry-leading scanning tools and services. OVAL is raising the bar on interoperability between tools in the vulnerability identification and vulnerability remediation management fields. The ability to specifically describe vulnerabilities on a system and exchange that information between tools will do a great deal to improve the offerings vendors supply to their customers. Citadel is actively working with OVAL to foster this effort. OVAL's focus on more than just patch management shows they understand the true direction of the problem and the emerging technologies. Citadel understands this as Hercules has focused on solving all five classes of vulnerabilities (i.e., unsecured accounts, unnecessary services, backdoors, misconfigurations, and software defects) since its beginning in 2000. Citadel sees the OVAL effort as a positive contribution to the global computing community.

Citadel is initially integrating the ability to read results from the OVAL Results Schema. This will allow Hercules to import results from vulnerability scanners or other network tools that produce output in an OVAL Results Schema format, providing Hercules users with the ability to remediate vulnerabilities discovered by OVAL-compatible scanning tools. Additionally, Citadel will be integrating other aspects of OVAL such as OVAL Compliance Definitions, Patch Definitions, and Vulnerability Definitions.

Name: Hercules
Type: Automated Vulnerability Remediation
OVAL Results Consumer: Yes
Review Completed Questionnaire

Last Updated: November 14, 2005

Web Site:  www.kace.com
Quote/Declaration: The KBOX IT Management Suite automates routine and complex IT maintenance tasks improving IT productivity and security. Functionality includes inventory, distribution/update, patch management, scripting, security audit and enforcement, and reporting. Included in the KBOX IT Management Suite is the KBOX Security Enforcement and Audit Module which provides vulnerability auditing through seamlessly integrating OVAL tests and reporting on the outcomes at both the individual node and aggregate network levels. KBOX IT Management Suite is also searchable by OVAL-ID. In addition, security policies can be set and enforced through automatic remediation and, if necessary, node quarantine to prevent security breaches and/or network infections.

KACE applauds the OVAL standard efforts as a key enabler for helping IT organizations deal with the very real security and productivity threats that have escalated dramatically in the last five years.

Name: KBOX IT Management Suite
Type: Information Technology (IT) Management Appliance
OVAL Definition Consumer: Yes OVAL Results Consumer: Planned OVAL Results Producer: Planned
Review Completed Questionnaire

Last Updated: September 15, 2006

Web Site:  www.qualys.com
Quote/Declaration: QualysGuard allows organizations to conduct automated security audits and proactively identify security vulnerabilities on networks and applications. Comprehensiveness and timeliness of vulnerability detection is essential to prevent emerging threats.

Qualys was one of the early adopters of the now widely used CVE naming scheme and is committed to providing early support for the evolving validation and assessment language OVAL. Support for OVAL within QualysGuard allows customers to import existing OVAL definitions and rapidly develop custom vulnerability detection signatures via a standardized XML-based language.

Name: QualysGuard Consultant
Type: Network and Application Vulnerability Assessment Platform for Professional Services Organizations
OVAL Definition Consumer: Yes OVAL Results Producer: Planned
Review Completed Questionnaire

Name: QualysGuard Enterprise
Type: Network and Application Vulnerability Assessment Platform for Large Distributed Organizations
OVAL Definition Consumer: Yes OVAL Results Producer: Planned
Review Completed Questionnaire

Name: QualysGuard Express
Type: Network and Application Vulnerability Assessment Platform for Small to Medium-Sized Organizations
OVAL Definition Consumer: Yes OVAL Results Producer: Planned
Review Completed Questionnaire

Name: QualysGuard MSP
Type: Network and Application Vulnerability Assessment Platform for Managed Service Providers
OVAL Definition Consumer: Yes OVAL Results Producer: Planned
Review Completed Questionnaire

Last Updated: February 14, 2006

Web Site:  www.ThreatGuard.com
Quote/Declaration: ThreatGuard's Vulnerability Management products utilize accurate vulnerability reporting as one of their cornerstones. The OVAL definitions provided and maintained by the OVAL community represent the most accessible and thorough collection of on-box vulnerability definitions for Windows, Linux, Solaris, HP-UX, and Cisco IOS. ThreatGuard recognizes the advantages in applying the OVAL definitions on a network-wide basis to enhance vulnerability detection, patch management, compliance management, and software inventory and has thus made OVAL Compatibility a significant feature of the ThreatGuard products since January 2005.

By seamlessly including OVAL tests in our vulnerability scanning subsystem, ThreatGuard, Inc. validates and endorses the use of OVAL definitions on a network-wide basis. ThreatGuard also performs value-added steps, such as providing solution text and integrated CVSS references where applicable. By performing these tests in Java from a Linux-based, auto-updated network appliance, ThreatGuard enables a wide array of organizations to take advantage of the OVAL team's tremendous work.

Name: ThreatGuard
Type: Continuous Security Auditing and Compliance Management
OVAL Definition Consumer: Yes OVAL Results Producer: Yes
Review Completed Questionnaire

Name: ThreatGuard Traveler
Type: Continuous Security Auditing and Compliance Management for Service Providers
OVAL Definition Consumer: Yes OVAL Results Producer: Yes
Review Completed Questionnaire

Last Updated: July 27, 2006