OVAL Board Minutes

2005-12-15, 13:00 - 14:00 EST (GMT -0500)

Attendees

Raffael Marty - ArcSight
Nick Connor - Assuria
David Waltermire - Center for Internet Security
Carl Banzhof - Citadel
Kent Landfield - Citadel
Dennis Moreau - Configuresoft
Barry Day - DesktopStandard
Department of Defense
Stephen Boczenowski - MITRE
Matthew Burton - MITRE
Andrew Buttner - MITRE
David Proulx - MITRE
Matthew Wojcik (OVAL Moderator) - MITRE
Chris Andrew - Patchlink
Patrick Ravenel - Preventsys
Mark Cox - Red Hat
Scott Carpenter - Secure Elements
Rob Hollis - ThreatGuard

Agenda

  • OVAL status update
  • Progress on OVAL 5.0
  • Patch Definitions
  • OVAL Compatibility Program
  • OVAL Happenings at RSA 2006
  • OVAL: Language and Repository

Meeting Summary

OVAL Status Update

Compatibility awards to ThreatGuard, Citadel, ArcSight

Since the last Board meeting, MITRE held a first round of OVAL Compatibility testing. On November 14, four products and services from three organizations--ThreatGuard, Citadel, and ArcSight--were awarded official "OVAL and OVAL-ID Compatible" status.

OVAL version 4.2 was adopted on December 2, 2005

Language work is focusing on Version 5.0

Repository work is focused on submission processing

ThreatGuard have been submitting new definitions and proposed changes to existing definitions at a significant rate. Many thanks to ThreatGuard, and especially Rob Hollis, for their work and continuing contributions to OVAL.

Processing submissions is presenting some challenges for MITRE's OVAL team, but development of better content management tools is ongoing. MITRE plans to increase its content review in the near term. There has also been an increase in comments on definition content, both on the public mailing lists and to oval@mitre.org, an encouraging example of the OVAL Community process in action.

Progress on OVAL 5.0

Drew Buttner gave an update on the work on OVAL 5.0, the upcoming next release of the language. Version 5 represents major changes and enhancements, and has been under development since May 2005. A fourth draft of the schemas is ready for release on December 16, 2005. This draft addresses most of the remaining significant issues which have been put forward for version 5.0.

The OVAL Board and Community are urged to review Version 5.0 now. The timeline for release sets a January 2006 target for moving the schemas to Release Candidate status, freezing all changes so that implementation can take place. Example definitions are available on the OVAL web site to aid in the review.

Kent Landfield asked what work was being done on operating system and application name standardization in OVAL. Buttner replied that it's being worked on in discussion of the use of the "affected" element in Version 5. This is a large enough problem that OVAL alone is not able to address it fully, and the OVAL team is looking to other groups and emerging standards for assistance. In particular, OVAL team members have been participating in work on XCCDF-P, and some discussion of that effort has taken place on the OVAL mailing lists, with participation of XCCDF-P's designers.

Patch Definitions

Matt Burton gave a brief update on work to flesh out OVAL Patch definitions for Version 5. He has drafted a set of Version 5 patch definitions for one of Microsoft's Security Bulletins from November. The approach was to attempt to capture the technical information about the patches described in the bulletin without making any changes to the language as described in the Version 5.0 drafts.

The result is an umbrella definition for the bulletin, which extends several more specific definitions targeted by platform or individual patch binary. In addition to definition extension, the strawman uses a number of other features of OVAL 5, including metadata not specified in the schemas and nested criteria.

These drafts will be sent to the OVAL mailing lists for discussion soon. They are meant as a platform for discussion; feedback is needed to make OVAL patch definitions viable. Remaining questions include the approach for dealing with superseding relationships and how to uniquely identify patches.

OVAL Compatibility Program

The OVAL Compatibility Program continues to develop. MITRE continues to be approached by organizations wanting to join the process, starting by declaring their intent to make their products or services OVAL Compatible.

Since the last Board teleconference, MITRE held the first round of OVAL Compatibility testing in September 2005, at MITRE's facilities in Bedford, Massachusetts. On November 14th, four information security products and services from three organizations were officially awarded OVAL and OVAL-ID Compatibility, having successfully completed the testing. Representatives of ArcSight, Citadel, and ThreatGuard were presented with compatibility certificates at the 32nd annual CSI Computer Security Conference in Washington, D.C. This is a major milestone for the OVAL project and its adoption.

UPCOMING TESTING -- Week of January 23rd, 2006

MITRE will hold the next round of OVAL Compatibility testing the week of January 23rd, 2006, at the MITRE facilities in Bedford, Massachusetts. Any organization which has implemented OVAL in a production product or service is eligible to participate. Those interested should be sure to review the information on compatibility available on the OVAL web site, particularly the Requirements and Process description. Further details are available by contacting oval@mitre.org.

MITRE will be making a general announcement soon, and will be contacting organizations that have already made compatibility declarations.

OVAL Happenings at RSA 2006

MITRE will be hosting a booth in the vendors' expo at the RSA 2006 conference in February. Since many OVAL Board members also attend RSA, we'd like to have an informal Board gathering to get to know one another and socialize. More details will be sent to the Board list closer to the date of the conference.

MITRE is also on the waiting list for a Birds of a Feather (BoF) session on OVAL, if a slot opens up.

Other possible OVAL activities coordinated with RSA had been discussed in the past: an official Board meeting with phone bridge for those not attending the conference; OVAL compatibility testing at RSA itself; a "Developer Day" focused on OVAL similar to the two-day meeting held in July 2005. Due to logistical concerns, these will not happen this year.

OVAL: Language and Repository

There has been an increasing feeling at MITRE that the OVAL project really consists of two related but distinct pieces: the language itself, and the repository of community-developed content. The web site and other public documents do not currently make this distinction clear. There's a fear that this is potentially confusing to the public.

Over the next few months, MITRE will be reviewing the web site and other OVAL documents to attempt to clarify these two pieces of OVAL and their relationships with each other and the community. The goal is to have all materials updated for the official acceptance of OVAL Version 5. The work has already begun, however, and will start showing up in various ways over the next months.

Page Last Updated: February 07, 2008