OVAL Board Minutes
2007-07-16
Attendees
Jon Baker - MITRE
Carl Banzhof - McAfee
Steve Boczenowski - MITRE
Andrew Bove - Secure Elements, Inc.
Scott Carpenter - Secure Elements, Inc.
Nick Connor - Assuria Limited
Ed Grossenbacher - AlterPoint, Inc.
Tim Keanini - nCircle Network Security, Inc.
Kent Landfield - McAfee
David Mann – MITRE
Raffael Marty - ArcSight, Inc.
Melissa McAvoy - National Security Agency (NSA)
Dennis Moreau - Configuresoft, Inc.
Pai Peng - Opsware, Inc.
Alex Quilter - Opsware, Inc.
Nils Puhlmann - Individual
Amol Sarwate - Qualys, Inc.
Randy Taylor - ThreatGuard, Inc.
Gregory Toto - BigFix, Inc.
David Waltermire - Booz Allen Hamilton
Mark West - Microsoft
Chan Yoon - NetIQ Corporation
Meeting Summary
Welcome and House Keeping:
After a brief welcome a summary of the recent board house keeping effort was discussed.
This meeting was the first meeting following the clean up of the OVAL board.
The purpose of this effort was to ensure continued pro-active involvement
of all Board members and provide a clear documented set of expectations
for all Board members to review and agree to. As part of this clean up effort
the following items have been completed or changed:
• New OVAL Board member expectations have been posted on the web site.
• Updated OVAL Board member list has been posted on the web site.
• A formalized board meeting schedule has been posted on the web site.
Future meetings are now planned for the 3rd Monday of January, April, July,
and October
Status Update:
A large portion of the meeting was dedicated to a status update that covered the OVAL Language, the OVAL Repository, OVAL Compatibility, and a few other areas. Each topic is detailed below.
OVAL Language:
On June 27th version 5.3 of the OVAL Language became official. Version 5.3 is a minor update that includes several bug fixes and new tests. A full list of changes in version 5.3 is available on the version 5.3 page (http://oval.mitre.org/language/download/schema/version5.3/index.html).
Scott Carpenter: Version 5.3 is not fully backward compatible with version 5.2 content.
Jon Baker: This is a great topic for the oval-developer-list. Let’s address the issue there so that the community can benefit from the discussion.
Scott Carpenter: Will send email to the oval-developer list detailing the issue.
Along with the release of version 5.3 the OVAL Interpreter was updated to support version 5.3. In addition to changes needed to support the new version, several new features were added. A detailed list of changes in the OVAL Interpreter can be found in the version.txt document included in the source and binary distributions of the OVAL Interpreter.
OVAL Repository:
Community participation in the OVAL Repository is steadily growing. We have more organizations actively participating than ever before with new participants emerging all the time.
The number of definitions in the OVAL Repository surpassed the 2000 definition milestone late in June.
As community adoption grows the OVAL Repository is expanding in to new areas. The repository now includes inventory, vulnerability, and patch definitions. Based on community member discussion compliance content is not far off either. In addition to expanding into new classes of definitions, the repository is also expanding into new platforms. Thanks to the efforts of Opsware, Inc. the OVAL Repository now covers recent Solaris vulnerabilities. In the near future a complete set of inventory definitions for all Novell products will also be available.
In order the support the increasing diversity of content in the OVAL Repository some changes to the bulk downloads are in the works. Soon downloads will be available by id namespace and class. This topic will be discussed on the oval-discussion-list.
OVAL Repository Top Contributor Awards were recently handed out for the second quarter of 2007 to ThreatGuard, Inc., Secure-Elements, Inc., and Opsware, Inc.
OVAL Compatibility:
There are now 13 organizations with compatible products and services. This is more than ever before. We are shifting our compatibility outreach efforts to focus more on adoption by primary source vendors. The goal of this shift is to increase the amount of content available in OVAL. We believe that this will have the largest impact on OVAL adoption in the near future. We ask that the Board support us in this effort by continuing advocate OVAL when talking to primary source vendors whenever possible.
Funding:
MITRE continues to be funded by DHS to moderate and advance OVAL. However, DHS was forced to make a funding cut to numerous projects including OVAL for the current fiscal year. Because of this, we will be forced to reduce some activities over the summer. For the most part we don’t expect any noticeable changes in our support of OVAL. However, there are 3 main areas that will be impacted by this cut. The first and most noticeable is that Developer Days will be pushed back until the fall; we really don't want to cancel this. Second, we have also had to limit the amount of review of new OVAL Repository content submissions and have had to rely more on the community. Finally, we will have to wait on new versions of the schema until next year. We expect to be back to normal in FY 2008 but wanted to let everyone know what is going on as we will probably not be meeting the expectations that we have established in the past. Our expectation is that this will not be a major issue for the community and will not have a big impact on OVAL as long as this cut is not long term.
OVAL Developer Days:
We are considering a fall 2007 date for OVAL Developer Days, possibly October. Currently major topics for the event include development of version 6 requirements, possible extension into remediation, and extension into network devices. In preparation for a fall event we ask that board and the community at large continue to contribute topics for the event. We are internally tracking suggestions that are submitted via the oval-developer-list.There will be an OVAL/CPE workshop following the SCAP conference. The agenda for this workshop has not yet been set and is largely up to the SCAP conference organizers. Any suggestions for that workshop should be submitted to the conference organizers. More information on the conference is available at the SCAP web site. (http://nvd.nist.gov/events.cfm)
Tim Keanini: Currently the OVAL workshop at the SCAP conference seems to be leaning towards an introduction to OVAL. It would be great if we could also have a more advanced OVAL brainstorming session following the conference. One possible topic could be “unification across the SCAP standards”.
Jon Baker: It would be nice to capitalize on the fact that so many of us are gathered at one event.
Tim Keanini: Will send email to Steve Quinn requesting two tracks for the workshops around the SCAP conference to allow for both an introduction to the standard and a brainstorming session.
Other Items:
Debian is supporting a Google summer of code project related to OVAL. The project aims to produce OVAL vulnerability definitions for Debian as well as an OVAL Interpreter. For more information see: http://wiki.debian.org/SummerOfCode2007
The intellectual property agreement that the OVAL Community and MITRE legal developed in the fall of 2006 is posted on the OVAL web site at: http://oval.mitre.org/about/termsofuse.html. In the near future a click through will be implemented requiring users to agree to the terms of use.
We received an out of band request to discuss 2 questions related to intellectual
property.
1. A board member influences the OVAL standard towards a direction that causes
a patent infringement on that board members patent.
2. A board member influences the OVAL standard towards a direction that causes a patent infringement on another board members (or any other) patent.
It was agreed that intellectual property agreement should protect the standard form such situations, but that the scenarios needed to be looked into to make sure that they are in fact covered by the new intellectual property agreement.
Andrew Bove: Aware of a related document from the w3c and will send email to the oval-board-list with more information after a bit of research.
Jon Baker: Will review the intellectual property agreement, any information discovered by Andrew Bove, and consult MITRE legal as needed to ensure that the intellectual property agreement does protect the standard from the two scenarios.
Conclusion:
The meeting concluded with an opportunity for additional comment from the Board and a reminder of the next board meeting date.
Dennis Moreau: Hearing great feedback from the auditing community when discussing OVAL and the other related standards that are moderated by MITRE.
Page Last Updated: January 18, 2011