OVAL Board Minutes

2007-10-15

Attendees

Jon Baker - MITRE
Carl Banzhof - McAfee
Steve Boczenowski - MITRE
Drew Buttner - MITRE
Nick Conner - Assuria
Jay Graver - nCircle
Rob Hollis - ThreatGuard
Tim Keanini - nCircle
Kent Landfield - McAfee
Melissa McAvoy - DoD
Raffy Marty - Splunk
Amol Sawarte - Qualys
Back to top

Meeting Summary

Welcome and House Keeping:

It is the continued support of everyone that makes OVAL a success. The agenda for this meeting was:

• Status Update
• 2007 Developer Days
• 2008 Goals
• Questions/Concerns

Status Update:

The meeting started with update on the status of OVAL and the different parts of the standard. OVAL is currently at version 5.3. Currently there are not plans for a major or minor release, although that is one of the topics for this meeting in planning for 2008. Over the past few months there have been a few suggestions about changes and additions to the OVAL Language. These changes are being tracked by MITRE.

The OVAL Repository continues to grow with more and more support from the community. The 3rd quarter top contributor awards were recently handed out and for the first time four different organizations were awarded.

• Maitreya (Novell)
• Opsware (Solaris)
• ThreatGuard (Windows)
• Secure Elements (Windows)

There are now 22 organizations participating in the OVAL Compatibility program. Of these, 14 are offering compatible products and 8 have made declarations for future compatibility. This participation has resulted in 20 different OVAL Compatible products and service available to the community.

The OVAL Web site has been enhanced over the past few months, especially in the ability to search the OVAL Repository. Better access to content has been provided by allowing users to search for individual tests, objects, states, and variables. In addition, users can search on comments across all of these items. Finally, the user can see a list of higher level items that use the individual test, object, state, or variable. These enhancements help those writing new content find existing items that they can reuse.

TODO: We have received requests for more views into what content has recently changed and we will work on providing this feature for the community.

Back to top

OVAL Developer Days:

The Developer Days was originally pushed back from the spring 2007 to the fall 2007, but has now been postponed until 2008. Financial support has stabilized and we are beginning the planning for the Developer Days to be held this coming spring, probably in the March or April time frame. The original plan was to hold a two day event in Bedford.

The board was asked what the goal of Developer Days should be. In response the following conversation was held:

Drew: I think we should use this as an opportunity to start development on Version 6. We have been keeping a list of issues here at MITRE and it would be great to go over some possibilities as a group, similar to what we did for Version 5.

Kent: Discussions around version 5 worked well. In addition to this, I would like OVAL Developer Days to be held in conjunction with other standards areas. Maybe make it a full week of discussions.

Rob: Lets make sure we establish a scope/binding on the protocols to be discussed.

Raffy: But please allow others (CWE, CEE) to piggy back if desired, since we will all be in the same area.

Kent: I think we should leave tutorials out as these meetings are supposed to be focused discussions. People should come with existing knowledge and be ready look at ways to enhance 6.0.

Kent: We also need to look at ways of adding things to the standards without bumping versions. How can we easily add new tests without having to go through a version process?

Steve: We have been talking about a full week, does anyone vote for smaller (just OVAL) focus for dev days?

Rob: A full week is tough for small businesses, want to support, but tough to be away for 5 straight days.

Jon: We will make sure we have a well defined agenda well ahead of time.

Back to top

2008 Goals

Regarding the OVAL Language, the biggest question is if we are ready to begin development of Version 6? The general feeling of the board was yes. But as we look into it further, and start to go over the issues that have been brought up, we need to make sure that a major change is actually necessary. If the changes can be made in a minor version, then we should go that route. Since the time line related to a major version is long, there was a question if this would put a 5.4 minor version in jeopardy.

Jon: No, we could still do a minor version during the major version process. We try for 3-4 minor versions a year. We will do the next one when there is significant demand.

Drew: How about a target of releasing a minor 5.4 in the spring and then a minor 5.5 in the fall, all the while working on the major version 6? During the development for Version 6, we probably will come up with features that could be rolled into one of the minor versions.

Jon: One goal of ours is to do a better job of putting the OVAL Language development tracker list on-line. We will try to put this up on the OVAL Web site.

As for the OVAL Repository, the question was posed to the Board about what other features are needed? How can the OVAL Web site better support writers/users?

Rob: One click to get the definition for a specific id. Ideally by entering it into the URL.

Jon: Actually, you can do that now. I will send out this info to the OVAL Discussion list.

Kent: We need more information about external repositories. Ideally best practices around managing an external repository, accessibility, content lifecycle, and interactions with other external repositories.

OVAL: Great idea, we will work on this.

For OVAL Compatibility, no major changes are anticipated. The plan is to have the program stay as is while we are at version 5. The program will be revised for Version 6. Also, we have no current plans to pass this work on to another organization, but we are worried that the program is starting to outpace MITRE's ability to support it.

Kent: Could we combine with SCAP compatibility?

Jon: We are open to discussions about a transition to NIST.

Steve: Official answer is that there are no plans at this time.

Questions/Concerns

The OVAL Board meeting was then opened up for questions or concerns to be presented. What is the board hearing about OVAL? What needs to be worked on?

Kent: There is a lot going on around the SCAP protocols, more vendors are jumping in. Personally I'm hearing a lot less from commercial customers and more from federal customers. How can we get this into commercial RFPs? We need to educate commercial users, maybe by targeting secondary vendors (financial markets), and looking at verticals and go after user groups.

Kent: Also, I'm hearing some discussion about how does this all fit into internationalization?

TK: What is the value proposition for user groups in vertical markets?

Drew: MITRE will take as action item to start a thread on board list to discuss different vertical markets to target and then help determine the value proposition for each on.

Melissa: Are auditors (SOX, HIPAA) aware of standards?

Kent: Yes. But good point, we need to include them in our value propositions.

Back to top

Page Last Updated: February 07, 2008