Compatibility Questionnaire: Citadel Security Software Inc. (Hercules) — Archive
Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.
Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.
Organizational Information
Name of Your Organization:
Web Site:
Product Information
Product/Service Name:
Compatible Categories:
OVAL Results Consumer
Product/Service Home Page:
Product Accessibility
The Hercules products are available via channel partners and directly from Citadel Security Software.
Citadel customers can find OVAL information in the Hercules Vulnerability Remedy data, in the context and on-line help as well as in the Hercules product documentation.
Schema Currency Indication
The Help functionality of the Hercules Administrator Console and the product documentation state that Hercules provides support for OVAL 4.0 or later schema. The image below shows a section of the Hercules User's Guide indicating the OVAL Schema version supported.
Additionally, the Hercules V-Flash service is an automated delivery mechanism connecting Hercules customers to the Citadel V-Flash server. The V-Flash Server houses the library of vulnerability remedies. Hercules customer sites are updated with new remediations electronically through this service. Notifications are included in the V-Flash notification messages indicating the date the OVAL content was last updated. The snippet below is a sample of what is depicted at the end of each V-Flash notification message.
-----------------------------------------------------------------------
Note: This V-Flash uses CVE information from CVE Version 20040901. The CVE Candidate information was last updated 9/28/2005. For additional information on the CVE process, see http://cve.mitre.org/.

This V-Flash uses OVAL content which was last updated 9/28/2005. For additional information on OVAL, see http://oval.mitre.org/.
-----------------------------------------------------------------------
Schema Currency Update Approach
There are two separate questions being asked here: how often do you update the OVAL content for the Mitre currently supported schemas, and how do you plan on keeping current with new OVAL Schemas published on the Mitre site.
Keeping OVAL content current is a daily on-going process. The Citadel Remediation Security Group has dedicated staff members focused on assuring the accuracy and integrity of the data used within the Hercules product line. We have implemented an automated process that pulls down the OVAL content files each day for all platforms available from the Mitre site. The new information is merged into our database each time the process runs. Since we are Certified CVE Compatible, we auto-associate new OVAL checks to the appropriate remediation using the CVE ID as the key. New and updated OVAL content that is not auto-associated is manually reviewed to assure coverage and accuracy from a Hercules product perspective.
When new OVAL Schemas are released, Citadel will be matching the OVAL release schedule for minor releases so new schemas are supported immediately. For major releases we will have newly supported OVAL importers available within 45 days. This is due to testing and integrating with existing product release schedules. We are and plan to continue to be an active part of the OVAL Schema development so we can minimize the time and plan releases to better fit OVAL major release schedules.
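The CVE-keyed association described above can be illustrated as follows. This is an added example, not Citadel's code: it assumes OVAL 5.x definition files (trimmed to the elements used), and the definition IDs, CVE IDs, remedy IDs, `REMEDIES_BY_CVE` and `associate` are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# OVAL 5.x definitions namespace (assumed; the page only says "OVAL 4.0 or later").
NS = {"oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample feed: placeholder definition and CVE IDs, not real content.
SAMPLE_OVAL = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:example:def:1" version="1" class="vulnerability">
   <metadata><reference source="CVE" ref_id="CVE-0000-0001"/></metadata>
  </definition>
  <definition id="oval:example:def:2" version="1" class="vulnerability">
   <metadata><reference source="CVE" ref_id="CVE-0000-0002"/></metadata>
  </definition>
  <definition id="oval:example:def:3" version="1" class="patch">
   <metadata><title>No CVE reference</title></metadata>
  </definition>
  <definition id="oval:example:def:4" version="2" class="vulnerability">
   <metadata><reference source="CVE" ref_id="CVE-0000-0003"/>
    <reference source="CVE" ref_id="CVE-0000-0001"/></metadata>
  </definition>
 </definitions>
</oval_definitions>"""

# Hypothetical remediation table keyed by CVE ID (constructed values).
REMEDIES_BY_CVE = {"CVE-0000-0001": "REMEDY-A", "CVE-0000-0003": "REMEDY-C"}

def associate(oval_xml, remedies_by_cve):
    """Return (linked, review): definition ID -> remedy IDs, and unmatched IDs."""
    # For feeds you do not control, use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(oval_xml)
    linked, review = {}, []
    for definition in root.iterfind(".//oval:definition", NS):
        cves = [ref.get("ref_id")
                for ref in definition.iterfind("oval:metadata/oval:reference", NS)
                if ref.get("source") == "CVE"]
        remedies = sorted({remedies_by_cve[c] for c in cves if c in remedies_by_cve})
        if remedies:
            linked[definition.get("id")] = remedies
        else:
            # No CVE reference, or no remedy for that CVE: queue for manual review.
            review.append(definition.get("id"))
    return linked, review

if __name__ == "__main__":
    linked, review = associate(SAMPLE_OVAL, REMEDIES_BY_CVE)
    print("auto-associated:", linked)
    print("manual review:", review)
```

Definitions that carry no CVE reference, or whose CVE has no remedy yet, land in the review list, which corresponds to the manual-review step in the answer above.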
Platform and Definition Type Support
Approach for Correction of Errors
If you are a product vendor and you are trying to initially integrate with Hercules from an OVAL perspective, contact the Technical Contact listed above for assistance.
If you are a customer and you feel errors have been discovered in either our importer or our data, contact customer support by telephone at 1.888.924.8233 or via email at support@citadel.com. If the problem is an OVAL content issue, the correction will be made within the next business day and made available to customers via the Citadel V-Flash service. If the problem is with the importer software itself, we will work with the submitter to understand why they think they have discovered a problem with the software. If an error is encountered, we will work to provide an expedient resolution to the issue.
Compatibility Documentation
Documentation of Finding Elements Using OVAL
The Hercules User Guide and Hercules Vulnerability Assessment and Remediation Overview both reference the OVAL capabilities of the product. These documents are provided as a part of the response to this questionnaire. They are included with the Hercules product for customer use.
Customers can also use the Third Party ID Search capabilities of the product to locate a remediation associated with a specific OVAL ID or a set of OVAL IDs.
If a specific OVAL ID is entered, the remediation associated with the OVAL ID is selected. The user can then browse the remedy or use it in some other way.
Users can also use other search capabilities to locate sets of remedies corresponding to the search criteria entered. In the example below, simple wildcarding was used.
Documentation of Finding Results Information from Elements
OVAL-ID Output and Searchable
Finding Elements Using OVAL-ID
Questions for Signature
Statement of Compatibility
Have an authorized individual sign and date the following Compatibility Statement (required):
"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."
Name: Carl Banzhof
Title: Chief Technology Officer
Statement of Accuracy
Have an authorized individual sign and date the following accuracy Statement (recommended):
"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."
Name: Carl Banzhof
Title: Chief Technology Officer
Statement on Follow-on Testing Activity Support
Have an authorized individual sign and date the following statement about your organization's willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved (required):
"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."
Name: Carl Banzhof
Title: Chief Technology Officer
Page Last Updated: December 17, 2009