Compatibility Questionnaire: ThreatGuard (ThreatGuard) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program, product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation of OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for additional information and to review all products and services listed.

Organizational Information

Name of Your Organization:

ThreatGuard

Web Site:

Product Information

Product/Service Name:

ThreatGuard

Compatible Categories:

OVAL Definition Consumer
OVAL Results Producer
OVAL-ID Output and Searchable

Product/Service Home Page:

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public (required):
ThreatGuard is a single network appliance that provides 24/7, low-impact scanning for vulnerabilities. Multiple appliances can be tied together in a ThreatShield configuration for multi-site correlation of an organization's exposures. These appliances can be purchased through ThreatGuard's dynamic network of Value-Added Resellers (VARs). They can also be purchased directly from ThreatGuard (http://www.threatguard.com/contact.htm).

Accuracy Questions

Schema Currency Indication

Describe how and where your capability indicates the OVAL Schema used to create or update its contents and/or results (required):
The ThreatGuard Navigator client application shows the most recent OVAL Schema version used in the "About" screen. This is accessed from the main Navigator menu bar.

Schema Currency Update Approach

Indicate how often you plan on updating content to reflect new OVAL Schema versions and describe your approach to keeping reasonably current with schema versions (recommended):
ThreatGuard plans to effect an immediate reaction to both content and schema changes. When new schemas are released, we adjust our parser to extract information appropriately. This parser feeds information into the serialized object that we distribute to our fielded products.

Platform and Definition Type Support

Indicate which platforms and definition types for those platforms that your capability supports for each category of OVAL compatibility your capability supports (required):

Red Hat: We support Vulnerability class definitions. All subtests currently in use (except "ukn" tests) are supported as well.

Solaris: We support Vulnerability class definitions. All subtests currently in use (except "ukn" tests) are supported as well.

Windows: We support Vulnerability class definitions. All subtests required to assess the "software" section of the criteria block are supported, except the following: ukn, wat, wet, wmt.

Approach for Correction of Errors

Indicate how someone who discovers an error in your capability's use of OVAL can report the error and describe your approach to responding to such reports and applying fixes (required):
We accept email notification of such errors. In response, we work with the reporter (where necessary) to recreate the target environment and thus recreate the error. We apply the fix, perform regression testing across our test lab, then distribute the fix (new software or revised definition) via our centralized live-update system. All Internet-connected appliances will download and install the update within 24 hours. Clients with appliances on closed networks will receive an update CD.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to its location, of where your documentation describes OVAL, OVAL compatibility and/or OVAL-ID compatibility for your customers (required):

From APPENDIX D of the ThreatGuard User's Manual

About OVAL

Open Vulnerability and Assessment Language (OVAL) is an international, information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on computer systems. OVAL standardizes the three main steps of the process: collecting system characteristics and configuration information from systems for testing; testing the systems for the presence of specific vulnerabilities, configuration issues, and/or patches; and presenting the results of the tests.

For more information on the OVAL project, please reference "http://oval.mitre.org/about/". Details about OVAL-Compatibility and OVAL-ID Compatibility can be found at "http://oval.mitre.org/compatible/index.html".

Documentation of Finding Elements Using OVAL

Provide a copy, or directions to its location, of where your Documentation describes the specific details of how your customers can find individual security elements in the capability's repository by using OVAL definitions and/or how the user can find them elsewhere through the use of OVAL-IDs (required):

From APPENDIX D of the ThreatGuard User's Manual

Finding Vulnerabilities by OVAL ID

The ThreatGuard Navigator allows you to search for vulnerabilities by OVAL ID. The bottom, left-hand corner of the main window has a Search pane as shown at the top of Figure D1. Adjust the search parameter to "OVAL ID", type in the OVAL ID of interest and click the Search button. The Search Results window (also shown in Figure D1) is displayed, holding the title, description, and solution for the vulnerability, as well as all related hosts.


Figure D1

Documentation of Finding Results Information from Elements

Provide a copy, or directions to its location, of where your documentation describes how the user can obtain information in the OVAL Results Schema from individual elements in the capability's repository (required):

From APPENDIX D of the ThreatGuard User's Manual:

Finding OVAL References in GUI Elements

As a universal vulnerability assessor, ThreatGuard includes many different types of vulnerability references. While most high-profile vulnerabilities can be cross-referenced to multiple sources, many fail to be covered by all. The ThreatGuard Vulnerability Test Development Team makes every attempt to include all public industry references such that the user can view them with the Vulnerability Details window (Figure D2). This window is launched by double-clicking on any vulnerability in the Navigator GUI, including the Search Results window of Figure D1.


Figure D2

Documentation Indexing of OVAL-Related Material

If your documentation includes an index, provide a copy of the items and resources that you have listed under "OVAL" in your index. Alternately, provide directions to where these "OVAL" items are posted on your web site (recommended):
OVAL documentation is covered in APPENDIX D of the ThreatGuard User's Manual. The system's online help also provides context-specific OVAL-related guidance where appropriate.

Capability Specific Questions

OVAL Definition Consumer

Configuration and Software Usage Explanation

If your capability does not use both the configuration and software sections of definitions, where do you describe to your customers how your capability deviates from the logic of the definitions that have both sections (required):

From APPENDIX D of the ThreatGuard User's Manual:

OVAL Software and Configuration Analysis

The OVAL definition schema contains two sections of test criteria to assess a vulnerability. The <software> section describes how to identify vulnerable software. The <configuration> section accounts for ways to disable the software, rendering it harmless. It is ThreatGuard's mission to report vulnerable software regardless of configuration. Since configuration changes can quickly introduce major security risks, ThreatGuard recommends keeping software either patched or uninstalled.

OVAL Definition Information Process Explanation

If your capability does not support consuming OVAL Definitions at runtime, explain where you have documented the process by which customers can submit OVAL Definitions for interpretation by the capability, including how quickly Definitions submitted are made available to the capability in use by your customers (required):

Our current process has the end-user email new definitions and subordinate subtests to ThreatGuard. We install and test the definitions and distribute them as soon as they check out. The user can expedite this process by providing additional information that ThreatGuard adds (such as Risk Level, Solution, Title, and additional references). In parallel to the distribution, ThreatGuard also feeds the definitions to MITRE such that the entire OVAL community can grow and assist each other.

ThreatGuard plans to provide an interface that allows the end-user to upload a validated definition file for immediate use. ThreatGuard's value-added steps would not be applied in such cases, but this is a feature that supports the spirit and intent of the OVAL project.

OVAL-ID Output and Searchable

Finding Elements Using OVAL-ID

Give detailed examples and explanations of how a user can locate security elements in the capability by looking for their associated OVAL-ID(s) (required):

From APPENDIX D of the ThreatGuard User's Manual

Finding Vulnerabilities by OVAL ID

The ThreatGuard Navigator allows you to search for vulnerabilities by OVAL ID. The bottom, left-hand corner of the main window has a Search pane as shown at the top of Figure D1. Adjust the search parameter to "OVAL ID", type in the OVAL ID of interest and click the Search button. The Search Results window (also shown in Figure D1) is displayed, holding the title, description, and solution for the vulnerability, as well as all related hosts.

Finding OVAL-ID Using Elements in Reports

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated OVAL-IDs for the individual security elements in the report (recommended):

From APPENDIX D of the ThreatGuard User's Manual:

Finding OVAL References in Reports

Figure D3 provides an example of how ThreatGuard reports embed OVAL IDs. This excerpt from the Individual Vulnerability Occurrences Report provides details of a specific vulnerability. The References section lists the related OVAL ID as well as references to other sources such as CVE, Security Focus, the US-CERT, and vendor references. Similarly, the Host Risk Manager and Security Evaluation Reports include the same vulnerability information shown in D3.


Figure D3

Questions for Signature

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory Compatibility Requirements as well as all of the additional mandatory Compatibility Requirements that are appropriate for our specific type of capability."

Name:   Robert L. Hollis
Title:   Director of Product Development

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability's use of OVAL schema and logic."

Name:   Robert L. Hollis
Title:   Director of Product Development

Statement on Follow-on Testing Activity Support

Have an authorized individual sign and date the following statement about your organization's willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved (required):

"As an authorized representative of my organization, we agree to support the Reviewing Authority in follow-on testing activities, where appropriate types of files will be exchanged with other organizations attempting to prove the correctness of their capabilities."

Name:   Robert L. Hollis
Title:   Director of Product Development

Page Last Updated: December 17, 2009