OVAL - Compatibility Questionnaire: Inverse Path Ltd. (Hercules Remediation Manager)

Compatibility Questionnaire: Inverse Path (TPOL – OVAL Security Compliance) — Archive

Important: The OVAL Compatibility Program was moved to "archive" status in December 2009, and replaced with the "OVAL Adoption Program." Under the OVAL Adoption Program product validation is performed by an external organization, allowing the OVAL Team to focus on educating vendors on best practices regarding the use and implementation OVAL and on how OVAL can continue to evolve as needed by the community.

Refer to the OVAL Adoption Program section for addition information and to review all products and services listed.

General Capability Questions | Accuracy Questions | Documentation Questions | Capability Specific Questions | Statements

Organizational Information

Name of Your Organization:

Inverse Path Ltd.

Web Site:

http://www.inversepath.com/

Product Information

Product/Service Name:

TPOL – OVAL Security Compliance

Compatible Categories:

OVAL Definition Consumer

OVAL Results Producer (Planned)

OVAL Results Consumer (Planned)

Product/Service Home Page:

http://www.inversepath.com/product-oval.html

General Capability Questions

Product Accessibility

Provide a short description of how and where your capability is made available to your customers and the public:

The TPOL Security Compliance product is available directly from Inverse Path by contacting sales@inversepath.com.

Accuracy Questions

Language Version Indication

Describe how and where the capability indicates the version of the OVAL Language used to validate, create, or update its content:

Within the documentation section of the web interface of TPOL and the shipped manual we clearly specify the language version we support as well as the last oval.xml file timestamp shipped by MITRE that has been tested against the tool.

Additionally, for maximum clarity, we provide an OVAL_COMPLIANCE document stating any incomplete and/or unsupported part of the standard that doesn’t have 100% support.

Approach for Correction of Errors

Indicate how a user who discovers an error in the capability’s use of OVAL can report the error:

The support team can be contacted at support@inversepath.com regarding any bug in the tool.

Describe the approach to responding to the above error reports and how applicable fixes will be applied:

A patch will be shipped as soon as possible to any affected customers.

Documentation Questions

Compatibility Documentation

Provide a copy, or directions to the location, of where the documentation describes OVAL and OVAL Compatibility for any customers:

The whole TPOL – OVAL Security Compliance tool, as the name implies, is built around the OVAL standard, user manual and web interface clearly show this essential characteristic.

Language Support

Indicate the component schemas and/or individual OVAL Tests that the capability does not support for each category of OVAL Compatibility being applied for:

TPOL currently supports all platforms, excluding IOS, MacOS and Microsoft Windows Schemas. We plan to support those in future releases.

Capability Specific Questions

Finding Elements Using OVAL

Provide details regarding how users can identify and find individual OVAL content (through OVAL-IDs) that is being consumed by the capability. For example, how can a user determine which definitions have been consumed and what the result of each definition is:

OVAL definitions can be quickly looked up using the search tool, which allows searches by OVAL ID, Version, Class, Title, Platform and Product.

Definitions are linked to Policies, when the Policies are checked against the Targets a dedicated page shows all results, specifying the Definition, Target name, Policy, the actual result and any error string with mismatches in case.

OVAL Content Importation Process Explanation

If the capability does not support consuming OVAL content at runtime, explain the documented process by which users can submit OVAL content for interpretation by the capability, including how quickly submitted content is made available to the capability:

A user can import the .xml file using a dialog, he will then see the definitions in the main list and can treat them as any other definition.

OVAL definitions which are not supported cannot be imported or created within the tool, the unsupported OVAL content is clearly advertised in our documentation.

Statements

Statement of Compatibility

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory compatibility requirements as well as all of the additional mandatory compatibility requirements that are appropriate for our specific type of capability."

Name:		Andrea Barisani
Title:		Chief Security Engineer, Inverse Path Ltd.

Statement of Accuracy

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the correctness of our capability’s use of the OVAL Language and the interpretation of the logic."

Name:		Andrea Barisani
Title:		Chief Security Engineer, Inverse Path Ltd.

Statement on Follow-on Correctness Testing Support

Have an authorized individual sign and date the following statement about your organizations willingness to support correctness testing of other capabilities, which will be managed by the Reviewing Authority and kept to reasonable levels of effort for all involved. (required):

"As an authorized representative of my organization, we agree to support the Review Authority in follow-on correctness testing activities, where appropriate types of OVAL documents might need to be exchanged with other organizations attempting to prove the correctness of their capabilities."