Industry News Coverage - 2005 Archive

Below is a comprehensive monthly review of the news and other media's coverage of OVAL. A brief summary of each news item is listed with its title, author (if identified), date, and media source.

December 2005

Date: 12/2/2005
Publication: SecurityFocus.com

Byline: Robert Lemos
Title: "Federal flaw database commits to grading system"

Excerpt or Summary:
OVAL was mentioned in this December 2, 2005 article about the U.S. National Vulnerability Database (NVD), as follows: "NVD piggybacks on the Common Vulnerability and Exposures (CVE) [Initiative] ... [and] CVE definitions are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language ... " NVD, OVAL, and CVE are sponsored by the U.S. Department of Homeland Security.

November 2005

Date: 11/3/2005
Publication: DAWN Sci-Tech World

Title: "Tips and tricks: Worming it out."

Excerpt or Summary:
OVAL was mentioned briefly in this article about the Common Malware Enumeration (CME) initiative—headed by US-CERT and MITRE along with numerous members of the anti-virus community—that aims to provide single, common identifiers to new virus threats (i.e., malware) to reduce public confusion during malware outbreaks.

OVAL is mentioned when the author states: "Why CME has become so popular within a couple of weeks of its launch has much to do with its backers — US-CERT (Computer Emergency Readiness Team), and US Department of Homeland Security. MITRE Corporation manages CME under funding from US-CERT and DHS which also fund two similar projects, CVE (Common Vulnerabilities and Exposures), and OVAL (Open Vulnerability and Assessment Language)."

CVE, CME, OVAL, and US-CERT are sponsored by the U.S. Department of Homeland Security.

September 2005

Date: 9/12/2005
Publication: KACE Networks, Inc.

Title: "KACE's KBOX Automates IT Management for Mid-Market Customers with Easy-to-Use, Unthinkably Comprehensive, Affordable Appliance"

Excerpt or Summary:
OVAL was mentioned briefly in this press release as a feature of KACE's KBOX IT Management Suite 2.0: "Security Vulnerability Audit: Scans and reports on known security vulnerabilities based on the OVAL standard (covering almost 1000 vulnerabilities) endorsed by US Computer Emergency Readiness Team (US-CERT) and the [U.S.] Department of Homeland Security." In addition, KACE Networks, Inc. and its KBOX IT Management Suite 2.0 are listed on the Declarations of OVAL Compatibility and the Declarations of OVAL-ID Compatibility pages in the Compatible Products and Services section of the OVAL Web site.

August 2005

Date: 8/12/2005
Publication: SecurityFocus.com

Byline: Robert Lemos
Title: "NIST, DHS add national vulnerability database to mix"

Excerpt or Summary:
OVAL was mentioned in this article about the U.S. National Vulnerability Database (NVD), which "scans the Common Vulnerability and Exposures (CVE), a listing of serious vulnerabilities ..." OVAL is mentioned in a quote by Peter Mell, a senior computer scientist at NIST, who states: "The CVE [names] are one of the standards that the National Vulnerability Database depends on. The database also uses the Open Vulnerability and Assessment Language (OVAL) to describe the security issues in a standard language."

According to the article, "this reliance on standards gained the effort some plaudits from representatives of security companies that rely on such databases," including Gerhard Eschelbeck, chief technology officer of vulnerability assessment service for Qualys, Inc., who states: "We believe there is a need in the market for an aggregator to bring together all the information from all the different sources. But we want the organizations to use all the open standards."

NVD, CVE, and OVAL are sponsored by the U.S. Department of Homeland Security. In addition, Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.

May 2005

Date: 5/2005
Publication: CrossTalk, The Journal of Defense Engineering

Byline: Robert A. Martin
Title: "Transformational Vulnerability Management Through Standards"

Excerpt or Summary:
OVAL was a main topic in this article by OVAL Compatibility Lead Robert A. Martin that discusses the U.S. Department of Defense's (DOD) new enterprise licenses for vulnerability assessment and remediation tools that require using capabilities that conform to the OVAL and CVE standards efforts. The author states: "In combination with procedural changes, the adoption of these and other standards such as the National Security Agency's Extensible Markup Language Configuration Checklist Data Format, are making it possible to radically improve the accuracy and timeliness of the DOD's remediation and measurement activities, which are critical to ensuring the network and systems integrity of their network-centric warfare capabilities."

OVAL is mentioned throughout this article in which the author describes what OVAL is and isn't, mentions that there are organizations that have made declarations of OVAL Compatibility, and describes OVAL definitions and the Official OVAL Schemas and their potential uses. How OVAL improves vulnerability assessment is also described in the caption to an illustration entitled "Standard-Based IAVA Process" in which the author notes that the new Information Assurance Vulnerability Alert (IAVA) requirements call for the use of "OVAL definitions on how to identify the new issue. Assessment tools are capable of using the OVAL definitions; they report their findings per the OVAL results XML standard. These same standard-based results are fed into the reporting process and the remediation process. Various procurements have started requiring support for the standards that will enable the transition to this new IAVA process. Work in transforming current checklists and checking guidelines into these standards is also under way, which will set the stage for the formal process to be changed."

The author concludes the article as follows: "DoD is moving to its new process by requiring the inclusion of CVE names and standardized OVAL XML vulnerability and configuration tests in software supplier's alerts and advisories, and by acquiring tools that can import new and future OVAL XML test definitions and export their findings as standardized OVAL XML results. By also obtaining capabilities that can import the OVAL XML results for remediation, organizational status reporting, and generating certification and accreditation reports, the DoD will have created a focused, efficient, timely, and effective enterprise incident management and remediation process by adopting information security products, services, and methodologies that support the CVE naming standard and use OVAL test definitions and results schemas." "Collectively these changes will dramatically improve the insight and oversight of the security and integrity of the systems and networks underlying tomorrow's network-centric warfare capabilities."

April 2005

Date: 4/15/2005
Publication: SecurityPark.net

Byline: Gerhard Eschelbeck
Headline: "From SATAN to OVAL: The Evolution of Vulnerability Assessment"

Excerpt or Summary:
OVAL was a main topic in this article about the evolution of vulnerability assessment by OVAL Board Member Gerhard Eschelbeck of Qualys, Inc. The author describes what OVAL is and isn't, mentions that OVAL is a community effort, notes the platforms supported by OVAL, mentions that there are declarations of OVAL Compatibility, and describes the OVAL Definition Schema, OVAL System Characteristics Schema, and OVAL Results Schema and their potential uses.

The author further states: "OVAL aims to standardize and define a structured process for identifying and communicating vulnerability and configuration information from the point of knowledge of a vulnerability to the point of action. Vulnerability Assessment has matured over the past years, and to standardize the information exchange during the full vulnerability lifecycle makes OVAL a significant contribution to the security industry. Multiple security vendors have committed support for OVAL in their upcoming product releases. Enterprises will benefit from OVAL compliant tools to integrate and improve the flow of information from vulnerability alert, to vulnerability detection as well as remediation."

Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section.

March 2005

Date: 3/2005
Publication: MITRE Corporation Web Site

Byline: Robert A. Martin
Title: "White Paper: Transformational Vulnerability Management Through Standards"

Excerpt or Summary:
OVAL was a main topic of this technical report white paper by OVAL Compatibility Lead Robert A. Martin that was originally published in the May 2005 issue of CrossTalk, The Journal of Defense Engineering, as noted above.

Date: 3/15/2005
Publication: InfoSecurity Magazine

Byline: Cath Everett
Headline: "CA exposure provokes disclosure debate"

Excerpt or Summary:
OVAL was mentioned in this article about software vulnerabilities in a section about vulnerability assessment. The author states: "The aim of the Open Vulnerability [and] Assessment Language initiative . . . [is] to provide a standardised way for the industry to define vulnerabilities and their seriousness and widespread industry adoption is expected to follow over the coming year."

The article also includes a discussion with OVAL Board Member Gerhard Eschelbeck of Qualys, Inc., in which the author of the article states: "The next stage after vulnerability assessment is to ensure that patching activities are automated as much as possible and are up-to-date and verified. While Eschelbeck acknowledges that patching everything constantly is impossible, he says that [the new universal Common Vulnerability Scoring System (CVSS)], which was released to vendors a few weeks ago at the RSA conference, should make prioritisation easier."

Qualys, Inc. is a member of the OVAL Board and its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP are listed in the OVAL-Compatible Products and Services section. MITRE created and manages the OVAL and CVE projects, both of which are sponsored by the US-CERT at the Department of Homeland Security.

Date: 3/1/2005
Publication: MarketWire.com

Headline: "Configuresoft CTO Dennis Moreau Tapped for OVAL Board"

Excerpt or Summary:
OVAL was a main topic in this press release from Configuresoft, Inc. regarding the appointment of Dr. Dennis Moreau, chief technology officer for Configuresoft, to the OVAL Board. The release describes what the OVAL effort is and isn't, mentions that OVAL vulnerability definitions are based upon CVE names, and includes a link to the OVAL Web site.

The article also includes a quote by Moreau, who states: "OVAL is the most ambitious of the current standardization efforts. On behalf of Configuresoft and the Center for Policy & Compliance, I am delighted to sit on the OVAL Board." There are currently 32 OVAL Board Members from 26 organizations around the world.

February 2005

Date: 2/2/2005
Publication: GRIDtoday

Headline: "ArcSight's Raffael Marty Appointed to MITRE OVAL Board"

Excerpt or Summary:
This article is based upon the ArcSight, Inc. news release announcing Raffael Marty's appointment to the OVAL Board. The article describes what the OVAL effort is and isn't and mentions the following other Board members: "Cisco Systems, IBM and Symantec, and U.S. government leaders including the Defense Information Systems Agency, the National Security Agency and the CERT Coordination Center." The article states that: "Marty's role will be to provide OVAL a complete, high-level view of network security status, including issues such as correlation and prioritization of security events, as security event management continues to emerge as a critical component of network security."

January 2005

Date: 1/20/2005
Publication: NIST's Computer Security Resource Center Web Site

Headline: "Extensible Configuration Checklist Description Format (XCCDF)"

Excerpt or Summary:
OVAL was included as part of the January 20, 2005 release of XCCDF on the National Institute of Standards and Technology's (NIST) Computer Security Resource Center Web site. Led by the U.S. National Security Agency (NSA) along with contributions from other agencies and organizations, XCCDF was created to be "a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices."

OVAL is mentioned in the Additional Notes section on the main page of the XCCDF Web site, which states: "XCCDF was designed to support integration with multiple underlying configuration checking 'engines'. The expected or default checking technology is MITRE's OVAL(tm). More information about OVAL may be found at The MITRE Corporation OVAL Web site." In addition, NSA is a member of the OVAL Board.

Date: 1/16/2005
Publication: ArcSight Web Site

Headline: "ArcSight's Raffael Marty Appointed to MITRE OVAL (Open Vulnerability [and] Assessment Language) Board"

Excerpt or Summary:
This ArcSight, Inc. news release announces Raffael Marty's appointment to the OVAL Board, describes what the OVAL effort is and isn't, and includes a link to the OVAL Web site. The release also includes a quote by Hugh Njemanze, CTO and founder of ArcSight, Inc., who states: "We're thrilled that Raffael has been asked to participate in MITRE's OVAL efforts. We're looking forward to helping add our security event management innovation to OVAL's groundbreaking work to date."

Date: 1/11/2005
Publication: ZATAZ.com

Headline: "Open Vulnerability [and] Assessment Language"

Excerpt or Summary:
This French-language article discusses the appointment of Gerhard Eschelbeck of Qualys, Inc. to the OVAL Board and notes that Qualys will be making its products OVAL-compatible.


Page Last Updated: January 18, 2011