News and Events - 2006 Archive
OVAL Version 5.2 in Planning Stage
Version 5.2 of the OVAL Language is currently in the Planning stage and is scheduled to be moved to the Official stage on January 31, 2007. Version 5.2 will be a minor version update to fix some minor bugs in the Windows Component Schemas and to update the documentation. As this is a minor version change Version 5.2 will not invalidate existing content that currently validates against Version 5.1, the current official version of OVAL. A complete list of changes for Version 5.2 is available on the Upcoming Minor Version page.
OVAL-Related Work Page Added to OVAL Web Site
An OVAL-Related Work page has been added to the OVAL Web site. The new page provides information about work in the community that is related to or directly involves OVAL. The first item is OVAL Board member PatchLink Corporation's Service Oriented Architecture (SOA), which is built around OVAL and is intended to encourage cooperative development and interoperability between vendor products.
OVAL Presents Briefing at 22nd Annual Computer Security Applications Conference
OVAL presented a briefing that included OVAL, entitled "Host Based Security Assessment: Standards to Implementations," at the 22nd Annual Computer Security Applications Conference at the Miami Beach Resort & Spa in Miami Beach, Florida, USA on December 11, 2006. The purpose of the conference itself was to provide "security professionals from government, academia, and the computer security industry the opportunity to exchange practical solutions to real world security problems."
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CCE/CWE/CME, and/or other vulnerability management topics at your event.
Configuresoft, Inc. Makes Declaration of OVAL Compatibility
Configuresoft, Inc. declared that its configuration discovery, management, compliance, and remediation product, Enterprise Configuration Manager, will be compatible with Version 5.1 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
OVAL Scheduled to Present Briefing at 22nd Annual Computer Security Applications Conference
OVAL is scheduled to present a briefing that will include OVAL, entitled "Host Based Security Assessment: Standards to Implementations," at the 22nd Annual Computer Security Applications Conference at the Miami Beach Resort & Spa in Miami Beach, FL on December 11, 2006. The purpose of the conference itself, which runs December 11th-15th, is to provide "security professionals from government, academia, and the computer security industry the opportunity to exchange practical solutions to real world security problems."
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CCE/CWE/CME, and/or other vulnerability management topics at your event.
OVAL Holds Compatibility Correctness Testing Session on November 16th
MITRE held an OVAL Compatibility Correctness Testing session on November 16, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations participating included MMG Security, Inc. for its Sussen vulnerability assessment and policy compliance product. Compatibility results will be posted on the OVAL–Compatible Products and Services page as they are available.
Organizations with compatibility declarations interested in participating in future sessions may register by contacting oval@mitre.org.
'Red Hat Network' Now Including Direct Links to OVAL Definitions
Red Hat, Inc. announced on November 8, 2006 that the security advisories on its public Red Hat Network will now contain direct links to relevant OVAL Definitions. The announcement references an example and includes a link to their Red Hat and OVAL Compatibility page.
Red Hat, Inc. is a founding member of the OVAL Board and its Red Hat Errata security advisories are listed on the Other Repositories and the OVAL-Compatible Products and Services pages.
OVAL Interpreter Updated
The OVAL Interpreter was updated to Version 5.1 on November 6, 2006. Specific updates to the OVAL Interpreter included: adding support for Version 5.1 of the OVAL Language; fixing several minor issues reported by the OVAL Community; enabling the Interpreter to generate evaluation results in customizable HTML; improving the data collection processes to greatly reduce the number of error results generated during evaluation; repackaging the Red Hat distributions to address installation errors reported by the OVAL Community; and cleaning up the Linux source distribution.
The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.
Version 5.1 of OVAL Now Available
Version 5.1 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.
Version 5.1 is a minor version change and includes the following: added an OVAL Variables Schema, FreeBSD portinfo_test, slackwarepkginfo_test, xinetd_test, new entities to the windows file state, REG_NONE to the registry type enumeration, <xsd:any> to system information, optional comments to individual objects and states, optional comments to individual collected objects, optional xml signature elements to the element, and optional xml signature to the test, object, state, and variable; fixed the type associated with <trustee_sid> and the type associated with the <end> function; made the <interfaces> element of system info optional; and improved Schematron for full/thin results. As a minor version change, Version 5.1 will not invalidate existing content that currently validates against Version 5.0. See the Version 5.1 page for more information.
The following have been updated to Version 5.1:
• OVAL Definition schema
• OVAL System Characteristics schema
• OVAL Results schema
The following are also available for using Version 5.1:
• OVAL Interpreter
• Interpreter Source Code
• Data Files
• Bulk Content Download
The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.1.
OVAL to Hold Compatibility Correctness Testing Session on November 15th
MITRE will hold an OVAL Compatibility Correctness Testing session on November 15, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.1 of OVAL. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.
Top OVAL Repository Contributors Now Recognized on the OVAL Web Site
Active participation is important to the success of OVAL. Leading contributors to the OVAL Repository are now listed on the OVAL Repository Statistics page, including both individuals and organizations that have either created new definitions or modified existing definitions. The number of definitions for each person or organization is also included. Major contributors to the Repository, as well as to the Language, are listed on the Major Contributors page in the OVAL Community section.
RSS Feeds Now Available for Latest OVAL News Articles and OVAL Repository Updates
OVAL is now offering RSS Feeds of the latest OVAL News and of updates to the OVAL Repository. RSS (Really Simple Syndication) is an XML-based format for sharing and distributing Web content to RSS Readers (also called a News Reader or an RSS Aggregator). To subscribe to either feed, follow the directions on the RSS Feeds page or look for the orange graphic in the left main menu and copy the URL then paste it into your RSS Reader. Please also read our RSS FAQs and RSS Terms of Use.
OVAL Hosts Booth at FIAC 2006
MITRE hosted an OVAL/CVE/CCE/CWE/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25–26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference exposed OVAL, CVE, CCE, CWE, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.
Visit the OVAL Calendar page for information about this and other upcoming events.
OVAL Presents Briefing at Tactical Information Assurance 2006
OVAL presented a briefing about OVAL/CVE/CWE entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference introduced OVAL, CVE, and CWE to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.
MMG Security, Inc. Makes Declaration of OVAL Compatibility
MMG Security, Inc. declared that its vulnerability assessment and policy compliance product, Sussen, is compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
OVAL to Present Briefing at Tactical Information Assurance 2006
OVAL is scheduled to present a briefing about OVAL/CVE/CWE entitled "Securing The IA Perimeter: Automated IAVA & STIG Compliance Through Standards" at Tactical Information Assurance 2006 on October 25, 2006 at the Westin Arlington Gateway in Arlington, Virginia, USA. The conference will introduce OVAL, CVE, and CWE to information technology and security professionals and decision-makers from the U.S. military, defense agencies, industry contractors, and technology service providers.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.
OVAL Holds Compatibility Correctness Testing Session on October 4th
MITRE held an OVAL Compatibility Correctness Testing session on October 4, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. Organizations participating included BigFix, Inc. for its BigFix Enterprise Suite; PatchLink Corp. for its PatchLink OVAL Add-In (Special Edition), Version 6.3; and KACE Networks, Inc. for its KBOX 1000 Series Systems Management Appliances. Compatibility results will be posted on the OVAL–Compatible Products and Services page as they are available.
Another session is currently scheduled for November 15, 2006. Organizations with compatibility declarations interested in participating may register for either session by contacting oval@mitre.org.
OVAL to Host Booth at FIAC 2006
MITRE is scheduled to host an OVAL/CVE/CCE/CWE/CME exhibitor booth at Federal Information Assurance Conference (FIAC) 2006, October 25–26, 2006, at the Inn and Conference Center, University of Maryland University College, in Adelphi, Maryland, USA. The conference will expose OVAL, CVE, CCE, CWE, and CME to network and systems administrators, security practitioners, acquisition and procurement officials, systems security officers, federal managers, accreditors, and certifiers from numerous agencies of the U.S. federal government.
Visit the OVAL Calendar page for information about this and other upcoming events.
OVAL Included in News Release about ThreatGuard, Inc.'s Free FISMA Compliance Product
OVAL was included in a September 19, 2006 news release from ThreatGuard, Inc. entitled "ThreatGuard Releases FISMA Scout Compliance & Remediation System." The main focus of the release is ThreatGuard's FISMA Scout compliance and remediation system that consumes "… the automated checklist content from the National Institute of Standards and Technology (NIST) and perform[s] compliance assessments, remediation activities, and scoring." In addition to being included throughout the list of the product's features, OVAL is mentioned in a quote by ThreatGuard's Chief Technology Officer Randal Taylor, who states: "NISTs adoption of XCCDF and OVAL for their checklist content dramatically shifts the industry in a way that is good for the end-user. We are very excited to release FISMA Scout." ThreatGuard's FISMA Scout is free to download.
ThreatGuard, Inc. is a member of the OVAL Board and its ThreatGuard 4.5, ThreatGuard OEM Integration Kit 1.0, ThreatGuard On Demand 1.0, and ThreatGuard Traveler 4.5 products are listed in the OVAL-Compatible Products and Services section.
OVAL Included in News Release about Secure Elements' "Zero-Cost Public Service License" for Public Sector and Non-Profit Organizations
OVAL was included in a September 19, 2006 news release from Secure Elements, Inc. entitled "Secure Elements Announces Public Service License." The main focus of the release is Secure Elements' announcement that they now offer "a zero-cost Public Service License to approved organizations public sector and non-profit public service entities." OVAL is mentioned in a description of their C5 EVM product, which is "built upon several key XML Standards: Open Vulnerability Assessment Language (OVAL 5.0), and the eXtensible Configuration Checklist Description Format (XCCDF) as promoted by the Department of Homeland Security (DHS), the National Security Agency (NSA), the National Institute of Standards and Technology (NIST), the Defense Information Systems Agency (DISA), and others. In response to the Cyber Security Research and Development Act of 2002, NIST developed the Security Configuration Checklists Program for IT Products, for which they are now publishing checklists in the XCCDF format."
Secure Elements, Inc. is a member of the OVAL Board and its C5 EVM product is listed in the OVAL-Compatible Products and Services section.
OVAL Hosts Booth at IT Security World 2006
MITRE hosted an OVAL/CVE/CCE/CWE/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference exposed CME, CVE, CCE, CWE, and OVAL to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.
OVAL to Hold Compatibility Correctness Testing Session on October 4th
MITRE will hold an OVAL Compatibility Correctness Testing session on October 4, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. For those unable to attend, another session is currently scheduled for November 15, 2006. Organizations with compatibility declarations interested in participating should register by contacting oval@mitre.org.
OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference
OVAL was a main topic of the U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, on September 19th MITRE participated in a Q&A panel discussion about OVAL, presented a briefing about OVAL, and participated in a briefing about XCCDF. OVAL was also included in Secure Elements, Inc.'s briefing about XCCDF and was the main topic of product presentations by ThreatGuard, Inc. and Citadel Security Software, Inc.
The purpose of the workshop was to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.
nCircle Network Security, Inc. Makes Declaration of OVAL Compatibility
nCircle Network Security, Inc. declared that its vulnerability management system, IP360 Vulnerability Management System, and its real-time threat prioritization system, nTellect for Cisco Intrusion Detection System (IDS)/Intrusion Prevention System (IPS), will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
OVAL Interpreter Updated
The OVAL Interpreter has been updated to add support for data collection of several Windows objects to enable the Interpreter to properly process OVAL Vulnerability and Compliance Definitions for Windows. A list of updates and fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.
OVAL Board Holds Teleconference
The OVAL Board held a teleconference on Thursday, August 31, 2006, with 16 Board members and others participating. Topics included an OVAL status update; NIST's upcoming "National Security Automation Conference & Workshop" and its OVAL and XCCDF focus; Board member roles and responsibilities; and OVAL cross-marketing opportunities. You may also read the complete meeting minutes.
OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference, September 18th -19th
OVAL will be a main topic of the upcoming U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, on September 19th MITRE will participate in a Q&A panel discussion about OVAL, present a briefing about OVAL, and participate in a briefing about XCCDF. OVAL will also be the main topic of product presentations by ThreatGuard, Inc. and Citadel Security Software, Inc.
The purpose of the workshop itself is to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CWE, CME, and/or other vulnerability management topics at your event.
Assuria Limited Makes Declaration of OVAL Compatibility
Assuria Limited declared that its vulnerability assessment and policy compliance product, Assuria Auditor, will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
PatchLink Corporation Makes Declaration of OVAL Compatibility
PatchLink Corporation declared that its enterprise patch management system, PatchLink Update, will be compatible with Version 5.0 of OVAL. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
NIST Releases Beta Version of OVAL/XCCDF Content
The U.S. National Institute of Standards and Technology (NIST) has released a beta version of OVAL/Extensible Configuration Checklist Description Format (XCCDF) content for its Security Content Automation Project, which "integrates several currently independent government sponsored initiatives to standardize both format and data content with respect to vulnerability identification and remediation."
According to the NIST Web site, for the Beta version of the XML files, "... information that is programmatically ascertainable is confined to the OVAL XML file (i.e., Major patch level, architecture (32, 64, sparc, etc.) This academic separation was conscious so that OVAL compliant product vendors could use the content without adopting the XCCDF standard. Although the OVAL content is offered in this 'self-contained' format, the XCCDF counterpart provides the grouping of OVAL definitions into NIST Special Publication 800-53 technical controls." In addition, the "XCCDF XML only contains policy information (information that is not programmatically ascertainable) and follows the same template for all NIST produced documents. We will couple the environment as defined in the SP800-68 (Standalone, Enterprise, SSLF, and legacy) with the FIPS-199 impact rating of the system (Low, Moderate, or High) as defined in 800-53 to determine the applicability of settings, patches, add-on software, etc."
See NIST Security Content Automation Project on the NIST Web site for more information and to access the download.
OVAL to Host Booth at IT Security World 2006
We are scheduled to host an OVAL/CVE/CWE/CME exhibitor booth at MISTI's IT Security World 2006 on September 25-27, 2006 at the Fairmont Hotel in San Francisco, California, USA. The conference will expose OVAL, CVE, CCE, CWE, and CME to security professionals from industry, government, and academia charged with developing and running their organizations' information security programs.
Visit the OVAL Calendar page for information on this and other upcoming events.
OVAL Interpreter Updated
The OVAL Interpreter has been updated to add support for external variables, a type of variable commonly used in OVAL Compliance Definitions that allow values to be provided at run time from an external source. Some minor bug fixes have also been addressed. A list of updates and fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.
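As an added illustration of the external variables described above (and of the OVAL Variables Schema introduced with Version 5.1 earlier on this page), the following Python code is not from the OVAL site or the OVAL Interpreter: it binds the external_variable declarations of a definitions document to the values in a run-time oval_variables document, and reports any variable that no value was supplied for. Both XML documents are constructed samples; the only non-constructed names are the OVAL 5 definitions and variables namespace URIs.

```python
import xml.etree.ElementTree as ET

# OVAL 5 namespaces for the definitions document and the variables document
DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
VAR_NS = "http://oval.mitre.org/XMLSchema/oval-variables-5"

# Constructed sample, not a published definition: a definitions document that
# declares two external variables a compliance definition would reference.
# (Generator, definitions and tests are omitted to keep the sample short.)
DEFINITIONS_XML = f"""<oval_definitions xmlns="{DEF_NS}">
  <variables>
    <external_variable id="oval:org.example:var:1" version="1"
        datatype="int" comment="Required minimum password length"/>
    <external_variable id="oval:org.example:var:2" version="1"
        datatype="string" comment="Required audit log directory"/>
  </variables>
</oval_definitions>"""

# Constructed sample: the variables document an operator supplies at run time.
# It provides a value for var:1 only, so var:2 is left unbound on purpose.
VARIABLES_XML = f"""<oval_variables xmlns="{VAR_NS}">
  <variables>
    <variable id="oval:org.example:var:1" datatype="int"
        comment="Site policy: 12-character minimum">
      <value>12</value>
    </variable>
  </variables>
</oval_variables>"""


def declared_external_variables(definitions_xml):
    """Map external_variable id -> declared datatype from a definitions document."""
    root = ET.fromstring(definitions_xml)
    return {ev.get("id"): ev.get("datatype")
            for ev in root.iter(f"{{{DEF_NS}}}external_variable")}


def supplied_values(variables_xml):
    """Map variable id -> (datatype, [values]) from an oval_variables document."""
    root = ET.fromstring(variables_xml)
    out = {}
    for var in root.iter(f"{{{VAR_NS}}}variable"):
        values = [v.text for v in var.findall(f"{{{VAR_NS}}}value")]
        out[var.get("id")] = (var.get("datatype"), values)
    return out


def resolve_external_variables(definitions_xml, variables_xml):
    """Bind every declared external variable to its run-time values.

    Returns (resolved, problems): resolved maps id -> list of typed values;
    problems maps id -> the reason it could not be bound. A definition that
    references an unbound variable cannot be evaluated, so a non-empty
    problems dict should be treated as a content/configuration error.
    """
    declared = declared_external_variables(definitions_xml)
    supplied = supplied_values(variables_xml)
    resolved, problems = {}, {}
    for var_id, datatype in declared.items():
        if var_id not in supplied:
            problems[var_id] = "no value supplied"
            continue
        supplied_type, values = supplied[var_id]
        if supplied_type != datatype:
            problems[var_id] = (f"datatype mismatch: declared {datatype}, "
                                f"supplied {supplied_type}")
            continue
        if not values:
            problems[var_id] = "variable element carries no value"
            continue
        if datatype == "int":
            try:
                resolved[var_id] = [int(v) for v in values]
            except (TypeError, ValueError):
                problems[var_id] = "value is not an integer"
            continue
        # Other OVAL datatypes (string, boolean, version, ...) are kept as text here.
        resolved[var_id] = values
    return resolved, problems


if __name__ == "__main__":
    ok, bad = resolve_external_variables(DEFINITIONS_XML, VARIABLES_XML)
    print("resolved:", ok)   # {'oval:org.example:var:1': [12]}
    print("problems:", bad)  # {'oval:org.example:var:2': 'no value supplied'}
```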
Photos of OVAL Booth at Black Hat 2006
MITRE hosted an OVAL, CVE, CWE, CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 in Las Vegas, Nevada, USA. Photos from the event are included below:
Visit the OVAL Calendar page for information on this and other upcoming events.
OVAL Hosts Booth at Black Hat Briefings 2006
MITRE hosted an OVAL/CVE/CWE/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event exposed OVAL, CVE, CWE, and CME to a diverse audience of information security-focused attendees from around the world.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL/CVE/CWE/CME, and/or other vulnerability management topics at your event.
Meeting Minutes from OVAL Developer Days Now Available
Meeting minutes from the OVAL Developer Days conference on July 11-12, 2006 at MITRE Corporation in Bedford, Massachusetts, USA are now available. 33 members of the OVAL community from 15 organizations attended the event. The original briefing slides are also available.
ThreatGuard, Inc. Registers Two Additional Products as Officially "OVAL-Compatible"
ThreatGuard, Inc. declared that its on-demand auditing and compliance management product, ThreatGuard On Demand, and its libraries for building OVAL Compatibility into third-party systems product, ThreatGuard OEM Integration, are OVAL-compatible. ThreatGuard also posted an OVAL Compatibility Questionnaire for ThreatGuard On Demand and an OVAL Compatibility Questionnaire for ThreatGuard OEM Integration Kit for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing for both products. ThreatGuard On Demand and ThreatGuard OEM Integration are now registered as "Officially OVAL-Compatible." ThreatGuard’s ThreatGuard and ThreatGuard Traveler products were previously registered as compatible.
For additional information about these and other compatible products, visit OVAL–Compatible Products and Services and Declarations to Be OVAL–Compatible.
Secure Elements, Inc. Product Now Registered as Officially "OVAL-Compatible"
Secure Elements, Inc. has posted an OVAL Compatibility Questionnaire for C5 Enterprise Vulnerability Management (EVM) for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. C5 Enterprise Vulnerability Management (EVM) is now registered as "Officially OVAL-Compatible."
For additional information about this and other compatible products, visit OVAL–Compatible Products and Services and Declarations to Be OVAL–Compatible.
New OVAL Board Member
Scott Carpenter of Secure Elements, Inc. has joined the OVAL Board. Andrew Bove also represents Secure Elements.
New OVAL Board Member
N. Reddy Velagala of netForensics has joined the OVAL Board.
OVAL Interpreter Updated
The OVAL Interpreter has been updated to address some minor bug fixes. A list of the fixes is available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.
OVAL Mentioned in Article about Information Security Standards Efforts in Healthcare Informatics Online
OVAL was mentioned in an article entitled “The 411 on CVE” in the July 2006 issue of Healthcare Informatics Online. The main focus of the article is the success of the Common Vulnerabilities and Exposures (CVE) standard and of the U.S. National Vulnerability Database (NVD) that is built upon CVE identifiers and includes OVAL-IDs as references.
OVAL is mentioned with regard to “automated compliance checking and configuration … [that] could be accomplished using OVAL (Open Vulnerability and Assessment Language) — also being developed by MITRE and XCCDF (Extensible Configuration Checklist Description Format) — the XML-based checklist technology developed by NIST and the National Security Agency.” OVAL is mentioned again when the author states: “the Department of Defense has taken the formal step of requiring that information assurance vendors supply CVE- and OVAL-capable products, and MITRE engineers have outlined the way these technologies would interact with XCCDF in automated machine-to-machine vulnerability mitigation operations.”
OVAL, CVE, and NVD are sponsored by the U.S. Department of Homeland Security.
OVAL Hosts Second OVAL Developer Days, July 11th - 12th
OVAL hosted our second OVAL Developer Days (PDF, 141K) conference on July 11-12, 2006 at MITRE Corporation in Bedford, Massachusetts, USA. 33 members of the OVAL Community from 15 organizations attended the event.
Developer Days was a success and brought together numerous members of the OVAL Community to discuss, in technical detail, the more difficult issues facing the current and future versions of OVAL and to derive solutions that benefit all concerned parties and continue the development of the OVAL Language. Specific talks included: A look at Version 5, OVAL Repository Quality, XCCDF-P, OVAL Compatibility, and FISMA Turning Toward OVAL. Review the briefing slides.
The meeting minutes will be available soon. An announcement will be posted on this News page when they are available, or you may sign-up for OVAL's free e-Newsletters to receive this and other news about OVAL.
Photos from the event are included below:
OVAL Holds Compatibility Correctness Testing Session on July 13th
MITRE held an OVAL Compatibility Correctness Testing session on July 13, 2006 at MITRE in Bedford, Massachusetts, USA to test products against Version 5.0 of OVAL. Organizations participating included ThreatGuard, Inc. for its ThreatGuard 3.0 and ThreatGuard Traveler products; Red Hat, Inc. for its Red Hat Errata; and Secure Elements, Inc. for its C5 Enterprise Vulnerability Management (EVM) system. All four passed and are now listed as "Officially OVAL-Compatible" with Version 5.0 on the OVAL–Compatible Products and Services page.
OVAL Mentioned in Product Review in InfoWorld Magazine
OVAL was mentioned in a product review entitled "Kace offers IT automation sized right for SMBs" in the July 7, 2006 issue of InfoWorld. OVAL is mentioned when the author states: "On the vulnerability testing front, KBOX supports OVAL (Open Vulnerability and Assessment Language), [an aspect of which is] a common vulnerability assessment infrastructure also found in offerings from the SEM heavyweights. This common description language for security events standardizes the assessment process, and it's nice to see it in an SMB appliance."
KACE Networks, Inc. and its KBOX IT Management Suite are listed on the OVAL–Compatible Products and Services page.
OVAL a Main Topic of NIST's National Security Content Automation Initiative Conference, September 18th-19th
OVAL will be a main topic of the upcoming U.S. National Institute of Standards and Technology's (NIST) National Security Content Automation Initiative Conference on September 18-19, 2006 in Gaithersburg, Maryland, USA. In addition to contributing throughout the workshop, MITRE will present a briefing about OVAL and will participate in a briefing about XCCDF on September 19th.
The purpose of the workshop itself is to present "projects and integration efforts that proposes to automate certain technical aspects of security by converting English text contained in various publications (configuration guides, checklists, and the National Vulnerability Database) into machine readable format (XML/XCCDF and OVAL) such that the various audiences (scanning vendor, checklist/configuration guide, auditors, etc.) will be operating in the same semantic context. The end result will allow organizations to use COTS tools to automatically check their security and map to technical compliance requirements."
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CWE, CME, and/or other vulnerability management topics at your event.
Scalable Software, LLC Makes Declaration of OVAL Compatibility
Scalable Software, LLC declared that its security configuration and policy compliance checker, Command Center (CC) Examiner, will be OVAL-compatible. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
OVAL to Host Booth at Black Hat Briefings 2006
MITRE is scheduled to host an OVAL/CVE/CWE/CME exhibitor/meeting booth at Black Hat Briefings 2006 on August 2nd - 3rd, 2006 at Caesars Palace in Las Vegas, Nevada, USA. The event will expose OVAL, CVE, CWE, and CME to a diverse audience of information security-focused attendees from around the world.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CWE, CME, and/or other vulnerability management topics at your event.
OVAL Compatibility Main Topic of News Release by Red Hat, Inc.
Red Hat, Inc. issued a news release on June 21, 2006 entitled "Red Hat Announces OVAL Security Compatibility." The release announces that its Red Hat Enterprise Linux 3 and 4 security advisories are officially OVAL-Compatible and that "Red Hat will now produce and support OVAL patch definitions to provide a structured and machine-readable version of advisories, allowing OVAL-compatible tools to accurately test for the presence of vulnerabilities."
The release also includes a quote from OVAL Board member and Red Hat Security Response Team Lead Mark J. Cox, who states: "As a founding member of the OVAL Board, we've been working with the MITRE Corporation on OVAL for many years. Just as the MITRE CVE project has become common for dealing with vulnerability patches, we expect the same rapid adoption for the OVAL project. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards."
Red Hat is a founding member of the OVAL Board and its Red Hat Errata security advisories are listed on the Other Repositories and OVAL-Compatible Products and Services pages.
OVAL Mentioned in Article about Information Security Standards Efforts in IEEE Distributed Systems Online
OVAL was mentioned in an article about security standards efforts entitled "Functionality Meets Terminology to Address Network Security Vulnerabilities" in the June 2006 issue of IEEE Distributed Systems Online. The main focus of the article is the success of the Common Vulnerabilities and Exposures (CVE) standard and of the U.S. National Vulnerability Database (NVD), which is built upon CVE identifiers and includes OVAL-IDs as references.
OVAL is mentioned in a section entitled "New efforts round out the landscape" as a follow-on standards effort that "standardizes vulnerability queries in a three step XML-based process that eliminates the time-consuming and mistake-laden need for network administrators to interpret a panoply of text-based information from various vendors, public agencies, and consultants." The article concludes with a quote by OVAL Compatibility Program Lead Robert A. Martin who comments on the purpose behind these other information security standards efforts: "People are so used to selecting the vendor and that's kind of the core they build out from. What we want them to do is get married to enabling standards and then build around that."
OVAL, CVE, and NVD are sponsored by the U.S. Department of Homeland Security.
Version 5 of OVAL Now Available
Version 5.0 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files have also been updated.
Version 5.0 is a major version change and includes the following changes, among others:
- addition of a schema for Apache;
- addition of a common core schema, used by the Definition, System Characteristics, and Results schemas, that defines common types;
- use of Schematron to perform validation beyond schema validation;
- addition of a runlevel test for UNIX;
- addition of an xsd:any tag in metadata to allow organization-specific information not found in OVAL;
- removal of the software and configuration sections of the criteria;
- nested logic allowed inside a definition's criteria;
- a new object/state format broken out from the tests;
- a completely new results format allowing results from multiple systems;
- addition of directives in the results schema to control content;
- the path element in tests split into separate path and filename elements;
- the Windows file version changed from a complex type with <major>, <minor>, <build>, <private> child elements to a delimited version string;
- addition of a level attribute to the message element in the System Characteristics schema;
- a new family test as part of the independent schema;
- addition of a var_check attribute to the base entity;
- creation of a filemd5 test.
See the Version 5.0 page for a complete list.
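As an added illustration (not code from the OVAL project or from this page), the Python below walks a small constructed OVAL 5.0-style definition through three of the changes listed above: criteria that nest, tests that reference separate object and state elements, file objects with the split path/filename elements, and a Windows file version carried as a delimited string that must be compared component by component rather than as text. The XML document, the file names, the version numbers and the system snapshot are constructed; element and attribute names follow the OVAL 5 definitions and Windows schemas as I recall them and should be treated as assumptions rather than a validated document.

```python
"""Toy evaluator for an OVAL 5.0-style definition (added example, not OVAL
project code). SAMPLE_DEFINITIONS is constructed for this example; element
and attribute names follow the OVAL 5 definitions and Windows schemas as the
author recalls them and are assumptions, not a validated document."""
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
WIN_NS = DEF_NS + "#windows"
NS = {"d": DEF_NS, "w": WIN_NS}

SAMPLE_DEFINITIONS = f"""<oval_definitions xmlns="{DEF_NS}" xmlns:w="{WIN_NS}">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="example.dll is present"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2" comment="example.dll is old"/>
          <criterion test_ref="oval:example:tst:3" comment="helper.dll is old"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <w:file_test id="oval:example:tst:1" version="1" check="at least one" comment="exists">
      <w:object object_ref="oval:example:obj:1"/>
    </w:file_test>
    <w:file_test id="oval:example:tst:2" version="1" check="at least one" comment="old">
      <w:object object_ref="oval:example:obj:1"/><w:state state_ref="oval:example:ste:1"/>
    </w:file_test>
    <w:file_test id="oval:example:tst:3" version="1" check="at least one" comment="old">
      <w:object object_ref="oval:example:obj:2"/><w:state state_ref="oval:example:ste:1"/>
    </w:file_test>
  </tests>
  <objects>
    <w:file_object id="oval:example:obj:1" version="1">
      <w:path>C:\\Windows\\system32</w:path><w:filename>example.dll</w:filename>
    </w:file_object>
    <w:file_object id="oval:example:obj:2" version="1">
      <w:path>C:\\Windows\\system32</w:path><w:filename>helper.dll</w:filename>
    </w:file_object>
  </objects>
  <states>
    <w:file_state id="oval:example:ste:1" version="1">
      <w:version datatype="version" operation="less than">5.1.2600.2180</w:version>
    </w:file_state>
  </states>
</oval_definitions>"""

# Constructed stand-in for collected system characteristics:
# (path, filename) -> observed file version string.
SNAPSHOT = {
    ("C:\\Windows\\system32", "example.dll"): "5.1.2600.10000",
    ("C:\\Windows\\system32", "helper.dll"): "5.1.2600.1106",
}


def parse_version(text):
    """Int tuple for numeric comparison; as text, 5.1.2600.10000 would sort below 5.1.2600.2180."""
    return tuple(int(part) for part in text.split("."))


def version_matches(actual, operation, expected):
    """Apply the state's operation attribute to two delimited version strings."""
    a, e = parse_version(actual), parse_version(expected)
    ops = {"equals": a == e, "not equal": a != e, "less than": a < e,
           "greater than": a > e, "less than or equal": a <= e,
           "greater than or equal": a >= e}
    return ops[operation]


def evaluate_test(test, objects, states, snapshot):
    """A file_test passes when the referenced object is present on the system
    and, if a state is referenced, the observed version satisfies it."""
    obj = objects[test.find("w:object", NS).get("object_ref")]
    key = (obj.find("w:path", NS).text, obj.find("w:filename", NS).text)
    if key not in snapshot:
        return False
    state_ref = test.find("w:state", NS)
    if state_ref is None:
        return True
    ver = states[state_ref.get("state_ref")].find("w:version", NS)
    return version_matches(snapshot[key], ver.get("operation"), ver.text)


def evaluate_criteria(node, tests, objects, states, snapshot):
    """Recursively combine nested <criteria>/<criterion> with AND or OR."""
    results = []
    for child in node:
        if child.tag == f"{{{DEF_NS}}}criterion":
            results.append(evaluate_test(tests[child.get("test_ref")], objects, states, snapshot))
        else:  # nested <criteria>
            results.append(evaluate_criteria(child, tests, objects, states, snapshot))
    return all(results) if node.get("operator", "AND") == "AND" else any(results)


def evaluate_definition(xml_text, snapshot):
    """Return True when the first definition's criteria hold for the snapshot."""
    root = ET.fromstring(xml_text)
    # Tests, objects and states live in separate top-level sections keyed by id.
    tests, objects, states = ({el.get("id"): el for el in root.find(f"d:{s}", NS)}
                              for s in ("tests", "objects", "states"))
    criteria = root.find("d:definitions/d:definition/d:criteria", NS)
    return evaluate_criteria(criteria, tests, objects, states, snapshot)
```

With the constructed snapshot the definition evaluates true because helper.dll is older than the state's version, while example.dll at build 10000 is correctly treated as newer than 2180.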
The following have been updated to Version 5.0:
The following are also available for using Version 5.0:
The previous versions of the OVAL schemas, definitions, OVAL Interpreter, Interpreter source code, and data files have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.0.
Red Hat, Inc. Now Registered as Officially "OVAL-Compatible"
Red Hat, Inc. declared that its security update advisories, Red Hat Errata, are OVAL-compatible. In addition, Red Hat posted an OVAL Compatibility Questionnaire for Red Hat Errata for Phase 2 of the OVAL Compatibility Program and has completed the Phase 3 correctness testing. Red Hat Errata is now registered as "Officially OVAL-Compatible."
For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
Secure Elements, Inc. Makes Declaration of OVAL Compatibility
Secure Elements, Inc. declared that its C5 Enterprise Vulnerability Management (EVM) solution is OVAL-compatible. For additional information about this and other compatible products, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.
OVAL Web Site Updated for Version 5
The OVAL Web site has been updated to coincide with Version 5.0 of OVAL. The most significant change is dedicated sections for the OVAL Language and OVAL Repository. The OVAL Compatibility section has also been updated to coincide with Version 5.0.
The main changes to the site are outlined below:
OVAL Language section - includes a new Language Releases page with access to current, future, and archived versions of the OVAL Language. Also included is new supporting information such as Language Use Cases, Structure of the Language, Versioning, Validating an OVAL Document, and a Definition Tutorial.
OVAL Repository section - includes a new main page with access to Downloads, Basic Search, and an Advanced Search. New supporting information includes a new About the OVAL Repository page, an updated Latest Repository Updates page, and updated guidelines for community members to Submit an OVAL Definition.
OVAL Compatibility section - in addition to updating the Compatibility Program and Compatibility Requirements to adhere to Version 5.0, other changes include the addition of an OVAL Supporters page and discontinuation of OVAL-ID compatibility.
Community Participation section - includes a new Major Contributors page to recognize those organizations that have made significant contributions to the development of OVAL.
Many of these changes are a direct result of feedback from users and vendors. We welcome any comments about OVAL, or these revisions, at oval@mitre.org.
Release Candidate 3 of the Version 5 OVAL Schemas Now Available
Release Candidate 3 of the Version 5.0 OVAL Schemas is now available on the Upcoming OVAL Schema Changes - Version 5.0 page. This update includes changes to the schema documentation to clarify how pieces of the language should be interpreted and updates to how content is validated. The Beta 2 version of the reference OVAL Interpreter was also updated to the new release candidate. A complete list of updates is available in the Status Reports on the Version 5 Schema section.
The Version 5 Schemas are currently scheduled to move to the Official stage on June 16, 2006. Vendors should begin their migration now to the new version. Visit the Upcoming OVAL Schema Changes - Version 5.0 page for the latest information on the Schemas, OVAL Interpreter, Interpreter Source Code, and Data Files for Version 5.
OVAL Board Holds Teleconference
The OVAL Board held a teleconference on Friday, May 5, 2006 with representatives from eight member organizations and others participating. Topics included the upcoming transition to OVAL Version 5 in June, how the transition affects the OVAL Repository and compatibility, and the OVAL Developer Days Conference currently planned for this summer. You may also read the complete meeting minutes.
OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins
New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on May 9, 2006.
- CVE-2006-0024 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-018: Cumulative Security Update for Outlook Express (911567)." Tests for the vulnerability include OVAL1894 and OVAL1922.
- CVE-2005-2628 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-020: Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)." Tests for the vulnerability include OVAL1987 and OVAL1557.
- CVE-2006-0034 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-018: Cumulative Security Update for Outlook Express (911567)." Tests for the vulnerability include OVAL1222, OVAL1908, and OVAL1477.
- CVE-2006-1184 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-018: Cumulative Security Update for Outlook Express (911567)." Tests for the vulnerability include OVAL1990, OVAL1295, OVAL1912, and OVAL1779.
- CVE-2006-0027 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-019: Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)." Tests for the vulnerability include OVAL1818, OVAL2035, and OVAL1996.
All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.
Version 5.0 OVAL Interpreter Beta 2 Now Available
A second beta version of the reference OVAL Interpreter for the Version 5.0 Release Candidates is now available. This second beta adds support for Red Hat Linux, includes the addition of objects for Windows and UNIX, and restructures the source tree to better mirror the OVAL Schema. Data Files that include a partial sample of the definitions and schemas for Version 5.0 are also available for use with the Interpreter release candidate.
Visit the Upcoming OVAL Schema Changes - Version 5.0 page to download the Interpreter and Data Files and for the latest information on Version 5, which is scheduled to move to the Official stage on June 16, 2006.
OVAL Presents Briefing at GFIRST National Conference 2006
OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly presented a briefing on May 3, 2006 entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" in Orlando, Florida, USA.
The presentation examined MITRE's three DHS-sponsored security information exchange initiatives — Open Vulnerability and Assessment Language (OVAL), Common Malware Enumeration (CME), and Common Vulnerabilities and Exposures (CVE) — including the purpose of each effort, its goals, participants, future plans, and how each effort benefits the incident response community.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL Presents Briefing at DOD System and Software Technology Conference
OVAL Compatibility Lead Robert A. Martin presented a briefing on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" in Salt Lake City, Utah, USA.
The purpose of the conference was to help "government, industry, and academia [to] collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex 'systems of systems' in support of DOD."
Visit the OVAL Calendar page for information on this and other upcoming events.
Version 5.0 Release Candidate Data Files Updated
The sample Data Files for the Version 5.0 OVAL Schema Release Candidates have been updated. These samples may be used with the beta version of the Version 5.0 reference OVAL Interpreter. They should also be reviewed and tested by vendors as part of their migration to the new version of OVAL scheduled for release on June 16, 2006.
The V5 Data File updates include the addition of three new sample files:
- All Windows definitions in the Definitions Repository converted to V5.
- All Red Hat Linux definitions in the Definitions Repository converted to V5.
- A set of Solaris definitions converted to V5.
Visit the Upcoming OVAL Schema Changes - Version 5.0 page to download the Data File samples, Interpreter, and for the latest information on Version 5.
ThreatGuard, Inc. Contributes Its 500th OVAL Definition
To date, OVAL community member ThreatGuard, Inc. has contributed 536 OVAL Vulnerability Definitions to the initiative for various platforms, all of which are posted in the OVAL Definitions Repository. ThreatGuard continues to support OVAL by contributing definitions on a regular basis.
ThreatGuard also previously contributed the HP-UX Component Schema to Version 4.2 of OVAL released on December 2, 2005 (see "Two Organizations Contribute Component Schemas for Version 4.2"), as well as the first-ever OVAL definitions for HP-UX on December 22, 2005. OVAL community participation is important for the development of new definitions and new component schemas, and such contributions help the OVAL effort to further build the repository of OVAL definitions and to add support for more platforms.
Organizations and individuals are encouraged to participate in the OVAL Initiative. You may email us at oval@mitre.org for more information, or subscribe to our OVAL Community Forum for discussing and submitting definitions and our OVAL Developer's Email List for contributing to the development of the schemas. We welcome your participation.
OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins
New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on April 11, 2006.
- CVE-2006-0014 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-016: Cumulative Security Update for Outlook Express (911567)." Tests for the vulnerability include OVAL812, OVAL1611, OVAL1682, OVAL1769, OVAL1771, OVAL1780, and OVAL1791.
- CVE-2006-0012 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-015: Vulnerability in Windows Explorer Could Allow Remote Code Execution (908531)." Tests for the vulnerability include OVAL1191, OVAL1448, OVAL1679, OVAL1764, and OVAL1743.
- CVE-2006-0003 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-014: Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)." Tests for the vulnerability include OVAL1204, OVAL1323, OVAL1511, OVAL1742, and OVAL1778.
- CVE-2006-1185 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL787, OVAL1677, and OVAL1711.
- CVE-2006-1186 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL791, OVAL1446, OVAL1589, OVAL1651, and OVAL1704.
- CVE-2006-1189 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL792, OVAL1020, and OVAL1484.
- CVE-2006-1190 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL965, OVAL1541, OVAL1735, and OVAL1783.
- CVE-2006-1359 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL985, OVAL1178, OVAL1657, OVAL1678, and OVAL1702.
- CVE-2006-1188 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1144, OVAL1290, OVAL1296, and OVAL1773.
- CVE-2006-1191 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1251 and OVAL1710.
- CVE-2006-1192 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1336, OVAL1498, OVAL1645, OVAL1725, and OVAL1740.
- CVE-2006-1245 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1451, OVAL1569, OVAL1599, OVAL1632, and OVAL1766.
- CVE-2006-1388 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1591, OVAL1642, OVAL1676, OVAL1724, and OVAL1774.
- CVE-2006-0015 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-013: Cumulative Security Update for Internet Explorer (912812)." Tests for the vulnerability include OVAL1748.
All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.
"OVAL Compatibility" Section Updated
The OVAL Compatibility section of the OVAL Web site has been reorganized and updated to place more emphasis on the products and services that are Officially OVAL-Compatible and to provide more information about how the community benefits from the compatibility program. In addition, we have modified the OVAL Compatibility Process by separating products or services that are compatible with OVAL technical data from those that only include OVAL-IDs. The changes are outlined below:
OVAL Compatibility Main Page - provides dashboard access to the section and an overview of current statistics including number of officially compatible products and services, products declaring that they will be compatible, organizations participating, and declarations to include OVAL-IDs.
Compatibility Process - updated to focus solely on compatibility with the OVAL schemas and OVAL definitions. Products that only include OVAL-IDs are no longer eligible for the compatibility program but can be listed on the new "Declarations to Include OVAL-IDs" page (see below).
Compatibility Requirements - updated to focus solely on compatibility with the OVAL schemas and/or OVAL definitions. A new subsection, "Section 9. Declarations to Include OVAL-IDs" provides instructions about how a capability can be listed on the new "Declarations to Include OVAL-IDs" page (see below).
Compatibility Benefits - a new page that explains how adopting OVAL-compatible products and services benefits those organizations working to secure their enterprises, and how providing compatible products benefits the vendors that help them do it.
Compatible Products and Services - a complete list of all products and services to date that have been certified "Officially OVAL-Compatible."
Declarations to Be OVAL-Compatible - a list of products and services from organizations in the process of working towards OVAL compatibility.
- Organizations Participating - a list of all organizations participating in the program, including those that are compatible and those working towards compatibility.
- By Product - a tabular list of all products and services in the program, including those that are compatible and those working towards compatibility, organized alphabetically by product name.
- By Country - a tabular list of all products and services in the program, including those that are compatible and those working towards compatibility, organized by country.
- By Capability - a tabular list of all products and services in the program, including those that are compatible and those working towards compatibility, organized by capability.
Declarations to Include OVAL-IDs - a new page focusing on products and services that are not compatible with OVAL technical data but do include OVAL-IDs. If a tool, Web site, database, archive, or security advisory includes OVAL-IDs as part of the information it conveys about a security issue, and provides for searching by OVAL-ID with potential linkage back to the source definition of the OVAL-ID, it can be listed with "Verified," "Available," or "Planned" status on this new page. (See Section 9. Declarations to Include OVAL-IDs of the OVAL Compatibility Requirements document for a detailed list of the requirements for being verified for including OVAL-IDs, and how to make a declaration.)
Make a Declaration - instructions on how vendors can begin the process for declaring their product or service OVAL-compatible.
Other pages in the section, including What it Means to Be OVAL-Compatible and the Introduction to OVAL Compatibility, have also been updated. Many of the changes are a direct result of feedback from vendors and users. We welcome any comments about OVAL, OVAL compatibility, or these revisions at oval@mitre.org.
Photos from OVAL Booth at InfoSec World 2006
MITRE hosted an OVAL/CVE/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th in Orlando, Florida, USA. Photos from the event are included below:
Visit the OVAL Calendar page for information on this and other upcoming events.
Release Candidate 2 of the Version 5 OVAL Schemas Now Available
Release Candidate 2 of the Version 5.0 OVAL Schemas is now available on the Upcoming OVAL Schema Changes - Version 5.0 page. This update includes the addition of a combined Linux Schema. A complete list of updates is available in the Status Reports on the Version 5 Schema section.
The Version 5 Schemas are currently scheduled to move to the Official stage on June 16, 2006. Vendors should begin their migration now to the new version. Visit the Upcoming OVAL Schema Changes - Version 5.0 page for the latest information on the Schemas, OVAL Interpreter, Interpreter Source Code, and Data Files for Version 5.
New OVAL Board Member
Gary Miliefsky of NetClarity has joined the OVAL Board.
OVAL to Present Briefing at GFIRST National Conference 2006 on May 3rd
OVAL Technical Lead Matthew N. Wojcik and CME Program Manager Julie Connolly are scheduled to present a briefing on May 3, 2006 entitled "Vulnerability, Secure Configuration, and Malware Information Exchange Using CVE, OVAL, and CME" at the Government Forum of Incident Responders and Security Teams (GFIRST) second annual "GFIRST National Conference 2006" at the Doubletree Hotel in Orlando, Florida, USA.
The presentation will examine MITRE's three DHS-sponsored security information exchange initiatives: Common Vulnerabilities and Exposures (CVE), Open Vulnerability and Assessment Language (OVAL), and Common Malware Enumeration (CME). The presentation will start with the most established project, CVE, move to OVAL, the increasingly popular language for specifying system state information, and finish with the newest initiative for malware, CME. The purpose of each effort, its goals, participants, and future plans will be reviewed. How each effort benefits the incident response community will also be reviewed.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL to Present Briefing at DOD System and Software Technology Conference on May 4th
OVAL Compatibility Lead Robert A. Martin is scheduled to present a briefing on May 4, 2006 entitled "Bringing Standards to Software Source Code Security Assessment" at the U.S. Department of Defense (DOD) Joint Service's "18th Annual System and Software Technology Conference" at the Salt Palace Convention Center in Salt Lake City, Utah, USA.
The purpose of the conference is to help "government, industry, and academia [to] collaborate more closely in all aspects of systems and software engineering — designing, building, and managing complex 'systems of systems' in support of DOD."
Visit the OVAL Calendar page for information on this and other upcoming events.
OVAL Hosts Booth at MISTI's InfoSec World 2006
MITRE hosted an OVAL/CVE/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference exposed OVAL, CVE, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.
Visit the OVAL Calendar page for information on this and other upcoming events.
OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins
New OVAL definitions have been posted in the OVAL Definitions Repository to address the recent security bulletins issued by Microsoft Corporation on March 17, 2006.
- CVE-2006-0023 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-011: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)." Tests for the vulnerability include OVAL1696 and OVAL1671.
- CVE-2006-0028 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)." Tests for the vulnerability include OVAL1158, OVAL1411, OVAL1509, and OVAL1635.
- CVE-2006-0029 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)." Tests for the vulnerability include OVAL1633, OVAL1522, OVAL1579, and OVAL1570.
- CVE-2006-0030 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)." Tests for the vulnerability include OVAL1401, OVAL1666, OVAL1630, and OVAL1510.
- CVE-2006-0031 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)." Tests for the vulnerability include OVAL1327, OVAL763, OVAL1750, and OVAL1525.
- CVE-2006-0009 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-012: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (905413)." Tests for the vulnerability include OVAL1553, OVAL798, OVAL1504, and OVAL1653.
All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.
FrSIRT Includes OVAL-IDs in Security Advisories
French Security Incident Response Team (FrSIRT) issued a security advisory on February 2, 2006 that referenced OVAL670, OVAL677, OVAL1339, OVAL1493, OVAL1494, OVAL1514, OVAL1562, and OVAL1625. Numerous other FrSIRT security advisories also include OVAL-IDs.
Release Candidates of the Version 5.0 OVAL Schemas Now Available
Version 5.0 of the OVAL Definition Schema, System Characteristics Schema, and Results Schema are now in the Release Candidate stage and are available for review on the Upcoming OVAL Schema Changes - Version 5.0 page. Vendors should begin their migration now to the new version in preparation for its move to the Official stage on June 16, 2006.
Version 5 is a major version change. For a complete list of changes, visit the Upcoming OVAL Schema Changes - Version 5.0 page.
OVAL Interpreter Updated for Version 5.0 Release Candidates
A beta version of the reference OVAL Interpreter is now available for the Version 5.0 OVAL Schema Release Candidates. Data Files that include a partial sample of the definitions and schemas for Version 5.0 are also available for use with the Interpreter release candidate.
Visit the Upcoming OVAL Schema Changes - Version 5.0 page to download the Interpreter and Data Files and for the latest information on Version 5.
OVAL Presents Briefing at MISTI's FISMA Risk Management & Compliance Training Symposium on March 14th
OVAL Compatibility Lead Robert A. Martin presented a briefing that includes OVAL entitled "Program Automation and Standards: The Key to Economic FISMA Compliance" at MIS Training Institute's (MISTI) "FISMA Risk Management & Compliance Training Symposium" on March 14, 2006 in Washington, D.C., USA. FISMA is the Federal Information Security Management Act of 2002, which provides the framework for securing the U.S. government's information technology.
Topics covered in the briefing session included standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL Initiative Surpasses 1,500+ Definitions
OVAL has achieved a milestone with 1,506 OVAL Definitions now posted on the OVAL Web site. As of this site update, there are 1,450 Accepted, 38 Interim, and 18 Draft vulnerability and compliance definitions available for the Windows, Solaris, Red Hat Linux, and HP-UX operating systems.
Active participation is important to the success of the OVAL Initiative. Join the OVAL Community Forum to submit or comment on the development of OVAL definitions, then visit How to Participate for the specific and detailed ways in which you or your organization may help the effort.
OVAL to Host Booth at MISTI's InfoSec World 2006
MITRE is scheduled to host an OVAL/CVE/CME exhibitor booth at MISTI's InfoSecWorld 2006 Conference & Expo on April 3rd - 4th at the Coronado Springs Resort in Orlando, Florida, USA. The conference will expose OVAL, CVE, and CME to a diverse audience of attendees from the banking, finance, real estate, insurance, and health care industries, among others. The conference is targeted to information security policy and decision makers from these and other industries, as well as directors and managers of information security, CIOs, network and systems security administrators, IT auditors, systems planners and analysts, systems administrators, software and application developers, engineers, systems integrators, strategic planners, and other information security professionals. Please stop by Booth 436 and say hello. In addition, organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL to Present Briefing at MISTI's FISMA Risk Management & Compliance Training Symposium on March 14th
OVAL Compatibility Lead Robert A. Martin is scheduled to present a briefing that includes OVAL entitled "Program Automation and Standards: The Key to Economic FISMA Compliance" at MIS Training Institute's (MISTI) "FISMA Risk Management & Compliance Training Symposium" on March 14, 2006 in Washington, D.C., USA. FISMA is the Federal Information Security Management Act of 2002, which provides the framework for securing the U.S. government's information technology.
Topics that will be covered in the briefing session include standards-based vulnerability and remediation capabilities; Open Vulnerability and Assessment Language (OVAL); standards-compliant test rules to drive assessment and reporting using commercial products; leveraging OVAL-compliant versions of the DISA STIGS or CIS benchmarks with commercial tools; improving reporting of vulnerability and configuration status for FISMA; and leveraging automation and standards to make FISMA reporting economical.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL Compatibility Main Topic of News Release by KACE Networks
KACE Networks, Inc. issued a news release on February 15, 2006 entitled "KACE Awarded Certificate of OVAL Compatibility for Automated Security Auditing For Mid-Market Networks." The release announces KACE's receipt of an Official Certificate of OVAL Compatibility at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA for its KBOX IT Management Suite. The release also describes what OVAL is and that it is sponsored by U.S. Computer Emergency Readiness Team (US-CERT) at the U.S. Department of Homeland Security.
The release includes a quote by Rob Meinhardt, CEO of KACE, who states: "OVAL is rapidly gaining widespread adoption in the industry because it helps IT organizations deal with the very real security and productivity threats that have escalated dramatically in the last five years. The KBOX is the easiest way for Windows administrators to manage security threats today and we're committed to working with standards like OVAL to ensure that Windows security can be managed easily in the future."
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL Compatibility Process and Declarations of OVAL Compatibility.
Four Certificates of OVAL Compatibility Awarded to Qualys, Inc.
Qualys, Inc. was recently presented with four Official Certificates of OVAL Compatibility for its QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP products. MITRE presented the awards at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA.
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL Compatibility Process and Declarations of OVAL Compatibility.
Certificate of OVAL Compatibility Awarded to BigFix, Inc.
BigFix, Inc. was recently presented with an Official Certificate of OVAL Compatibility for its BigFix Enterprise Suite product. MITRE presented the award at RSA Conference 2006 on February 14, 2006 in San Jose, California, USA.
For additional information about OVAL compatibility and to review all products and services listed, visit the OVAL Compatibility Process and Declarations of OVAL Compatibility.
OVAL Participates on Discussion Panel about "Open XML Formats for Security Guidance and Remediation" at RSA 2006
OVAL Team Member Drew Buttner participated on a panel discussion on February 14, 2006 at RSA Conference 2006 in San Jose, California, USA entitled "OVAL and XCCDF: Open XML Formats for Security Guidance and Remediation." OVAL Board member David Waltermire of the Center for Internet Security also participated on the panel. The purpose of the session was to "present two community XML formats designed to give a common, vendor-independent framework for security guidance, vulnerability testing, remediation, and scoring. XCCDF supports construction of structured benchmarks, tailoring and fixes [and] OVAL is a specification for checking vulnerabilities and security configuration issues on computer and network systems."
The session was successful and met the stated objectives for attendees, which was to "Illustrate the structure and capabilities of the Open Vulnerability Assessment Language (OVAL) and the Extensible Configuration Checklist Description Format (XCCDF). Show how the formats fit together and contribute to a vision of inter-operable, timely, automated security management. Explain how the formats can be used by tool vendors, security guidance authors, and auditors."
Additional information about XCCDF can be found on the U.S. National Institute of Standards and Technology's (NIST) Computer Security Resource Center Web site.
OVAL Hosts Booth at RSA Conference 2006, February 13-17
MITRE hosted an OVAL/CVE/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. The RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event introduced OVAL, CVE, and CME to security professionals from industry, government, and academia from around the world. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.
Photos from the event are included below:
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL and CVE Main Topics of MITRE Digest Article
OVAL and CVE were the main topics of a February 2006 MITRE Digest article on the MITRE Corporation Web site entitled "Information Assurance Industry Uses CVE and OVAL to Identify Vulnerabilities." The article describes how "as the number of software vulnerabilities continues to increase, MITRE's CVE and OVAL initiatives are becoming standards in the information assurance industry." The article further describes how the growing list of CVE names "ensures enhanced interoperability and security for enterprises" and describes how "OVAL identifies vulnerabilities and configuration issues."
The article concludes with a section on how "MITRE is leveraging the CVE and OVAL Initiatives to help the [U.S.] Department of Defense (DoD) transform its enterprise incident and remediation management efforts" and how "as a result, the DoD will be fundamentally changing the way it deals with vulnerabilities and configuration issues in the commercial and open source components of its infrastructure and mission systems."
6 Additional Information Security Products/Services Now Registered as Officially "OVAL-Compatible"
Six information security products and services from three organizations have achieved the final stage of MITRE's formal OVAL Compatibility Process and are now officially "OVAL-Compatible." Each product is now eligible to use the OVAL-Compatible Product/Service logo, and their completed and reviewed "OVAL Compatibility Requirements Evaluation" questionnaires are posted as part of their product listings in the Compatible Products and Services section on the OVAL Web site.
The following products are now registered as officially "OVAL-Compatible":
- BigFix, Inc. - BigFix Enterprise Suite
- KACE Networks, Inc. - KBOX IT Management Suite
- Qualys, Inc. - QualysGuard Consultant, QualysGuard Enterprise, QualysGuard Express, and QualysGuard MSP
Use of the official OVAL-Compatible Product/Service logo by these organizations will allow system administrators and other security professionals to look for the logo when adopting vulnerability management products and services for their enterprises. The compatibility process questionnaires will help end-users compare how different products satisfy the OVAL compatibility requirements, and therefore which specific implementations are best for their networks and systems.
OVAL Compatibility certificates were awarded on Tuesday, February 14, 2006 at RSA Conference 2006 in San Jose, CA, USA, to the organizations that have achieved this final phase. All three organizations received certificates at the event, including BigFix, Inc., KACE Networks, Inc., and Qualys, Inc.
For additional information about OVAL compatibility and to review all products and services listed, visit Introduction to OVAL Compatibility, OVAL Compatibility Process, and Declarations of OVAL Compatibility.
BigFix, Inc. Posts OVAL Compatibility Questionnaire
BigFix, Inc. has achieved the second phase of the OVAL Compatibility Process by posting an OVAL Compatibility Questionnaire for BigFix Enterprise Suite. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL Compatibility Process page and the Declarations of OVAL Compatibility.
KACE Networks, Inc. Posts OVAL Compatibility Questionnaire
KACE Networks, Inc. has achieved the second phase of the OVAL Compatibility Process by posting an OVAL Compatibility Questionnaire for KBOX IT Management Suite. In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL Compatibility Process page and the Declarations of OVAL Compatibility.
OVAL Called "Extremely Cool" in Opinion Article in SC Magazine
OVAL was mentioned in an opinion article entitled "Innovation Still Exists" in the January 20, 2006 issue of SC Magazine. OVAL is mentioned as one of the projects the author was most impressed with at the 32nd Annual CSI Computer Security Conference: "Next stop was MITRE's [CVE/OVAL/CME] booth. I've been a fan of CVE for as long as it's been in existence. Their big news is OVAL (Open Vulnerability and Assessment Language). This is an extremely cool way to manage vulnerabilities and vulnerability assessments. Again, my team is working with this and merging it with ProDiscover IR using ProScript to do automated host-based vulnerability assessment as part of incident response." The article was written by Peter Stephenson of Norwich University.
Updated Version 5.0 Draft OVAL Schemas Now Available
Sixth drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.
Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Developer's List.
OVAL to Host Booth at RSA Conference 2006, February 13-17
MITRE is scheduled to host an OVAL/CVE/CME exhibitor booth at RSA Conference 2006 on February 13-17, 2006 at the McEnery Convention Center, in San Jose, California, USA. The RSA Conference provides a forum for information security professionals and visionaries to "exchange and collaborate in a dynamic, authoritative setting." The event will introduce OVAL, CVE, and CME to security professionals from industry, government, and academia from around the world. Organizations listed in the OVAL-Compatible Products and Services section will also be exhibiting. Please stop by Booth 1743, or any of these booths, and say hello.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL Hosts Booth at IA Conference Workshop, January 30 - February 1
MITRE hosted an OVAL/CVE/CME exhibitor booth at the 10th annual U.S. Department of Defense (DOD) Information Assurance (IA) Conference Workshop on January 30 - February 1, 2006 at the Philadelphia Marriott Downtown, in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the U.S. Defense Information Systems Agency, National Security Agency, Joint Staff, and the United States Strategic Commands, was to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of DOD IA strategy. The event introduced OVAL, CVE, and CME to representatives of the DOD and other Federal Government employees and their sponsored contractors. Organizations listed in the OVAL-Compatible Products and Services section also exhibited.
Visit the OVAL Calendar for more information about this and other events.
OVAL Hosts Compatibility Testing Session
The OVAL Initiative hosted an OVAL Compatibility Testing Session on January 24, 2006 at MITRE Corporation in Bedford, Massachusetts, USA. Three organizations from the OVAL Community—BigFix, Inc., Qualys, Inc., and KACE Networks, Inc.—participated in the event.
The purpose of the testing session is to ensure that organizations, and their capabilities, use OVAL as defined by the OVAL community. Refer to the OVAL-Compatible Products and Services section for additional information, or send questions regarding compatibility and compatibility testing to oval@mitre.org.
Qualys, Inc. Posts Four OVAL Compatibility Questionnaires
Qualys, Inc. has achieved the second phase of the OVAL Compatibility Process by posting an OVAL Compatibility Questionnaire for QualysGuard Consultant, OVAL Compatibility Questionnaire for QualysGuard Enterprise, OVAL Compatibility Questionnaire for QualysGuard Express, and an OVAL Compatibility Questionnaire for QualysGuard MSP.
In Phase 2 of the compatibility process the organization's completed compatibility requirements evaluation questionnaire is posted on the OVAL Web site while it is evaluated by MITRE as the final step towards the product or service being registered as "Officially OVAL-Compatible."
For additional information and to review the complete list of all products and services participating in the compatibility program, visit the OVAL and OVAL-ID Compatibility Process page and the Declarations of OVAL Compatibility.
Updated Version 5.0 Draft OVAL Schemas Now Available
Fifth drafts of the Version 5.0 OVAL Definition Schema, System Characteristics Schema, and Results Schema have been posted for review and comment on the Upcoming OVAL Schema Changes - Version 5 page. A complete list of the updates is available in the Status Reports on the Version 5 Schema section.
Version 5 is posted with "Draft" status; the current "Official" version of OVAL is Version 4.2. Comments on the draft Version 5 OVAL Schemas are welcome on the OVAL Developer's List.
Photographs from Recent OVAL Exhibitor Booths
MITRE hosts an OVAL exhibitor booth at various events throughout the year. Below are photographs of events from autumn 2005:
OVAL to Host Booth at IA Conference Workshop, January 30 - February 1
MITRE is scheduled to host an OVAL/CVE/CME exhibitor booth at the 10th annual U.S. Department of Defense (DOD) Information Assurance (IA) Conference Workshop on January 30 - February 1, 2006 at the Philadelphia Marriott Downtown, in Philadelphia, Pennsylvania, USA. The purpose of the workshop, which is hosted by the Defense Information Systems Agency (DISA), National Security Agency (NSA), Joint Staff, and the United States Strategic Commands, is to provide a forum in which the IA community can provide updates and work issues on relevant IA topics that have been aligned with the goals of DOD IA strategy. The event will introduce OVAL, CVE, and CME to representatives of the DOD and other Federal Government employees and their sponsored contractors. Please stop by Booth 207 and say hello.
Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
OVAL Hosts Booth at Homeland Security for Networked Industries 2006 Conference & Expo
MITRE hosted an OVAL/CVE/CME exhibitor booth at Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo on January 9-11, 2006 at Walt Disney World Resort, in Orlando, Florida, USA. In addition, organizations with OVAL and OVAL-ID Compatible Products and Services also exhibited at the expo.
Visit the OVAL Calendar for information about this and other events.
OVAL-IDs Now Available for CVE-2005-4560
New and modified OVAL definitions have been submitted to address CVE-2005-4560, the recent high-profile vulnerability in the handling of WMF/EMF image files in Windows Operating systems.
On January 5, 2006 Microsoft Corporation released "Microsoft Security Bulletin MS06-001: Vulnerability in Graphics Rendering Engine Could Allow Remote Code Execution (912919)" with updated information about this vulnerability, including the availability of patches for Windows 2000, Windows XP, and Windows Server 2003.
ThreatGuard, Inc. has submitted six new and updated OVAL definitions to test for this issue. They are: OVAL1431 for Windows 2000; OVAL1433 for Windows XP SP2; OVAL1460 for Windows 2003 SP1; OVAL1492 for Windows XP SP1, 64-bit edition; OVAL1564 for Windows XP SP1, 32-bit edition; and OVAL1612 for Windows 2003 Gold.
OVAL-IDs Now Available for Most Recent Microsoft Security Bulletins
New OVAL definitions have been submitted to address the recent security bulletins issued by Microsoft Corporation on January 10, 2006.
- CVE-2006-0010 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-002: Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution (908519)." Tests for the vulnerability include OVAL698, OVAL714, OVAL1126, OVAL1185, OVAL1462, and OVAL1491.
- CVE-2006-0002 has been assigned to the vulnerability described in "Microsoft Security Bulletin MS06-003: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)." Tests for the vulnerability include OVAL624, OVAL1082, OVAL1165, OVAL1316, OVAL1456, and OVAL1485.
All of the vulnerability definitions noted above were submitted by ThreatGuard, Inc. See View Definitions to review these and all definitions in the OVAL Definitions Repository.
OVAL Announces Initial 'Calendar of Events' for 2006
The OVAL effort has announced its initial calendar of events for the first half of 2006. Details regarding MITRE's scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
- Homeland Security for Networked Industries (HSNI) 2006 Conference & Expo, January 9-11, 2006
- DOD IA Conference Workshop, January 30 - February 1, 2006
- RSA Conference 2006, February 13-17, 2006
- MISTI's InfoSec World 2006 Conference & Expo, April 3-4, 2006
Other events will be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CME, and/or other vulnerability management topics at your event.
Page Last Updated: June 17, 2013