News and Events - 2008 Archive

December 22, 2008

OVAL Adoption Program Timeline Updated

The rollout timeline on the OVAL Adoption Program page for OVAL and NIST’s new OVAL Adoption/Validation Programs has been updated. Any product that is currently listed as OVAL-Compatible for a capability that will be tested in the new SCAP Validation Program for OVAL will now be grandfathered for one year beginning on April 1, 2009.

See the OVAL Adoption Program page for additional information and the complete timeline.

December 4, 2008

MITRE Presents Making Security Measurable White Paper at MILCOM 2008 on November 19

MITRE Principal Engineer Robert A. Martin presented a white paper entitled "Making Security Measurable and Manageable" at MILCOM 2008 on November 19, 2008 in San Diego, California, USA. The paper introduces MITRE’s Making Security Measurable effort by explaining in detail how information security data standards such as OVAL, CPE, CVE, CCE, CAPEC, CWE, and others facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar page for information on this and other upcoming events.

OVAL Mentioned in MITRE News Release about Recommendation Tracker

OVAL was mentioned in a December 1, 2008 MITRE news release entitled "MITRE Releases New Security Software" about its new, open source "Recommendation Tracker" software that "facilitates development of automated security benchmarks." "System administrators use benchmarks - essentially a set of recommendations - to securely configure an operating system or software application and then set up automatic testing to ensure proper configuration."

OVAL is mentioned when the release notes that Recommendation Tracker is "the latest tool developed by MITRE in the last 10 years to help the security community produce automated, standardized benchmarks" and that four MITRE-run information security data standards — OVAL, CCE, CPE, and CVE — are among the six existing standards used in the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to enable automated vulnerability management, measurement, and policy compliance evaluation.

The release also mentions MITRE’s free one-day Benchmark Development Course that instructs attendees how to use MITRE’s OVAL, CCE, Recommendation Tracker, and Benchmark Editor, as well as other information assurance standards and tools, to help vendors and security content developers produce good benchmarks more efficiently.

November 7, 2008

OVAL Adoption Program Timeline Announced

A rollout timeline has been posted on the OVAL Adoption Program page for OVAL and NIST’s new OVAL Adoption/Validation Programs. Any product that is currently listed as OVAL-Compatible for a capability that will be tested in the new SCAP Validation Program for OVAL will be grandfathered for one year beginning April 1, 2009. NIST is currently reviewing the list of OVAL-Compatible products and will contact all participating vendors and let them know if their products are being grandfathered and how the changes in the validation program will impact them.

See the OVAL Adoption Program page for additional information and the complete timeline.

OVAL Board Teleconference Minutes Posted

Meeting minutes for the OVAL Board teleconference held on Monday, October 20, 2008 have been posted on the Discussion Archives page.

October 16, 2008

OVAL Interpreter Updated to Version 5.5.4

The OVAL Interpreter has been updated to Version 5.5.4. Specific updates to the OVAL Interpreter included: adding support for the new wuaupdatesearcher_test, correcting some minor bugs, and adding support for RedHat EL5.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

October 1, 2008

Version 5.5 of OVAL Now Available

Version 5.5 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files on the SourceForge.net Web site at http://sourceforge.net/projects/ovaldi/ have also been updated.

Version 5.5 is a minor version change and includes the following: add a new PIX OS schema; add a new WUA Update Searcher test in the Windows schema; add a new line test to the CatOS schema; add table to show how evaluation works related to the ExistenceEnumeration; add schematron to make the var_check attribute required when var_ref is used; restrict operation via schematron for <xpath> entity to just equals; fix incorrect schematron mapping between default and string datatype; clarify version datatype documentation related to the use of different delimiter characters; ensure minoccurs or maxoccurs appears in element dictionaries; fix error in entity names in user_sid_test; clarify intention of a .* pattern match with a trustee_sid entity; remove stale object_ref mention from ItemType documentation in SC schema; document what value the instance entity of a textfilecontent54_test starts at; document what happens if an individual component of a local_variable returns multiple values; enhance documentation related to illegal datatype casting; update definition of DatatypeEnumeration to base datatypes on XML Schema types; add a function for comparing date-time strings; add a function for capturing a substring based on a regex; modification of the ios version_test; modification of the catos version test; add functions to support add, subtract, divide, and multiply arithmetic operations; fix errors found in schematron; and update the documentation. As this is a minor version change, Version 5.5 will not invalidate existing content that currently validates against Version 5.4. See the OVAL Language Releases page for more information.

The following have been updated to Version 5.5:

The following are also available for using Version 5.5:

The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.5.

OVAL Interpreter Updated for Version 5.5

The OVAL Interpreter has been updated to Version 5.5. Specific updates to the OVAL Interpreter included: addition of support for Version 5.5 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

OVAL Repository Announces Top Contributors Awards for Q3-2008

Secure Elements, Inc. and Hewlett-Packard received the "OVAL Repository Top Contributors Awards" for Q3-2008. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

OVAL-Related Workshops and "Making Security Measurable" Table Booth at Security Automation Conference 2008, September 23-25

The OVAL Team contributed to OVAL-related workshops and MITRE hosted a Making Security Measurable table booth at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results.

OVAL and NIST also recently announced a partnership to facilitate community adoption of OVAL with two independent but complementary efforts, an "OVAL Adoption Program" managed by MITRE and a "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST. Refer to the OVAL Adoption Program page for additional information.

Visit the OVAL Calendar for information on this and other events.

September 10, 2008

OVAL Version 5.5 in Release Candidate Stage

Version 5.5 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on October 1, 2008. Version 5.5 will be a minor version update that adds new functions to the variable section of the core definition schema, a new schema for PIX OS (submitted by Hewlett-Packard), modifications to the version test in both the IOS schema and the CatOS schema, a WUA Update Searcher test in the Windows schema, modified tests for catos, and updated schematron related to datatypes, and that updates the documentation. As this is a minor version change, Version 5.5 will not invalidate existing content that currently validates against Version 5.4, the current official version of OVAL. A complete list of changes for Version 5.5 is available on the Upcoming Minor Version page.

September 4, 2008

OVAL and NIST Partner to Create New OVAL Adoption/Validation Programs

OVAL has partnered with the U.S. National Institute of Standards and Technology (NIST) to replace the OVAL Compatibility program with two independent but complementary efforts, an "OVAL Adoption Program" managed by MITRE and the "Security Content Automation Protocol (SCAP) Validation Program" managed by NIST.

NIST will provide additional details about the new programs at its Security Automation Conference & Workshop 2008 on September 23-24, 2008 in Gaithersburg, Maryland, USA.

During the coming months the OVAL Web site will be updated to reflect the new program. Products currently listed in the OVAL Compatibility section will be moved into a new OVAL Adoption section. Additional information is available on the OVAL Adoption Program page.

Draft 2 of OVAL Version 5.5 Now Available

Draft 2 of Version 5.5 of the OVAL Language is now available. Version 5.5, currently in the Draft stage, is scheduled to be moved to the Release Candidate stage on September 10, 2008 and the Official stage on October 1, 2008.

Draft 2 includes the proposed WUA Update Searcher test in the Windows schema as well as modifications to the Version test in both the IOS schema and the CatOS schema. In addition, new functions were added to the variable section of the core definition schema.

As this is a minor version change, Version 5.5 will not invalidate existing content that currently validates against Version 5.4, the current official version of OVAL. A complete list of changes for Version 5.5 is available on the Upcoming Minor Version page.

August 14, 2008

OVAL Version 5.5 in Draft Stage

Version 5.5 of the OVAL Language is currently in the Draft stage and is scheduled to be moved to the Official stage on September 18, 2008. Version 5.5 will be a minor version update to add a new schema for PIX OS (submitted by Hewlett-Packard), add modified tests for catos, update schematron related to datatypes, and update the documentation. As this is a minor version change, Version 5.5 will not invalidate existing content that currently validates against Version 5.4, the current official version of OVAL. A complete list of changes for Version 5.5 is available on the Upcoming Minor Version page.

Coverage of Cisco IOS Added to OVAL Repository

The OVAL Repository now includes coverage for the Cisco IOS operating system, in addition to coverage for UNIX and Windows. Hewlett-Packard contributed 110 OVAL Definitions for IOS on July 30, 2008.

OVAL Included as Topic at Security Automation Conference 2008, September 23-25

OVAL will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) Security Automation Conference & Workshop 2008 on September 23-25, 2008 in Gaithersburg, Maryland, USA. The OVAL Team is also scheduled to contribute to the OVAL-related workshops.

NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.

Visit the OVAL Calendar for information on this and other events.

OVAL Participates in "Making Security Measurable" Booth at Black Hat Briefings 2008

OVAL participated in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Visit the OVAL Calendar for information on this and other events.

July 24, 2008

OVAL Repository Announces Top Contributors Awards for Q2-2008

GFI Software Ltd., Hewlett-Packard, and Secure Elements, Inc. received the "OVAL Repository Top Contributors Awards" for Q2-2008. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

Maitreya Security Ltd. Co. Makes Declaration of OVAL Compatibility

Maitreya Security Ltd. Co. declared that the Dharma Repository will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

July 10, 2008

OVAL to Participate in "Making Security Measurable" Booth at Black Hat Briefings 2008 on August 6-7

OVAL is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2008 on August 6-7, 2008 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.

Visit us at Booth A and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Visit the OVAL Calendar for information on this and other events.

June 26, 2008

MITRE Hosts "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19

MITRE hosted a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the OVAL Calendar for information on this and other events.

June 5, 2008

OVAL Included in Ubuntu 8.04

Version 5.3 of the OVAL Interpreter was included in the April 21, 2008 release of Ubuntu 8.04. Information about the inclusion of OVAL was posted for the public at http://packages.ubuntu.com/hardy/admin/ovaldi.

OVAL Developer Days 2008 Meeting Minutes Now Available

Meeting minutes from this year’s OVAL Developer Days conference held on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA are now available on the OVAL Developer Days page.

MITRE Presents "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4

CVE Compatibility Lead/CWE Program Manager Robert A. Martin presented a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.

Visit the OVAL Calendar for more information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CRF, CVE, CCE, CPE, CEE, CAPEC, CWE, and/or Making Security Measurable at your event.

MITRE Presents "Making Security Measurable" Briefing and a Half-Day Tutorial at AusCERT 2008 on May 18-23

CVE Compatibility Lead/CWE Program Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey presented a Making Security Measurable briefing and hosted a half-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.

The conference exposed the OVAL, CRF, CVE, CCE, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

May 15, 2008

Secure Elements Issues News Release Announcing Receipt of Q1-2008 OVAL Repository Top Contributor Award

OVAL was the main topic of an April 30, 2008 news release by Secure Elements, Inc. entitled "Secure Elements Receives OVAL Repository Top Contributor Award for Advancing Open Information Security Content Standard."

The release explains OVAL and the OVAL Repository and includes a quote by OVAL Program Lead Jon Baker, who states: "The OVAL Repository Top Contributor Award is reserved for organizations that assist in making the OVAL Repository a gold standard for open information security content. Secure Elements is recognized today for their invaluable content submissions of new definitions and enhancements to existing Repository content."

The release also includes a quote by Secure Elements’ Chief Security Architect Scott Carpenter, who states: "Secure Elements is proud to support the OVAL community by offering our expertise to accelerate availability of vulnerability checks during the monthly Patch Tuesday exercise. This recognition reflects our commitment to author and contribute to industry leading, publicly available security content initiatives such as the OVAL Repository and for the NIST Information Security Automation Program (ISAP), where we have contributed content for auditing the Federal Desktop Core Configuration (FDCC) for Microsoft Windows XP and Windows Vista. As the first and only vendor that has become NIST SCAP Validated for providing a Vulnerability Database, Secure Elements is recognized as the authoritative "go to" source for content, products, and services during this time of critical federal cyber-initiatives."

Secure Elements, Inc. is a member of the OVAL Board and its C5 Compliance Platform Version 3.0 is listed on the OVAL Web site as "Officially OVAL-Compatible."

OVAL Developer Days 2008 Slides Now Available

Briefing slides from this year’s OVAL Developer Days conference held on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA are now available on the OVAL Developer Days page.

MITRE Scheduled to Present "Making Security Measurable" Briefing and a Full-Day Tutorial at AusCERT 2008 on May 18-23

CVE Compatibility Lead/CWE Project Manager Robert A. Martin and CVE Technical Lead/CWE Technical Lead Steven M. Christey are scheduled to present a Making Security Measurable briefing and host a full-day Making Security Measurable tutorial at AusCERT 2008 on May 18-23, 2008 at Royal Pines Resort in Gold Coast, Australia.

The conference will expose the OVAL, CRF, CVE, CCE, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

MITRE Scheduled to Present "Making Security Measurable" Briefing at 4th Annual GFIRST Conference on June 2-4

CVE Compatibility Lead/CWE Project Manager Robert A. Martin is scheduled to present a briefing about Making Security Measurable at the 4th Annual GFIRST Conference on June 2-4, 2008 at the Caribe Royale Hotel in Orlando, Florida, USA.

Visit the OVAL Calendar for information on this and other events.

MITRE Scheduled to Host "Making Security Measurable" Booth at 2008 Cyberspace Symposium on June 16-19

MITRE is scheduled to host a Making Security Measurable booth at the 2008 Cyberspace Symposium on June 16-19, 2008 at the Best Western Royal Plaza Hotel and Trade Center in Marlborough, Massachusetts, USA.

Visit the OVAL Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13

CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing at 2008 IEEE Conference on Technologies for Homeland on May 12-13, 2008 at the Westin Hotel in Waltham, Massachusetts, USA.

Visit the OVAL Calendar for information on this and other events.

May 1, 2008

MITRE Hosts OVAL Developer Days 2008 on April 28-29

The OVAL Team hosted this year’s OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. The event included 36 participants from 12 organizations and focused on the development of Version 6 of the OVAL Language.

Specific talks included What Goes Into a Major Version, Merging the <affected> Element into the Criteria Section for Version 6, Definitions as the Focal Point, Reusing Content Across External Repositories, Supporting Network Devices, Repository and Reference Implementation Transition, Status of Stand-Alone Objects, Choice Structure, Agility in the OVAL Language, Future of OVAL Compatibility, Regular Expression Syntax, OVAL’s XML Footprint, and What Is Needed in a Remediation Language.

Meeting minutes and slides will be posted on the OVAL Developer Days page once they are available.

TMC y Cia Makes Declaration of OVAL Compatibility

TMC y Cia declared that its vulnerability analysis service, FAV - Falcon Análisis de Vulnerabilidades, is OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

MITRE Presents "Making Security Measurable" Briefing at CSI Security Exchange 2008 on April 27

CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Security Measurement and Management for Compliance" at CSI Security Exchange 2008 on April 27, 2008 at Mandalay Bay Convention Center in Las Vegas, Nevada, USA.

The conference exposed the OVAL, CRF, CVE, CCE, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

MITRE Presents "Making Security Measurable" Briefing at GOVSEC on April 24

CVE Compatibility Lead/CWE Project Manager Robert A. Martin presented a Making Security Measurable briefing entitled "Architecting Your IT Security Standards to Secure your Enterprise" at GOVSEC on April 24, 2008 at Walter E. Washington Convention Center in Washington, D.C., USA.

Visit the OVAL Calendar for information on this and other events.

MITRE Hosts "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE hosted a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference exposed the OVAL, CVE, CCE, CPE, CAPEC, CWE, CRF, CEE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

April 10, 2008

Version 5.4 of OVAL Now Available

Version 5.4 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language Releases page. The OVAL Interpreter, Interpreter Source Code, and Data Files on the SourceForge.net Web site at http://sourceforge.net/projects/ovaldi/ have also been updated.

Version 5.4 is a minor version change and includes the following: added sql test to the independent schema; changed the datatype of the comment attribute to not accept empty strings; added include_group and resolve_group behaviors to the windows accesstoken_object; modified the schematron of the rpminfo_state to allow ‘version’ as a valid datatype for the <release> and <version> entities; added new privileges to the windows accesstoken_test; added an optional mask attribute; fixed a schema error that had a_time, c_time, and m_time defined as strings, changed to ints; added the audit event policy subcategories test to the windows schema; added a schematron rule in certain places to validate that an int value was supplied when a datatype of int was declared; added a share permission test to the windows schema; added a printer effective rights test; changed the trustee_name entity to trustee_sid for existing effective rights and audit permission tests, deprecated the original tests; added a check_existence attribute to an OVAL Test; added the ‘none satisfy’ value to the existing check attribute of an OVAL Test; added a ONE operator to the criterion element; added a user access control test; modified the hp-ux patch test; and updated the documentation. As this is a minor version change, Version 5.4 will not invalidate existing content that currently validates against Version 5.3. See the OVAL Language Releases page for more information.

The following have been updated to Version 5.4:

The following are also available for using Version 5.4:

The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.4.

OVAL Interpreter Updated for Version 5.4

The OVAL Interpreter has been updated to Version 5.4. Specific updates to the OVAL Interpreter included: addition of support for Version 5.4 of the OVAL Language and fixing some minor issues reported by the OVAL Community.

The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.

March 27, 2008

MITRE Scheduled to Host "Making Security Measurable" Booth at RSA 2008, April 7-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at RSA 2008 on April 7-11, 2008 at the Moscone Center in San Francisco, California, USA.

The conference will expose the OVAL, CRF, CVE, CCE, CME, CEE, CPE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

Draft Agenda for OVAL Developer Days 2008 Now Available

A draft agenda has been posted on the OVAL Developer Days page. MITRE is scheduled to host our OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. This two-day conference will be technical in nature and focus on the development of OVAL Version 6.

March 24, 2008

OVAL Interpreter — 5.3 Build 68 Released

The OVAL Interpreter has been updated to address several bugs found by Lumension Security, Inc. and others. A complete list of updates and fixes is available in the various downloads. This should be the final release to support version 5.3 of the OVAL Language. The next release will support version 5.4 of the OVAL Language when it becomes the official version.

March 7, 2008

OVAL Version 5.4 in Release Candidate Stage

Version 5.4 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on March 28, 2008. Version 5.4 will be a minor version update to add new community-requested tests, fix some errors found in the Windows component schemas, and update the documentation. As this is a minor version change, Version 5.4 will not invalidate existing content that currently validates against Version 5.3, the current official version of OVAL. A complete list of changes for Version 5.4 is available on the Upcoming Minor Version page.

OVAL Mentioned in Government Computer News Article about SCAP

OVAL was mentioned in a March 3, 2008 article entitled "SCAP narrows security gap" in Government Computer News. The main topic of the article is the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) program, which is "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements."

OVAL is mentioned as one of the "more mature standards" of the six SCAP includes: "Open Vulnerability and Assessment Language, also from Mitre, a standard Extensible Markup Language for security testing procedures and reporting."

Three of the other standards the author references as mature are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities. The author also notes the two "less mature" standards SCAP uses: Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; and Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming.

SCAP is an expansion of NIST’s U.S. National Vulnerability Database (NVD) that is based upon the CVE List, and NVD, CVE, and OVAL are all sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security.

February 21, 2008

MITRE to Host OVAL Developer Days 2008 on April 28-29

MITRE is scheduled to host our OVAL Developer Days conference on April 28-29, 2008 at MITRE Corporation in Bedford, Massachusetts, USA. This two-day conference will be technical in nature and focus on the development of OVAL Version 6.

The OVAL Community has identified a number of areas in the current version of the OVAL Language that need improvement. By bringing together the lead proponents within the OVAL Community, we hope to foster a rich and technical environment that will help kick start development of the new major version.

All members of the OVAL Community are welcome to attend. Please let us know by April 14th about your intention to attend by sending email to oval@mitre.org.

See the OVAL Developer Days page for conference details.

Lieberman Software Corporation Makes Declaration of OVAL Compatibility

Lieberman Software Corporation declared that its system security reporting, management, and remediation product, User Manager Pro, will be OVAL-Compatible. To review all products and services participating in the compatibility program, visit OVAL-Compatible Products and Services and Declarations to Be OVAL-Compatible.

MITRE to Host "Making Security Measurable" Booth at InfoSec World 2008, March 10-11

MITRE is scheduled to host a Making Security Measurable exhibitor booth at InfoSec World Conference & Expo 2008 on March 10-11, 2008 at the Rosen Shingle Creek Resort in Orlando, Florida, USA.

The conference will expose the OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

February 1, 2008

OVAL Interpreter Moved to SourceForge.net

The OVAL Interpreter and data files will now be hosted on the SourceForge.net Web site at http://sourceforge.net/projects/ovaldi/. The transition was made to provide better access to the OVAL Interpreter, its source code, and related documentation.

In particular, the move provides for the first time public access to bug tracking and feature request tracking for the Interpreter. There will also now be better support for community code contributions, increased accessibility to the Interpreter source and binaries, better maintenance of past versions of the Interpreter and its source code, and better Interpreter documentation.

The OVAL Interpreter Page on SourceForge includes the following:

  • Bug and Feature Request Tracking - replaces our internal MITRE-run SourceForge project.
  • File Distribution - replaces the downloads section of the OVAL Interpreter Download Page on the OVAL Web site.
  • SVN Repository - replaces our internal MITRE-run SourceForge project’s SVN Repository. External users will now be allowed anonymous read-only access to the repository.
  • Wiki - a primary source for information about the OVAL Interpreter.
  • Help Forum - the target for all Interpreter-related email help requests.

The OVAL Interpreter page on the OVAL Web site will now point visitors to the new location. Please send any comments or concerns to oval@mitre.org.

OVAL Mentioned in eWeek Article about the Federal Desktop Core Configuration

OVAL was mentioned in a January 13, 2008 article entitled "PC Lockdown in the Government and Beyond" in eWeek Magazine. The main topic of the article is the U.S. Office of Management and Budget (OMB)-mandated Federal Desktop Core Configuration (FDCC) for Windows XP and Vista.

OVAL is mentioned when the author states: "The [U.S. National Institute of Standards and Technology (NIST)]-developed [Security Content Automation Program (SCAP)] is the technical glue holding the FDCC effort together. SCAP content is security checklist data that is communicated in XML formats and provides data about vulnerability, configuration, compliance and asset information in Extensible Configuration Checklist Description Format and Open Vulnerability and Assessment Language."

MITRE Hosts "Making Security Measurable" Booth at 2008 Information Assurance Workshop, January 28 - February 1

MITRE hosted a Making Security Measurable exhibitor booth at the 2008 Information Assurance Workshop on January 28 - February 1, 2008 at the Philadelphia Marriott Downtown in Philadelphia, Pennsylvania, USA.

The conference exposed the OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and/or Making Security Measurable efforts to information security professionals from government and industry. Visit the OVAL Calendar for information on this and other events.

OVAL Board Teleconference Minutes Posted

Meeting minutes for the OVAL Board teleconference held on Monday, January 14, 2008 have been posted on the Discussion Archives page.

January 17, 2008

OVAL Repository Announces Top Contributors Awards for Q4-2007

Hewlett-Packard and Maitreya Security Ltd. Co. received the "OVAL Repository Top Contributors Awards" for Q4-2007. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.

Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.

OVAL Interpreter Updated

The OVAL Interpreter has been updated to incorporate several bug fixes and community code contributions, including updating the Linux makefile to better support building in various Linux environments, adding support for the textfilecontent_test, and adding support for the dpkginfo_test.

The list of updates and fixes is also available in the download bundle. See Download the OVAL Interpreter for the latest release and to review the Terms of Use.

OVAL Board Holds Teleconference

The OVAL Board held a teleconference on Monday, January 14, 2007 with 20 members participating. Topics of discussion included status updates on OVAL Version 5.4, the updated OVAL Interpreter, guidelines for external repositories, and planning for RSA Conference 2008 and OVAL Developer Days 2008.

January 3, 2008

MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2008

MITRE has announced its initial Making Security Measurable calendar of events for the first half of 2008. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.

Other events will be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CRF, CVE, CCE, CPE, CME, CEE, CAPEC, CWE, and/or Making Security Measurable at your event.


Page Last Updated: March 05, 2013