News and Events - 2010 Archive
SecPod Technologies Makes Declaration to Adopt OVAL
SecPod Technologies declared that its definitions repository, SecPod OVAL Definitions Professional Feed, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Critical Watch Makes Declaration to Adopt OVAL
Critical Watch declared that its FusionVM Enterprise Vulnerability Management System incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
eEye Digital Security Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
eEye Digital Security has achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Retina Network Security Scanner. In Phase 2 of the adoption process, the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
OVAL/Making Security Measurable Briefing at ITU-T Security Workshop
OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about OVAL/Making Security Measurable entitled "Vendor Neutral Security Measurement & Management with Standards" at ITU-T security workshop "Addressing Security Challenges on a Global Scale" on December 6-7, 2010 in Geneva, Switzerland.
Visit the OVAL Calendar for information on this and other events.
OVAL/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference
OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about OVAL/Making Security Measurable and the Common Weakness Enumeration (CWE) at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.
Visit the OVAL Calendar for information on this and other events.
Serkan Özkan Makes Declaration to Adopt OVAL
Serkan Özkan declared that its repository of OVAL Definitions from multiple sources, IT Security Database, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
IT Security Database Now Listed on "Other Repositories" Page
IT Security Database is now listed on the Other Repositories page in the OVAL Repository section for its repository of OVAL content.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
OVAL/Making Security Measurable Briefing at Rethinking Cyber Security: A Systems-Based Approach Conference, November 16-17
OVAL Team Member and CWE Program Manager Robert A. Martin will present a briefing about OVAL/Making Security Measurable and the Common Weakness Enumeration (CWE) at Rethinking Cyber Security: A Systems-Based Approach Conference on November 16-17, 2010 in Charlottesville, Virginia, USA.
Visit the OVAL Calendar for information on this and other events.
OVAL Board Meeting Minutes Now Available
Meeting minutes for the OVAL Board teleconference meeting held on Monday, October 18, 2010 have been posted in the Community section.
Tripwire, Inc. Makes Declaration to Adopt OVAL
Tripwire, Inc. declared that its compliance assessment product, Tripwire Enterprise, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Interpreter Updated to Version 5.8.2
The OVAL Interpreter and its source code have been updated to Version 5.8.2. Specific updates to the OVAL Interpreter included fixing some minor issues reported by the OVAL Community.
A detailed list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest information.
OVAL/SCAP Briefing at 2010 Federal Cybersecurity Conference and Workshop
OVAL Program Manager Jonathan Baker presented a briefing about OVAL/Security Content Automation Protocol (SCAP) at 2010 Federal Cybersecurity Conference and Workshop on October 20, 2010 in Washington, D.C., USA. In addition, CWE/CAPEC Co-Founder and Architect Sean Barnum presented a briefing about the Common Weakness Enumeration (CWE) and Common Attack Pattern Enumeration and Classification (CAPEC) initiatives on October 21.
Visit the OVAL Calendar for information on this and other events.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on October 18, 2010. Discussion topics included status updates on the OVAL Language, OVAL Repository, OVAL Interpreter, and OVAL Adoption and OVAL Validation programs; a recap of the OVAL workshops held at IT Security Automation Conference 2010 in September; and a review of the OVAL Board Membership process. Meeting minutes will be posted when available.
New OVAL Board Member
Aharon Chernin of Depository Trust & Clearing Corporation (DTCC) has joined the OVAL Board.
Three OVAL Briefings and Making Security Measurable Booth at IT Security Automation Conference 2010
MITRE hosted an OVAL/Making Security Measurable booth and the OVAL Team presented three briefings about OVAL entitled "SCAP 101-OVAL Tutorial," "Automated Specifications-OVAL," and "SCAP Workshop-OVAL Workshop" at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA.
Slides from the event include the following:
Visit the OVAL Calendar for information on this and other events.
OVAL Repository Announces Top Contributors Awards for Q3-2010
Depository Trust & Clearing Corporation, SCAP.com, LLC, SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q3-2010. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
OVAL a Topic of SCAP Discussion Panel and Making Security Measurable Booth at HSNI 2010
MITRE participated in a SCAP Panel Discussion about OVAL, CVE, CCE, CPE, XCCDF, and OCIL, and hosted a Making Security Measurable table booth, at Homeland Security for Networked Industries (HSNI) 2010 Conference and Expo on September 20-21, 2010 in Washington, D.C., USA.
Visit the OVAL Calendar for information on this and other events.
Catbird Networks, Inc. Makes Declaration to Adopt OVAL
Catbird Networks, Inc. declared that its vulnerability scanner, IDS/IPS, and firewall product, Catbird vSecurity, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Modulo Security Solutions Makes Declaration to Adopt OVAL
Modulo Security Solutions declared that its Governance, Risk Management, and Compliance (GRC) Management product, MODSIC Project, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Repository Surpasses 10,000 Definition Milestone
The OVAL Repository surpassed the 10,000 OVAL Definition milestone on September 16, 2010 with a new grand total of 10,003 definitions now available to the public on the OVAL Web site. Of these, 8 are for All OS Families, 3 are for Cisco PIX, 126 are for Cisco IOS, 7,064 for UNIX, and 2,794 are for Windows.
This milestone was a direct result of significant participation by the OVAL Community. Numerous organizations have contributed both new and modified OVAL Definitions to the OVAL Repository including Maitreya Security, SCAP.com, LLC, MITRE Corporation, SecPod Technologies, ThreatGuard, Inc., Hewlett-Packard, Depository Trust & Clearing Corporation (DTCC), Secure Elements, Inc., Bastille Linux, Gideon Technologies, Inc., Symantec, Inc., National Institute of Standards and Technology (NIST), GFI Software Ltd., Opsware, Inc., McAfee, Inc., OS2A, Centennial Software, BigFix, Inc., and Security-Database.
We thank all of these organizations for their contributions.
Version 5.8 of OVAL Now Available
Version 5.8 of the OVAL Language has been moved to the "Official" stage and is now available on the OVAL Language page. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.8.
Version 5.8 includes a significant refactoring of the datatype constraints on entities. These constraints were implemented on each entity as Schematron rules in previous versions of OVAL, but beginning in Version 5.8 will be expressed as a small set of XML Schema types. This change removes thousands of Schematron rules and will represent a significant improvement in content validation time. Other major highlights include the following: added support for several new tests broadening OVAL's supported platforms; made numerous documentation improvements and clarifications; corrected several defects related to the required or allowed datatypes; created an OVAL Directives schema to allow a tool to supply a set of directives; consolidated file behaviors in all component schemas to simplify schemas and clarify documentation; added capability to filter an object with unbounded filter elements; and added new OVAL Results directives to allow for more tailoring of OVAL Results documents.
OVAL Interpreter Updated for Version 5.8
The OVAL Interpreter and its source code have been updated to OVAL Version 5.8. Specific updates to the OVAL Interpreter included: addition of support for Version 5.8 of the OVAL Language and fixing some minor issues reported by the OVAL Community.
The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the terms of use.
OVAL Repository Updated for Version 5.8
The OVAL Repository has been updated to OVAL Version 5.8. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.
Release Candidate 2 of OVAL Version 5.8 Now Available
Release Candidate 2 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on September 15, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Upcoming Minor Version page.
eEye Digital Security Makes Declaration to Adopt OVAL
eEye Digital Security declared that its vulnerability assessment product, Retina Network Security Scanner, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Triumfant, Inc. Makes Declaration to Adopt OVAL
Triumfant, Inc. declared that its vulnerability, patch, and compliance product, Triumfant Resolution Manager, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Version 5.8 in Release Candidate Stage
Version 5.8 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on September 15, 2010. Version 5.7 is a minor version change and will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL. A complete list of changes for Version 5.8 is available on the Upcoming Minor Version page.
OVAL Included as Topic at IT Security Automation Conference 2010, September 27-29
OVAL will be included as a topic at the U.S. National Institute of Standards and Technology’s (NIST) 6th Annual IT Security Automation Conference on September 27-29, 2010 in Baltimore, Maryland, USA. The OVAL Team is also scheduled to contribute to the OVAL-related workshops.
NIST’s Security Content Automation Protocol (SCAP) employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.
Visit the OVAL Calendar for information on this and other events.
New OVAL Board Member
Todd Dolinsky of Hewlett-Packard has joined the OVAL Board.
Debian Project Now Listed on "Other Repositories" Page
Debian Project is now listed on the Other Repositories page in the OVAL Repository section for its repository of Debian OVAL Definitions.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
Draft 6 of OVAL Version 5.8 Now Available
Draft 6 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on September 15, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
OVAL Version 5.8 to Be Released on September 15, 2010
Version 5.8 of the OVAL Language is now scheduled to be moved to the Official stage on September 15, 2010. The new release date was necessary in order to provide ample time to add new features recommended by the community. Please send any comments or concerns to oval@mitre.org.
OVAL Interpreter Updated to Version 5.7.2
The OVAL Interpreter and its source code have been updated to Version 5.7.2. Specific updates to the OVAL Interpreter included: addition of support for OVAL Language Version 5.7 directives and fixing some minor issues reported by the OVAL Community.
A detailed list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest information.
OVAL/Making Security Measurable Booth at Black Hat Briefings 2010
OVAL participated in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
Draft 5 of OVAL Version 5.8 Now Available
Draft 5 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on September 15, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
Draft 4 of OVAL Version 5.8 Now Available
Draft 4 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on August 18, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
OVAL/Making Security Measurable Booth at Black Hat Briefings 2010 on July 28-29
OVAL is scheduled to participate in a Making Security Measurable booth at Black Hat Briefings 2010 on July 28-29, 2010 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA.
Stop by Booth 65 and learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
Draft 3 of OVAL Version 5.8 Now Available
Draft 3 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on August 18, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
Novell, Inc. Makes Declaration to Adopt OVAL
Novell, Inc. declared that its database, SUSE Linux Enterprise OVAL Information, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Novell, Inc. Now Listed on "Other Repositories" Page
Novell, Inc. is now listed on the Other Repositories page in the OVAL Repository section for its SUSE Linux Enterprise OVAL Information database, which is an index of fixed security incidents indexed by product, RPM package name and version for use in security compliance checking.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
OVAL Repository Announces Top Contributors Awards for Q2-2010
Depository Trust & Clearing Corporation, SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q2-2010. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
Instruction on Using OVAL Included in MITRE’s Free Benchmark Development Course, July 26
MITRE is scheduled to hold a Free Benchmark Development Course at MITRE Corporation in McLean, Virginia, USA on July 26, 2010. Instruction on using the OVAL Interpreter and OVAL Definitions in benchmark development is included in two sections of the course, "Automating Assessment" and "Benchmark Structuring and Tailoring." The course explains the benefits of using OVAL for standardized compliance checks in automated benchmarks, shows how to use the OVAL Interpreter, teaches how to write OVAL Definitions, and explains how OVAL works with XCCDF.
The main purpose of the course is to share MITRE’s experience and knowledge with vendors, security content developers, and others on how to use industry standards and free tools to create automatable security guidance that helps system administrators configure and operate systems securely. In addition to instruction on how to use OVAL for benchmarks, the course also explains how and why to use Extensible Configuration Checklist Description Format (XCCDF), Open Checklist Interactive Language (OCIL), Common Platform Enumeration (CPE), Open Vulnerability and Assessment Language (OVAL) Definitions, the OVAL Interpreter, Benchmark Editor, and Recommendation Tracker, among other standards and tools, to create good benchmarks that can be automated.
Visit the OVAL Calendar for information on this and other events.
OVAL Discussion Minutes from Security Automation Developer Days 2010 Now Available
Minutes from the OVAL Discussion at Security Automation Developer Days Conference 2010 that was held at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010 are now available on the Developer Days page on the OVAL Web site.
OVAL a Main Topic at MITRE’s Security Automation Developer Days Conference 2010
MITRE hosted the second Security Automation Developer Days Conference 2010 at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of the three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties. A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security was also provided on the third day of the conference.
Briefing slides from the OVAL portion of the event have been posted on the OVAL Developer Days page.
OVAL a Main Topic at MITRE’s Security Automation Developer Days Conference 2010, June 14-16
MITRE is scheduled to host the second Security Automation Developer Days Conference 2010 at MITRE in Bedford, Massachusetts, USA on June 14-16, 2010. The purpose of the three-day event is for the community to discuss all current and emerging Security Content Automation Protocol (SCAP) standards in technical detail and to derive solutions that benefit all concerned parties.
The U.S. National Institute of Standards and Technology’s (NIST) SCAP employs existing community standards to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)," and OVAL is one of the six open standards SCAP uses for enumerating, evaluating, and measuring the impact of software problems and reporting results. The other five standards are Common Vulnerabilities and Exposures (CVE), a dictionary of standard identifiers for security vulnerabilities related to software flaws; Common Configuration Enumeration (CCE), standard identifiers and a dictionary for system security configuration issues; Common Platform Enumeration (CPE), standard identifiers and a dictionary for platform and product naming; Extensible Configuration Checklist Description Format (XCCDF), a standard for specifying checklists and reporting results; and Common Vulnerability Scoring System (CVSS), a standard for conveying and scoring the impact of vulnerabilities.
A brief technical overview of software assurance efforts sponsored by the U.S. Department of Homeland Security will also be provided on the third day of the conference.
For conference details and to register, visit: https://register.mitre.org/devdays/.
Draft 2 of OVAL Version 5.8 Now Available
Draft 2 of Version 5.8 of the OVAL Language is now available on the OVAL Web site. Version 5.8 is scheduled to be moved to the Official stage on August 18, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.7, the current official version of OVAL.
A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
New OVAL Board Member
Jeff Spitulnik of BigFix, Inc. has joined the OVAL Board.
Version 5.7 of OVAL Now Available
Version 5.7 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language page. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.7.
Version 5.7 is a minor version change, major highlights of which include the following: added support for n-tuples; added the new ind-def:sql57_test, ind-def:ldap57_test, win-def:wmi57_test, and win-def:activedirectory57_test in order to leverage n-tuple support; added the win-def:dnscache_test and unix-def:dnscache_test to support checking the DNS cache on a local host; made numerous Schematron rule refinements and performance-focused improvements; removed the long-deprecated ind-def:filemd5_test and apache-def:version_test and all their related objects, states, and items; and made significant documentation improvements throughout the OVAL Language schemas. As this is a minor version change, Version 5.7 will not invalidate existing content that currently validates against Version 5.6. See the OVAL Language page for more information.
The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.7.
OVAL Interpreter Updated for Version 5.7
The OVAL Interpreter and its source code have been updated to OVAL Version 5.7. Specific updates to the OVAL Interpreter included: addition of support for Version 5.7 of the OVAL Language and fixing some minor issues reported by the OVAL Community.
The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the terms of use.
OVAL Repository Updated for Version 5.7
The OVAL Repository has been updated to OVAL Version 5.7. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.
OVAL Version 5.8 in Draft Stage
Version 5.8 of the OVAL Language is currently in the Draft stage and is scheduled to be moved to the Official stage on August 18, 2010. As this is a minor version change, Version 5.8 will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL, or Version 5.7, which will be moved to the Official stage on May 12, 2010. A complete list of changes for Version 5.8 is available on the Version 5.8 Upcoming Minor Version page.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on April 12, 2010. Discussion topics included an update on the release of Version 5.7 of the OVAL Language, and changes scheduled for Version 5.8; updating the OVAL Interpreter for V5.7, and ports of the Interpreter for OSX and Solaris that are available now on the OVAL Interpreter page on SourceForge.net; status updates on the OVAL Repository; status updates on the OVAL Adoption and OVAL Validation programs; and planning for the OVAL portion of MITRE’s Developer Days Conference 2010 scheduled for June 14-16, 2010 at MITRE in Bedford, Massachusetts, USA. Read the meeting minutes.
MITRE Hosts Making Security Measurable Booth at InfoSec World 2010
MITRE hosted a Making Security Measurable booth at InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort in Orlando, Florida, USA, on April 19-21, 2010. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
Release Candidate 4 of OVAL Version 5.7 Now Available
Release Candidate 4 of Version 5.7 of the OVAL Language is now available on the OVAL Web site. Version 5.7, which is scheduled to be moved to the Official stage on May 12, 2010, is a minor version change and will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
OVAL Version 5.7 to Be Released on May 12, 2010
Version 5.7 of the OVAL Language is now scheduled to be moved to the Official stage on May 12, 2010. The new release date was necessary in order to correct three issues related to n-tuples and to provide ample time for organizations to implement support for these changes. Please send any comments or concerns to oval@mitre.org.
Security-Database Makes Two Declarations to Adopt OVAL
Security-Database declared that its Web-based IT vulnerability and threats dashboard, IT Dashboard, and its security scanner and compliance assessment software product, SSA - Security System Analyzer, incorporate OVAL.
For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Release Candidate 3 of OVAL Version 5.7 Now Available
Release Candidate 3 of Version 5.7 of the OVAL Language is now available on the OVAL Web site. Version 5.7, which is scheduled to be moved to the Official stage on April 14, 2010, is a minor version change and will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
Telos Corporation Makes Three Declarations to Adopt OVAL
Telos Corporation declared that its certification and accreditation solutions, Xacta IA Manager Assessment Engine, Xacta IA Manager Continuous Assessment, and Xacta IA Manager HostInfo, incorporate OVAL.
For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
G2, Inc. Makes Declaration to Adopt OVAL
G2, Inc. declared that its OVAL authoring tool, eSCAPe — Enhanced SCAP Editor, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Greenbone Networks GmbH Makes Declaration to Adopt OVAL
Greenbone Networks GmbH declared that its vulnerability management security appliance, Greenbone Security Manager, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Repository Announces Top Contributors Awards for Q1-2010
Depository Trust & Clearing Corporation, Hewlett-Packard, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q1-2010. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
MITRE to Host "Making Security Measurable" Booth at InfoSec World 2010, April 19-21
MITRE is scheduled to host a Making Security Measurable booth at MIS Training Institute’s (MISTI) InfoSec World Conference & Expo 2010 at the Disney Coronado Springs Resort, in Orlando, Florida, USA, on April 19-21, 2010. Please stop by booth 319 and say hello!
Visit the OVAL Calendar for information on this and other events.
Release Candidate 2 of OVAL Version 5.7 Now Available
Release Candidate 2 of Version 5.7 of the OVAL Language is now available on the OVAL Web site. Version 5.7, which is scheduled to be moved to the Official stage on April 14, 2010, is a minor version change and will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
New OVAL Board Member
Steve Grubb of Red Hat, Inc. has joined the OVAL Board.
New OVAL Board Member
Luis Nunez of Cisco Systems has joined the OVAL Board.
OVAL/Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum
OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin presented a briefing about OVAL/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010. The event was hosted at MITRE Corporation in McLean, Virginia, USA.
Visit the OVAL Calendar page for information on this and other upcoming events.
OVAL Version 5.7 in Release Candidate Stage
Version 5.7 of the OVAL Language is currently in the Release Candidate stage and is scheduled to be moved to the Official stage on April 14, 2010. Version 5.7 is a minor version change and will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
Hewlett-Packard Makes Three Declarations to Adopt OVAL
Hewlett-Packard declared that its enterprise server/application lifecycle management product, HP Server Automation, application management product, HP Client Automation, and content repository, HP Live Network, incorporate OVAL.
For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Inverse Path S.r.l. Makes Declaration to Adopt OVAL
Inverse Path S.r.l. declared that its vulnerability, patch, and compliance assessment tool, TPOL - OVAL Security Compliance, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
SAINT Corporation Makes Declaration to Adopt OVAL
SAINT Corporation declared that its SAINT Vulnerability Scanner incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL/Making Security Measurable Briefing at DHS/DoD/NIST SwA Forum, March 9-12
OVAL Team Member and CWE/CAPEC Program Manager Robert A. Martin is scheduled to present a briefing about OVAL/Making Security Measurable to the DHS/DoD/NIST SwA Forum on March 9-12, 2010 at MITRE Corporation in McLean, Virginia, USA.
Visit the OVAL Calendar page for information on this and other upcoming events. Contact oval@mitre.org to have OVAL present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CPE, CAPEC, CWE, CEE, MAEC, and/or Making Security Measurable at your event.
MITRE Hosts Making Security Measurable Booth at RSA 2010
MITRE hosted a Making Security Measurable booth at RSA 2010 at the Moscone Center in San Francisco, California, USA, on March 1-5, 2010. Attendees learned how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
ThreatGuard, Inc. Makes Three Declarations to Adopt OVAL
ThreatGuard, Inc. declared that its enterprise SCAP compliance/vulnerability management system, Secutor Magnus, its universal, integratable SCAP assessment module, Secutor Compliance Automation Toolkit (S-CAT), and its desktop compliance/vulnerability assessment tool, Secutor Prime, incorporate OVAL.
For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
SPAWAR Systems Center Atlantic Makes Declaration to Adopt OVAL
SPAWAR Systems Center Atlantic declared that its SCAP Compliance Checker incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Red Hat, Inc. Makes Declaration to Adopt OVAL
Red Hat, Inc. declared that its product vulnerability security advisories, Red Hat Security Advisories, incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
Modulo Security Solutions Makes Declaration to Adopt OVAL
Modulo Security Solutions declared that its Web-based governance, risk management, and compliance (GRC) management system, Modulo Risk Manager, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
U.S. Army CERDEC Makes Declaration to Adopt OVAL
U.S. Army CERDEC declared that its configuration, vulnerability, patch, and software inventory network scanner, Armadillo, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
CA Inc. Makes Declaration to Adopt OVAL
CA Inc. declared that its endpoint security product, CA Total Defense, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
New OVAL Board Member
Michael Tan of Microsoft Corporation has joined the OVAL Board.
OVAL Launches New Web Site
OVAL has launched a new OVAL Web site that offers streamlined functionality for users, and better illustrates the impact and use of OVAL in the community. The updated Web site includes the following enhancements:
- Homepage — in addition to news headlines and a focus on column, the homepage now includes a high-level list of examples of the widespread use of OVAL in the enterprise, and a badge indicating that OVAL is part of Making Security Measurable.
- OVAL in Use page — a new page highlighting how the OVAL Language and OVAL’s standardized content are used by enterprises of all sizes.
- OVAL Adoption Program — a new section highlighting those organizations participating in the new program by declaring that their products and services will include OVAL.
- About the OVAL Language page — a one-page resource list for information about the Language including links to the OVAL Language Overview, Use Cases, Language Structure, Definition Tutorial, Validating a Document, Language Revision Process, Versioning Methodology, Deprecation Policy, and Regular Expression Support pages, as well as other supporting information.
- About the OVAL Repository page — a one-page resource center of information about the Repository including links to the OVAL Repository Overview, OVAL Definition Lifecycle, Writing an OVAL Definition, Authoring Style Guide, and Submission Guidelines pages, as well as other information.
- Site Map — a high-level overview of the OVAL Web site on a single page.
Please send any comments or concerns to oval@mitre.org.
Draft 2 of OVAL Version 5.7 Now Available
Draft 2 of Version 5.7 of the OVAL Language is now available on the OVAL Web site. Version 5.7, which is currently scheduled to be moved to the Official stage on April 14, 2010, is a minor version change and will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
OVAL Version 5.7 in Draft Stage
Version 5.7 of the OVAL Language is currently in the Draft stage and is scheduled to be moved to the Official stage on April 14, 2010. As this is a minor version change, Version 5.7 will not invalidate existing content that currently validates against Version 5.6, the current official version of OVAL. A complete list of changes for Version 5.7 is available on the Upcoming Minor Version page.
MITRE Hosts "Making Security Measurable" Booth at the 2010 Information Assurance Symposium
MITRE hosted a Making Security Measurable booth at the 2010 Information Assurance Symposium in Nashville, Tennessee, USA, on February 2-5, 2010. The symposium is designed to bring together industry, government, and military information assurance professionals with "the latest Information Assurance (IA) products and solutions available to secure voice and data networks."
Visit the OVAL Calendar for information on this and other events.
OVAL Adoption Requirements Document Now Available
The Requirements and Recommendations for OVAL Adoption and Use document is now available in the OVAL Adoption Program section of the OVAL Web site. The document outlines the requirements and recommendations that need to be satisfied in order for a product or service to properly implement support for OVAL, and describes supported and recommended ways of making use of OVAL Content and other capabilities that leverage OVAL.
Two additional pages have also been added to the OVAL Adoption Program section: OVAL Technical Use Cases Guide, which details the eight use cases currently supported by OVAL, and OVAL Adoption Program & NIST OVAL Validation Program, which explains how NIST’s OVAL Validation program interrelates with the Adoption Program and provides an overview of the entire adoption process from an adopting vendor’s perspective.
Please send any feedback on the new pages to oval@mitre.org.
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2010
MITRE has announced its initial Making Security Measurable calendar of events for 2010. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
- 2010 Information Assurance Symposium, February 2-5, 2010
- RSA Conference 2010, March 1-5, 2010
- InfoSec World Conference & Expo 2010, April 19-21, 2010
- Black Hat Briefings 2010, July 28-29, 2010
Other events may be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have MITRE present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CPE, CAPEC, CWE, MAEC, CEE, and/or Making Security Measurable at your event.
Security Automation Is Main Focus of DoD’s IAnewsletter
"Security Automation: A New Approach to Managing and Protecting Critical Information" is the main topic of the Winter 2010 issue of the Department of Defense’s (DoD) Information Assurance Technology Analysis Center’s (IATAC) IAnewsletter.
According to the newsletter, a security automation strategy will enable automation of "many security and configuration management, compliance, and network defense functions and give our [DoD] system administrators and network defenders a chance to succeed." Specific article topics include: An Introduction to Security Automation; Security Automation: A New Approach to Managing and Protecting Critical Information; Security Content Automation Protocol; Secure Configuration Management (SCM); DoD Activities Underway to Mature SCAP Standards; Why Industry Needs Federal Government Leadership to Gain the Benefits of Security Automation; and Practicing Standards-Based Security Assessment and Management.
In addition, MITRE’s CVE, CCE, CPE, and OVAL information assurance data standards are mentioned throughout the issue, especially with regard to how they are utilized by the National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP) to help enable automated, standards-based security assessment and management.
The newsletter is free to download from the IATAC Web site.
OVAL Interpreter Updated to Version 5.6.4
The OVAL Interpreter has been updated to Version 5.6, Build 4. Specific updates to the OVAL Interpreter included correcting some minor bugs.
The complete list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the Terms of Use.
OVAL Repository Announces Top Contributors Awards for Q4-2009
Depository Trust & Clearing Corporation, Gideon Technologies, Inc., Hewlett-Packard, National Institute of Standards and Technology, and SecPod Technologies received the "OVAL Repository Top Contributors Awards" for Q4-2009. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
New OVAL Board Member
Eric Walker of BigFix, Inc. has joined the OVAL Board.
Page Last Updated: March 05, 2013