Industry News Coverage - 2011 Archive
Below is a comprehensive monthly review of the news and other media’s coverage of OVAL. A brief summary of each news item is listed with its title, author (if identified), date, and media source.
SANS Website, June 1, 2011
OVAL was included in the 2011 Chief Information Officer Federal Information Security Management Act Reporting Metrics document issued on June 1, 2011 by the U.S. Department of Homeland Security and National Institute of Standards and Technology. The document provides cybersecurity status reporting metrics for government agencies under the Federal Information Security Management Act (FISMA) that focus on the ability to automate system monitoring and security controls. OVAL is included as a reporting requirement in Section 12, Software Assurance, subsection 12.1b., which states: "Provide the number of the information systems above (12.1a) where the tools generated output compliant with: 12.1b (1). Common Vulnerabilities and Exposures (CVE) 12.1b (2). Common Weakness Enumeration (CWE) 12.1b (3). Common Vulnerability Scoring System (CVSS) 12.1b (4). Open Vulnerability and Assessment Language (OVAL)."
InfoSec Island, April 8, 2011
OVAL is the main topic of a blog article on 4/8 entitled "Detecting Vulnerable Software Using SCAP/OVAL" on InfoSec Island. In the article the author demonstrates "how to use an SCAP capable scanner using vendor-maintained OVAL patch definitions." The article was written by Jamie Adams.
DHS Web Site, March 23, 2011
OVAL was included in the U.S. Department of Homeland Security (DHS) "Enabling Distributed Security in Cyberspace" white paper published on March 23, 2011 on the DHS Web site Blog. The main topic of the white paper is "how prevention and defense can be enhanced through three security building blocks: automation, interoperability, and authentication. If these building blocks were incorporated into cyber devices and processes, cyber stakeholders would have significantly stronger means to identify and respond to threats — creating and exchanging trusted information and coordinating courses of action in near real time."
The paper defines Interoperability as already being "enabled through an approach that has been refined over the past decade by many in industry, academia, and government. It is an information-oriented approach, generally referred to as [cyber] security content automation …" and is comprised of (1) Enumerations "of the fundamental entities of cybersecurity" and lists CVE, CCE, CPE, CWE, and CAPEC; (2) Languages and Formats that "incorporate enumerations and support the creation of machine-readable security state assertions, assessment results, audit logs, messages, and reports" and lists OVAL, CEE, and MAEC; and (3) Knowledge Repositories that "contain a broad collection of best practices, benchmarks, profiles, standards, templates, checklists, tools, guidelines, rules, and principles, among others" that are based upon or incorporate data from these standards.
The paper also states that these eight established community enumeration and language standards that have been in use within the community for years can be further leveraged moving forward because they are "standards [that] build upon themselves to expand functionality over time", and projections of that expanding utility are provided through 2014.
The white paper is available to view or download at http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf.
Government Computer News, March 16, 2011
OVAL was mentioned in a March 17, 2011 article entitled "NIST aids the cause of real-time security: Technical specs updated for the latest version of SCAP support automation" on Government Computer News. The main focus of the article is the release of Version 1.1 of Security Content Automation Protocol (SCAP). OVAL is mentioned as one of the seven existing community standards SCAP uses — along with CVE, CCE, CPE, OVAL, XCCDF, OCIL, and CVSS — to enable automated vulnerability management, measurement, and policy compliance evaluation. OVAL is also mentioned when the author states: "Major changes from SCAP Version 1.0 to 1.1 include the addition of Open Checklist Interactive Language and an upgrade to Open Vulnerability and Assessment Language Version 5.8." The article was written by William Jackson.
Page Last Updated: January 03, 2012