News and Events - 2012 Archive
Subscribe to the OVAL News feed to get notifications of our latest headlines.
Institute for Information Industry — CyberTrust Technology Institute Makes Declaration to Adopt OVAL
Institute for Information Industry — CyberTrust Technology Institute declared that its vulnerability assessment, configuration management, auditing, and centralized audit validation product, Crystal Security Keeper (CSK), incorporates OVAL.
For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Celebrates 10 Years!
OVAL began 10 years ago this month as a new community standard for how vulnerabilities could be identified on local computers. Since that time, OVAL has grown significantly as an international, information security community effort to standardize how to assess and report upon the machine state of computer systems through a language that encodes system details, and numerous content repositories held throughout the community. Highlights of our progress are noted below.
OVAL Language
When OVAL began it was SQL-based and queries were written against a standardized database schema. In late 2003, at the request of the community and because of the limits of SQL, XML Schema was adopted as the official format for expressing the OVAL Language and all SQL queries were converted into XML-based definitions written against the new XML Schema. The OVAL Language has also grown from a single schema for writing definitions into three separate schemas, one for each step of the overall process: an OVAL System Characteristics Schema for representing machine state, OVAL Definition Schema for expressing a specific machine state, and OVAL Results Schema for presenting the results of an assessment. Individual definitions are standardized, machine-readable XML that can check for vulnerable versions of software, compliance with a policy, software inventory, and if patches should be applied. Definitions are hosted in the OVAL Repository and in other community repositories. We are now on Version 5.10.1 of the OVAL Language, and are working on Version 5.11.
We also created the OVAL Interpreter, an open-source reference implementation for the Windows, Red Hat Linux, Solaris, and Mac OSX platforms that demonstrates how OVAL Definitions can be evaluated. Specifically, it shows how to collect machine state information from a system, evaluate it against OVAL Definitions for that platform, and present the results of the evaluation. Builds are now also available for Debian; Fedora 7 and 8; SUSE_Linux, openSUSE, and SLE; and Ubuntu. Now hosted on the SourceForge.net Web site, the OVAL Interpreter has been downloaded 30,997 times.
OVAL Repository
In the beginning, the OVAL Repository focused only on checks for vulnerabilities, each of which was based on a CVE Identifier from Common Vulnerabilities and Exposures (CVE®). The 5.0 version of the OVAL Language added support for other types of tests, which allowed the OVAL Repository to expand its scope to include OVAL Vulnerability, Compliance, Inventory, and Patch Definitions. These community-developed Definitions check the machine state of computer systems for the presence of software vulnerabilities, configuration issues, programs, and patches. Currently, there are 14,022 Definitions in the OVAL Repository now available to the public for incorporation into information security products and services for the UNIX, Windows, Cisco IOS, Mac OS X, and Cisco PIX platforms. New Definitions are always being added. Towards that end, we launched an "OVAL Repository Top Contributors Awards Program" in February 2007 that grants awards on a quarterly basis to the top contributors to the OVAL Repository. The awards serve as public recognition of an organization's support of the OVAL Repository and as an incentive to others to contribute.
There are also currently 11 other publicly accessible OVAL repositories. These include the Red Hat, Inc. repository of OVAL content created in May 2006; U.S. National Institute of Standards and Technology’s Security Content Automation Protocol (SCAP) repository created in January 2007; Novell, Inc.’s SUSE Linux Enterprise OVAL Information database created in July 2010; Debian Project repository of OVAL content created in August 2010; IT Security Database collection of OVAL Definitions created in November 2010; SecPod Technologies SCAP Feed and Repository created in December 2010; Security-Database Web site mirror of the OVAL Repository created in February 2012; Altx-Soft repository of OVAL content created in February 2012; Positive Technologies repository of OVAL content created in May 2012; Defense Information Systems Agency Field Security Operations’ (DISA FSO) SCAP STIG Automated Content Repository created in May 2012; and Cisco Systems, Inc.’s Cisco Security Intelligence Operations repository created in September 2012.
Community Participation
Since the beginning OVAL has been industry-endorsed via the OVAL Board and through community participation on the OVAL Repository Forum and OVAL Developer’s Forum, ensuring that the OVAL Definitions and OVAL Language reflect the combined expertise of the broadest possible group of security and system administration professionals worldwide. Community endorsement is further emphasized by the numerous organizations that are listed on Official OVAL Adopters and Declarations to Adopt OVAL pages.
Significant participation by the OVAL Community also includes the contribution of component schemas for the OVAL Language by the Center for Internet Security, ThreatGuard, Inc.; VMware, Inc.; Red Hat, Inc.; MITRE; and Cisco Systems, Inc.. In addition, numerous organizations have contributed and/or made modifications to OVAL Definitions in the OVAL Repository including SecPod Technologies; Maitreya Security; SCAP.com, LLC; DTCC; MITRE; ThreatGuard, Inc.; Hewlett-Packard; Symantec Corporation; G2, Inc.; Secure Elements, Inc.; and Telos Corporation. Visit the Community Participation page to see the specific ways in which you or your organization can contribute.
OVAL Board
The OVAL Board includes members from major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions from around the world. The Board’s primary responsibilities are to work with the OVAL moderator and the OVAL Community to define OVAL, provide input into OVAL’s strategic direction, and advocate OVAL in the community. The Board began with 17 members from 13 organizations and has since grown to 39 members from 28 organizations.
OVAL in Use
In July 2004, we added an OVAL-Compatible Products and Services program, which in 2010 became the OVAL Adoption Program for those organizations wishing to incorporate OVAL into their products or services. The formal process includes the posting of questionnaires citing how the organizations have satisfied the Requirements and Recommendations for OVAL Adoption and Use document, and a branding program with an Official OVAL Adopter logo for vendors to include with their products. This program, which ultimately includes publication of the organization’s statement on the OVAL Web site along with the use of the Official OVAL Adopter logo, allows end users and prospective customers of Products and Services Including OVAL to compare how the products satisfy the adoption requirements and to more easily determine which specific implementations are best for their networks and systems.
To-date 20 products and services from 15 organizations are Official OVAL Adopters, and another 35 products from 27 organizations have Declarations to Adopt OVAL.
Separate from the success of OVAL Adoption Program, OVAL is the default configuration checking technology for U.S. National Institute of Standards and Technology’s (NIST) Extensible Configuration Checklist Description Format (XCCDF), and OVAL-IDs are or have been included as references in the U.S. National Vulnerability Database (NVD), Common Vulnerabilities and Exposures (CVE®) List, Open Source Vulnerability Database (OSVDB), SecuritySpace.com information security databases, as well as in security advisories from French Security Incident Response Team (FrSIRT) and Slovenian Computer Emergency Response Team (SI-CERT).
OVAL is also one of the 10 (initially six) community initiatives that NIST’s Security Content Automation Protocol (SCAP) has used since its inception in 2007 for enumerating, evaluating, and measuring the impact of software problems and reporting results as part of it method to enable "automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance)". There are also several tools that incorporate OVAL that are currently listed on the NIST Web site as being "SCAP-Validated."
Our 10-Year Anniversary
We thank all of you who have in any way helped promote OVAL, used the OVAL Language and OVAL Repository, and/or adopted Products or Services including OVAL for your enterprise. We would also like to thank our sponsor throughout these 10 years, the National Cyber Security Division of the U.S. Department of Homeland Security, as well as our current sponsor the office of Cybersecurity and Communications at DHS, for their funding and support.
We welcome any comments or feedback about the OVAL effort at oval@mitre.org.
Pivotal Security LLC Makes Declaration to Adopt OVAL
Pivotal Security LLC declared that its Security Scanning SDK product incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on October 15, 2012. Discussion topics included status updates on the OVAL Language, OVAL Repository, and OVAL Interpreter; release planning for upcoming minor release OVAL Version 5.11; an OVAL Interpreter licensing review; and a follow-up on the OVAL-related sessions held at Security Automation Developer Days 2012 and IT Security Automation Conference 2012. Read the meeting minutes.
The OVAL Board held a follow-up teleconference meeting on October 19, 2012 to finish OVAL Interpreter license review discussion. Read the meeting minutes.
OVAL Interpreter Page Updated
The OVAL Interpreter page on the OVAL Web site has been updated to help further clarify that the OVAL Interpreter, which is offered under a BSD License, is not an enterprise scanning tool but a simplistic command-line interface that has the ability to execute OVAL content on an end system. Explanations of the five use cases for the OVAL Interpreter — Reference Implementation of the OVAL Language, Language Quality testing, Content Testing, used in the NIST Validation Program, and as an Educational Tool — are also included.
The OVAL Interpreter and its source code, which are free to download and use, are hosted on SourceForge.net.
OVAL/Making Security Measurable Booth at IT Security Automation Conference 2012
MITRE hosted an OVAL/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
In addition, OVAL was the main topic of a briefing on October 3 entitled "Malware Hunting with OVAL and MAEC."
Visit the OVAL Calendar for information on this and other events.
OVAL Repository Announces Top Contributors Awards for Q3-2012
G2, Inc. and SecPod Technologies received the "OVAL Repository Top Contributors Awards" for Q3-2012. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
Cisco Systems, Inc. Now Listed on "Other Repositories" Page
Cisco Systems, Inc. is now listed on the Other Repositories page in the OVAL Repository section for its repository Cisco IOS Security Advisories in the standardized Common Vulnerability Reporting Format (CVRF) that include OVAL Vulnerability Definitions.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
GCP Global Makes Declaration to Adopt OVAL
GCP Global declared that its Web-based Governance, Risk, and Compliance (GRC) solution, ORCA, incorporates OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Interpreter Updated to Version 5.10.1.3
The OVAL Interpreter and its source code have been updated to Version 5.10.1.3. Specific updates to the OVAL Interpreter included adding support for the ind-def:environmentvariable58_test, the language entity in the win-def:file_test, the has_extended_acl entity in the unix-def:file_test, the last_login_time entity in the win-def:user_test, the last_write_time entity in the win-def:registry_test, and fixing some issues reported by the OVAL Community.
A detailed list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest information.
OVAL Test Content Updated
A new release of the OVAL Test Content is now available on the OVAL Test Content Page on SourceForge.net. This release includes content for the ind-def:environmentvariable58_test and the windows_view behavior in the win-def:file_test and win-def:registry_test.
The OVAL Test Content is a set of OVAL Definitions that provides a simple way to test the capability of OVAL Definition Evaluators. After running the OVAL Test Content through an OVAL Definition Evaluator, the OVAL Results will show you which tests are properly supported by that tool. This allows unit testing of tools against the language. Over time, the OVAL Test Content will cover the basic behavior of all tests and capabilities in the OVAL Language. Developers may use this content to help guide the development of new tools, users may use this content as part of their evaluation of competing products, and content authors may use the content as a reference for writing new content.
Visit the OVAL Test Content page to learn more and for downloads.
OVAL Utilities Updated
A new release of the OVAL Utilities is now available on the OVAL Utilities Page on SourceForge.net. This release fixes a bug in the XSL transform that extracts and creates files for the individual components in an SCAP 1.2 datastream.
The OVAL Utilities are a set of utilities for manipulating content written in the OVAL Language. These are general utilities that will assist anyone in using OVAL content, and currently include the following: OVAL Checker, OVAL Merge, OVAL Splitter, OVAL Normalizer, XCCDF Splitter, and XSL Transforms.
Visit the OVAL Author’s Resources page for descriptions and access to all currently available OVAL utilities.
National Institute of Advanced Industrial Science and Technology (AIST) Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
AIST achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for SIX OVAL.
In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.
A total of 20 products to-date have been recognized as Official OVAL Adopters.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
OVAL/Making Security Measurable Booth at IT Security Automation Conference 2012
OVAL/Making Security Measurable booth at IT Security Automation Conference 2012 on October 3-5, 2012 at Baltimore Convention Center in Baltimore Inner Harbor, Maryland, USA. In addition, OVAL will be the main topic of a briefing on October 3 entitled "Malware Hunting with OVAL and MAEC."
Visit the OVAL Calendar for information on this and other events.
Meeting Minutes from Security Automation Developer Days 2012 Now Available
Meeting minutes from the Security Automation Developer Days 2012 conference held on July 9-13, 2012 at MITRE Corporation in Bedford, Massachusetts, USA are now available on the Making Security Measurable Web site, and includes those from the four OVAL-focused sessions.
MITRE Hosts OVAL/Making Security Measurable Booth at 2012 Information Assurance Expo
MITRE hosted an OVAL/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, STIX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
Lunarline, Inc. Makes Declaration to Adopt OVAL
Lunarline, Inc. declared that its SCAP content repository and API, SCAP Sync, will incorporate OVAL. For additional information about this and other products using OVAL, visit the OVAL Adoption Program section.
New OVAL Board Member
Adam Montville of Tripwire, Inc. has joined the OVAL Board.
OVAL/Making Security Measurable Booth at 2012 Information Assurance Expo, August 27-30
MITRE will host an OVAL/Making Security Measurable booth at 2012 Information Assurance Expo on August 27-30, 2012 at Gaylord Opryland Resort and Convention Center in Nashville, Tennessee, USA. Please visit us at Booth 217 and say hello!
Visit the OVAL Calendar for information on this and other events.
MITRE Hosts OVAL/Making Security Measurable Booth at Black Hat Briefings 2012
MITRE hosted an OVAL/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Attendees learned how information security data standards such as CVE®, CCE™, CPE™, CWE™, CWSS™, CAPEC™, MAEC™, CybOX™, CEE™, OVAL®, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
Defense Information Systems Agency Field Security Operations (DISA FSO) Makes Declaration to Adopt OVAL
Defense Information Systems Agency Field Security Operations (DISA FSO) declared that its DoD SCAP Content Repository incorporates OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Defense Information Systems Agency Field Security Operations (DISA FSO) Now Listed on "Other Repositories" Page
Defense Information Systems Agency Field Security Operations (DISA FSO) is now listed on the Other Repositories page in the OVAL Repository section for its repository of OVAL content.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
OVAL Briefing Slides from Security Automation Developer Days 2012 Now Available
4 briefing presentations from the OVAL-focused sessions at the Security Automation Developer Days 2012 conference on July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA are now available for download on the Developer Days page on the OVAL Web site.
OpenVAS Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
OpenVAS achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for OpenVAS.
In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.
A total of 19 products to-date have been recognized as Official OVAL Adopters.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
OVAL Repository Announces Top Contributors Awards for Q2-2012
G2, Inc., SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q2-2012. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
eIQnetworks, Inc. Makes Declaration to Adopt OVAL
eIQnetworks, Inc. declared that its unified situational awareness platform, SecureVue, incorporates OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on July 2, 2012. Discussion topics included status updates on the OVAL Language, OVAL Repository, and OVAL Interpreter; release planning for upcoming minor release OVAL Version 5.11; and a quick summary and update of the OVAL-related sessions for Security Automation Developer Days 2012 being held at MITRE Corporation on July 9-13. Read the meeting minutes.
MITRE to Host OVAL/Making Security Measurable Booth at Black Hat Briefings 2012
MITRE will host an OVAL/Making Security Measurable booth at Black Hat Briefings 2012 on July 25-26, 2012 at Caesars Palace Las Vegas in Las Vegas, Nevada, USA. Please visit us at Booth 216 and say hello!
Visit the OVAL Calendar for information on this and other events.
DISA STIGs SCAP Content and Tools Updated
The U.S. Defense Information Systems Agency (DISA) has added additional Security Technical Implementation Guides (STIGs) in support of Security Content Automation Protocol (SCAP) Content and Tools. OVAL is one of ten existing standards SCAP employs to enable automated vulnerability management, measurement, and policy compliance evaluation.
STIGs and the National Security Agency (NSA) Security Guides are the configuration standards for the U.S. Department of Defense (DoD) Information Assurance (IA) and IA-enabled devices and systems. "Since 1998, DISA Field Security Operations (FSO) has played a critical role enhancing the security posture of DoD’s security systems by providing the Security Technical Implementation Guides (STIGs). The STIGs contain technical guidance to "lock down" information systems/software that might otherwise be vulnerable to a malicious computer attack. DISA FSO is in the process of moving the STIGs towards the use of the [U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP)] in order to be able to "automate" compliance reporting of the STIGs."
SCAP Content is now available for the following STIGs: AIX 6.1; HP-UX 11.31; Microsoft Internet Explorer 8, Windows 2008 R2, Windows 2003, Windows 7, Windows XP, Windows Vista, Red Hat 5; and Solaris 10 SPARC. Also available are the following SCAP tools and resources: Policy Auditor/STIG Viewer Operational Guidance; SCAP Implementation Process Guidance; and SCC 3.0.1 for RHEL i686, RHEL x86 64, Solaris i386, Solaris SPARC, Windows, SCC DEBIAN i386, and DEBIAN AMD64.
For downloads and additional information visit: http://iase.disa.mil/stigs/scap/index.html.
Registration Now Closed for MITRE’s Security Automation Developer Days 2012 on July 9-13
Registration is now closed for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA. For the event agenda, lodging, and other conference details please visit the conference details page.
Agenda Now Available for MITRE’s Security Automation Developer Days 2012 on July 9-13
The agenda for MITRE’s free Security Automation Developer Days 2012 conference scheduled for July 9-13, 2012 at MITRE in Bedford, Massachusetts, USA is now available at https://register.mitre.org/devdays/agenda.pdf.
For registration, lodging, and other conference details visit the conference registration page. Please note that registration will close on June 15.
New OVAL Board Member
Amaresh Shirsat of Symantec Corporation has joined the OVAL Board.
Positive Technologies Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
Positive Technologies CJSC achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Positive Technologies OVAL Repository.
In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.
A total of 18 products to-date have been recognized as Official OVAL Adopters.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
Positive Technologies Makes Declaration to Adopt OVAL
Positive Technologies CJSC declared that its Positive Technologies OVAL Repository incorporates OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Positive Technologies Now Listed on "Other Repositories" Page
Positive Technologies CJSC is now listed on the Other Repositories page in the OVAL Repository section for its repository of OVAL content.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
Registration Now Open for Security Automation Developer Days 2012 on July 9-13
MITRE Corporation will host the fourth Security Automation Developer Days conference on July 9-13, 2012, at MITRE in Bedford, Massachusetts, USA. This five-day conference is technical in nature and will focus on the U.S. National Institute of Standards and Technology’s (NIST) Security Content Automation Protocol (SCAP).
The purpose of the event is for the community to discuss SCAP — and those existing standards upon which it is based including Open Vulnerability and Assessment Language (OVAL®), Common Configuration Enumeration (CCE™), Common Platform Enumeration (CPE™), Extensible Configuration Checklist Description Format (XCCDF) — in technical detail and to derive solutions that benefit all concerned parties. All current and emerging SCAP standards are addressed at this workshop.
MITRE first hosted Developer Days in 2005 and has been running them annually ever since. The model for these technical exchanges has since been adopted as the format used by the Security Automation community.
An agenda will be available soon. For registration, lodging, and other conference details, please visit: https://register.mitre.org/devdays/.
OVAL Interpreter Updated to Version 5.10.1.2
The OVAL Interpreter and its source code have been updated to Version 5.10.1.2. Specific updates to the OVAL Interpreter included adding support for the windows_view behavior in registry-based tests and fixing some issues reported by the OVAL Community.
A detailed list of updates and fixes is available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest information.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on April 9, 2012. Discussion topics included status updates on the OVAL Language, OVAL Repository, and OVAL Interpreter; the recently launched OVAL Language Sandbox; OVAL and mobile devices; a recap of the recent IETF SACM meeting held in Paris, France; and early planning for the OVAL track of the upcoming Security Automation Developer Days 2012 conference that will be held at MITRE Corporation in July. Read the meeting minutes.
OVAL Language "Sandbox" Now Available
The OVAL Language Sandbox is now available on GitHub.com. The OVAL Language Sandbox provides a collaborative environment for the community to propose, experiment with, and fully investigate and implement new capabilities before including them in an official release of the language. This ensures that only mature and implementable constructs are added to the OVAL Language.
The OVAL Language Sandbox includes the following:
- Issue Tracking — enter and track bugs, bug fixes, and new feature requests
- File Distribution — for all OVAL Language Sandbox downloads
- Git Repository — anonymous, read-only access
- Wiki — the primary source for information about the OVAL Language Sandbox
- OVAL-Developer-List — for all OVAL Language Sandbox-related help requests
An OVAL Language Sandbox introductory page has also been added to the OVAL Language section of the OVAL Web site with an overview and details about the Sandbox development and migration processes, or visit the OVAL Language Sandbox now at https://github.com/OVALProject/Sandbox.
Draft of OVAL Language UNIX Component Data Model Specification Now Available
A working draft of the OVAL Language UNIX Component Data Model Specification document is now available for community review and comment on the OVAL Version 5.10.1 page in the OVAL Language section. The specification is the platform-specific extension of the OVAL Language Data Model for UNIX operating systems.
Please submit comments or questions about the current draft directly to the OVAL Developer’s Forum email list.
OVAL Repository Announces Top Contributors Awards for Q1-2012
Depository Trust & Clearing Corporation (DTCC), G2, Inc., SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q1-2012. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
New OVAL Board Member
Noah Salzman of IBM Corporation has joined the OVAL Board.
MITRE Hosts OVAL/Making Security Measurable Booth at InfoSec World 2012
MITRE hosted an OVAL/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees learned how information security data standards such as OVAL, CVE, CCE, CPE, CWE, CAPEC, MAEC, CEE, CybOX, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Visit the OVAL Calendar for information on this and other events.
MITRE to Host OVAL/Making Security Measurable Booth at InfoSec World 2012, April 2-4
MITRE will host an OVAL/Making Security Measurable booth at InfoSec World Conference & Expo 2012 at Disney’s Contemporary Resort in Orlando, Florida, USA, on April 2-4, 2012. Attendees will learn how information security data standards such as OVAL, CVE, CCE, CPE, CWE, CAPEC, MAEC, CEE, CybOX, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Members of the OVAL Team will be in attendance. Please stop by Booth 513 and say hello!
Visit the OVAL Calendar for information on this and other events.
OVAL Mentioned in Article about Updates to Guidelines for Adopting and Using Security Content Automation Protocol (SCAP) on GCN
OVAL is mentioned in a January 9, 2012 article entitled "Getting the most out of automated IT security management" on Government Computer News.com. The main topic of the article is the National Institute of Standards and Technology (NIST) updating its guidelines for using Security Content Automation Protocol (SCAP) "for checking and validating security settings on IT systems" by releasing "Special Publication 800-117, Guide to Adopting and Using the Security Content Automation Protocol Version 1.2, Revision 1."
OVAL is mentioned when the author explains how SCAP combines several existing community standards created and maintained by several different organizations "including MITRE Corp., the National Security Agency, and the Forum for Incident Response and Security Teams", and that the "specifications making up SCAP are divided into languages, reporting formats, enumerations, measurement and scoring systems, and integrity protection." The author then lists the 11 SCAP components, with OVAL included under Languages. The other MITRE initiatives listed are Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE) and Common Configuration Enumeration (CCE), all under Enumerations. The article concludes with a summary of the updates to the guidelines.
Photos from OVAL/Making Security Measurable Booth at RSA 2012
MITRE hosted an OVAL/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees learned how information security data standards such as OVAL, CVE, CCE, CPE, CWE, CAPEC, MAEC, CEE, CybOX, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Making Security Measurable booth photos:
Visit the OVAL Calendar for information on this and other events.
SECURITY DATABASE Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
SECURITY DATABASE achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Security-Database OVAL Repository. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
SECURITY DATBASE Now Listed on "Other Repositories" Page
SECURITY DATBASE is now listed on the Other Repositories page in the OVAL Repository section for its repository of OVAL content.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
ALTX-SOFT Posts OVAL Adoption Questionnaire to Become Official OVAL Adopter
ALTX-SOFT achieved the second phase of the OVAL Adoption Process by submitting an OVAL Adoption Questionnaire for Altx-Soft Ovaldb. In Phase 2 of the adoption process the organization’s completed adoption requirements evaluation questionnaire, which includes detailed technical information of how the organization has incorporated OVAL into its product or service per the current best-practice usages of OVAL as described in the "OVAL Technical Use Cases Guide," is posted on the OVAL Web site and the product is now eligible to use the Official OVAL Adopter product/service logo.
For additional information and to review the complete list of all products and services participating in the adoption program, visit the OVAL Adoption Program section.
Cisco Systems, Inc. Makes Declaration to Adopt OVAL
Cisco Systems, Inc. declared that its repository of OVAL content, Cisco Global Government Certifications and Best Practice Recommendations/Cisco Product Security Incident Response Team Security Advisory and Vulnerability Disclosure, will incorporate OVAL.
For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Altx-Soft Makes Declaration to Adopt OVAL
Altx-Soft declared that its Web-based OVAL Repository Database, Altx-Soft Ovaldb, incorporates OVAL. For additional information about these and other products using OVAL, visit the OVAL Adoption Program section.
Altx-Soft Now Listed on "Other Repositories" Page
Altx-Soft is now listed on the Other Repositories page in the OVAL Repository section for its repository of OVAL content.
Visit the Other Repositories page for a complete list of all of the repositories of OVAL content held across the community.
MITRE to Host OVAL/Making Security Measurable Booth at RSA 2012, February 27 – March 2
MITRE is scheduled to host an OVAL/Making Security Measurable booth at RSA Conference 2012 at the Moscone Center in San Francisco, California, USA, on February 27 – March 2, 2012. Attendees will learn how information security data standards such as OVAL, CVE, CCE, CPE, CWE, CAPEC, MAEC, CEE, CybOX, etc., facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.
Members of the OVAL Team will be in attendance. Please stop by Booth 2617 and say hello!
Visit the OVAL Calendar for information on this and other events.
Version 5.10.1 of OVAL Now Available
Version 5.10.1 of OVAL has been moved to the "Official" stage and is now available on the OVAL Language page. This is an update version change, per the revised OVAL Language Versioning Policy, that fixes a critical issue discovered in Version 5.10 of the OVAL Language. The OVAL Interpreter and OVAL Repository have also been updated to Version 5.10.1.
Version 5.10.1 includes the following: updated the GeneratorType and DeprecatedInfoType to align with the new three-component version identifier in the OVAL Language Versioning Policy; added the missing extended_name entity to the linux-def:rpmverifypackage_state; and changed the minOccurs attribute on the entities in the linux-def:rpmverifypackage_object and linux-def:rpmverifyfile_object from "0" to "1".
The previous versions of OVAL have been archived. Visit the OVAL Language Releases page for the latest information on Version 5.10.1.
OVAL Interpreter Updated for Version 5.10.1
The OVAL Interpreter and its source code have been updated to OVAL Version 5.10.1. Specific updates to the OVAL Interpreter included: addition of support for Version 5.10.1 of the OVAL Language and fixing some minor issues reported by the OVAL Community.
The list of updates and fixes is also available in the download bundle. See the OVAL Interpreter Page on SourceForge for the latest release and to review the terms of use.
OVAL Repository Updated for Version 5.10.1
The OVAL Repository has been updated to OVAL Version 5.10.1. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services, per the Terms of Use.
Draft of OVAL Language Windows Component Data Model Specification Now Available
A working draft of the OVAL Language Windows Component Data Model Specification document is now available for community review and comment on the OVAL Version 5.10.1 page in the OVAL Language section. The specification is the platform-specific extension of the OVAL Language Data Model for the Microsoft Windows operating systems.
Please submit comments or questions about the current draft directly to the OVAL Developer’s Forum email list.
Release Candidate 2 of OVAL Version 5.10.1 Now Available
Release Candidate 2 of Version 5.10.1 of the OVAL Language is now available on the OVAL Web site. Version 5.10.1 is scheduled to be moved to the Official stage on January 20, 2012. This is an update version change, per the revised OVAL Language Versioning Policy, that fixes a critical issue discovered in Version 5.10 of the OVAL Language.
Additional information about Version 5.10.1 is available on the Version 5.10.1 Upcoming Version page.
OVAL Board Holds Teleconference Meeting
The OVAL Board held a teleconference meeting on January 9, 2012. Discussion topics included status updates on the OVAL Language, OVAL Repository, and OVAL Adoption; the update version release of OVAL 5.10.1; the updated Versioning Policy document; OVAL Interpreter; and the OVAL Language Sandbox proposal. Read the meeting minutes.
MITRE Announces Initial "Making Security Measurable" Calendar of Events for 2012
MITRE has announced its initial Making Security Measurable calendar of events for 2012. Details regarding MITRE’s scheduled participation at these events are noted on the OVAL Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.
- RSA Conference 2012, February 27-March 2, 2012
- InfoSec World Conference & Expo 2012, April 2-4, 2012
- Black Hat Briefings 2012, July 25-26, 2012
- Information Assurance Expo 2012, August 27-30, 2012
- Black Hat Briefings 2012, November 1-2, 2012
Other events may be added throughout the year. Visit the OVAL Calendar for information or contact oval@mitre.org to have MITRE present a briefing or participate in a panel discussion about OVAL, CVE, CCE, CPE, CAPEC, CybOX, CWE, MAEC, CEE, Software Assurance, and/or Making Security Measurable at your event.
Two New OVAL Board Members
Anthony Busciglio and Omar Santos of Cisco Systems, Inc. have joined the OVAL Board.
OVAL Repository Announces Top Contributors Awards for Q4-2011
Depository Trust & Clearing Corporation (DTCC), G2, Inc., SecPod Technologies, and Symantec Corporation received the "OVAL Repository Top Contributors Awards" for Q4-2011. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute.
Refer to the OVAL Repository Top Contributors Awards Program page for more information and a list of past recipients.
Page Last Updated: April 28, 2015