Open Vulnerability And Assessment Language

Open Vulnerability and Assessment Language (OVAL) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process:

1. representing configuration information of systems for testing;
2. analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and
3. reporting the results of this assessment.

The repositories are collections of publicly available and open content that utilize the language.

The OVAL community has developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.

Content written in the OVAL Language is located in one of the many repositories found within the community. One such repository, known as the OVAL Repository, is hosted by The MITRE Corporation. It is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system.

The information security community contributes to the development of OVAL by participating in the creation of the OVAL Language on the OVAL Developers Forum and by writing definitions for the OVAL Repository through the OVAL Community Forum. An OVAL Board consisting of representatives from a broad spectrum of industry, academia, and government organizations from around the world oversees and approves the OVAL Language and monitors the posting of the definitions hosted on the OVAL Web site. This means that OVAL, which is funded by US-CERT at the U.S. Department of Homeland Security for the benefit of the community, reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals worldwide.

OVAL is used by the Security Content Automation Protocol (SCAP).


OVAL Language

The OVAL Language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment.


OVAL Interpreter

The OVAL Interpreter is a freely available reference implementation created to show how data can be collected from a computer for testing based on a set of OVAL Definitions and then evaluated to determine the results of each definition. The OVAL Interpreter demonstrates the usability of OVAL Definitions, and can be used by definition writers to ensure correct syntax and adherence to the OVAL Language during the development of draft definitions. It is not a fully functional scanning tool and has a simplistic user interface, but running the OVAL Interpreter will provide you with a list of result values for each evaluated definition.
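The evaluation step described above, sketched as an added example (not code from the OVAL Interpreter or the OVAL project): it reads the criteria tree of each definition in an OVAL Definitions document and reduces it to one result per definition. Assumptions: the sample document and its ids are constructed, the per-test outcomes are passed in as a dictionary in place of real data collection, results are simplified to true/false (the OVAL Results schema also allows values such as unknown, error, not evaluated and not applicable), and extend_definition is not handled.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample, trimmed to the elements read below (a real document also
# carries <generator>, <tests>, <objects> and <states>). All ids are made up.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:com.example:def:1" version="1" class="vulnerability">
   <metadata><title>Example package is vulnerable</title></metadata>
   <criteria operator="AND">
    <criterion test_ref="oval:com.example:tst:1" comment="package is installed"/>
    <criteria operator="OR">
     <criterion test_ref="oval:com.example:tst:2" comment="version is below the fix"/>
     <criterion test_ref="oval:com.example:tst:3" negate="true" comment="patch is present"/>
    </criteria>
   </criteria>
  </definition>
 </definitions>
</oval_definitions>"""

# Operators defined for <criteria>; each takes the list of child results.
OPERATORS = {"AND": all, "OR": any,
             "ONE": lambda v: sum(v) == 1, "XOR": lambda v: sum(v) % 2 == 1}

def evaluate(node, test_results):
    """Reduce a <criteria>/<criterion> subtree to True or False."""
    if node.tag.endswith("}criterion"):
        value = test_results[node.get("test_ref")]
    else:
        children = [evaluate(child, test_results) for child in node]
        value = OPERATORS[node.get("operator", "AND")](children)
    return not value if node.get("negate") in ("true", "1") else value

def assess(xml_text, test_results):
    """Return {definition id: (class, result)} for every definition."""
    # Stdlib parser is used for the embedded sample; content fetched from a
    # repository you do not control should go through a hardened XML parser.
    root = ET.fromstring(xml_text)
    results = {}
    for definition in root.iterfind("d:definitions/d:definition", NS):
        criteria = definition.find("d:criteria", NS)
        results[definition.get("id")] = (definition.get("class"),
                                         evaluate(criteria, test_results))
    return results

if __name__ == "__main__":
    collected = {"oval:com.example:tst:1": True, "oval:com.example:tst:2": False,
                 "oval:com.example:tst:3": False}
    print(assess(SAMPLE, collected))
```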


OVAL Repository

The OVAL Repository is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Other repositories in the community also host OVAL content, which can include OVAL System Characteristics files and OVAL Results files as well as definitions. The OVAL Repository contains all community-developed OVAL Vulnerability, Compliance, Inventory, and Patch Definitions for supported operating systems. Definitions are free to use and implement in information security products and services.

The OVAL Repository Top Contributor Award Program grants awards on a quarterly basis to the top contributors to the OVAL Repository. The Repository is a community effort, and contributions of new content and modifications are instrumental in its success. The awards serve as public recognition of an organization’s support of the OVAL Repository and as an incentive to others to contribute. Organizations receiving the award will also receive a logo indicating the quarter of the award (e.g., 1st Quarter 2007) that may be used as they see fit. Awards are granted to organizations that have made a significant contribution of new or modified content each quarter.


OVAL Board

The OVAL Board is an advisory body, which provides valuable input on OVAL to the Moderator (currently MITRE). While it is important to have organizational support for OVAL, it is the individuals who sit on the OVAL Board and their input and activity that truly make a difference. The Board’s primary responsibilities are to work with the Moderator and the Community to define OVAL, to provide input into OVAL’s strategic direction, and to advocate OVAL in the Community.


See also

* MITRE - The MITRE Corporation
* Common Vulnerabilities and Exposures (index of standardized names for vulnerabilities and other security issues)
* XCCDF - eXtensible Configuration Checklist Description Format
* Security Content Automation Protocol uses OVAL


External links


* OVAL web site
* Gideon Technologies (OVAL Board Member) Corporate Web Site
* www.itsecdb.com - Portal for OVAL definitions from several sources
* oval.secpod.com - SecPod OVAL Definitions Professional Feed