Search This Blog

Friday, March 12, 2010

NIST Publishes Open Vulnerability and Assessment Language (OVAL)

John Banghart, Stephen Quinn, David Waltermire (eds), NIST Report

An announcement from Pat O'Reilly of NIST's Computer Security Division
reports on the publication of a Draft NIST Interagency Report (IR)
7669: "Open Vulnerability and Assessment Language (OVAL) Validation
Program Test Requirements." The report defines the requirements and
associated test procedures necessary for products to achieve one or
more Open Vulnerability and Assessment Language (OVAL) Validations.
Validation is awarded based on testing a defined set of OVAL
capabilities by independent laboratories that have been accredited
for OVAL testing by the NIST National Voluntary Laboratory
Accreditation Program (NVLAP).

Open Vulnerability and Assessment Language (OVAL) is an information
security community standard to promote open and publicly available
security content, and to standardize the transfer of this information
across security tools and services. The OVAL Language is an XML
specification for exchanging technical details on how to check systems
for security-related software flaws, configuration issues, and patches.

The OVAL Language standardizes the three main steps of the assessment
process: representing configuration information of systems for testing;
analyzing the system for the presence of the specified machine state
(vulnerability, configuration, patch state, etc.); and reporting the
results of the assessment. In this way, OVAL enables open and publicly
available security content and standardizes the transfer of this content
across the entire spectrum of information security tools and services.
OVAL is maintained by the MITRE Corporation...

The NIST OVAL Validation Program is designed to test the ability of
products to use the features and functionality defined in the OVAL
Language. An information technology (IT) product vendor can obtain
one or more OVAL Validations for a product. These validations are
based on the test requirements defined in this document, which cover
four distinct but related validations based on product functionality..." more detail

1 comment:

Nikita Rana said...

First of all I'd like to commend you on your extremely informative article. Coming to my query, I would like to know the exact working of the OVAL Interpreter. Could you please provide me with some informative links on the inner workings of the OVAL Interpreter.