Open Vulnerability and Assessment Language: Difference between revisions

{{Short description|International information security community standard}}
{{Redirect|OVAL|the shape|Oval}}
'''Open Vulnerability and Assessment Language''' ('''OVAL''') is an international, [[information security]], community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details, and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process:
# representing configuration information of systems for testing;
# analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and
# reporting the results of this assessment.
The repositories are collections of publicly available and open content that utilize the language.
 
The OVAL community has developed three schemas written in Extensible [[Markup language|Markup Language]] ([[XML]]) to serve as the framework and vocabulary of the OVAL Language. These schemas correspond to the three steps of the assessment process: an OVAL System Characteristics schema for representing system information, an OVAL Definition schema for expressing a specific machine state, and an OVAL Results schema for reporting the results of an assessment.
 
Content written in the OVAL Language is located in one of the many repositories found within the community. One such repository, known as the OVAL Repository, is hosted by The [[MITRE]] Corporation. It is the central meeting place for the OVAL Community to discuss, analyze, store, and disseminate OVAL Definitions. Each definition in the OVAL Repository determines whether a specified software vulnerability, configuration issue, program, or patch is present on a system.
 
== OVAL Interpreter ==
The [http://oval.mitre.org/language/download/interpreter/index.html OVAL Interpreter] is a freely available [[reference implementation]] created to show how data can be collected from a computer for testing based on a set of OVAL Definitions and then evaluated to determine the results of each definition.
 
The OVAL Interpreter demonstrates the usability of OVAL Definitions, and can be used by definition writers to ensure correct syntax and adherence to the OVAL Language during the development of draft definitions. It is not a fully functional scanning tool and has a simplistic user interface, but running the OVAL Interpreter will provide you with a list of result values for each evaluated definition.
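
The evaluation step described above can be sketched as follows. This is an added example, not code from the OVAL Interpreter or from MITRE: it parses a constructed OVAL Definitions document and combines per-test results through the definition's criteria tree. The definition and test ids, the sample document, and the simplification of test results to true/false are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the OVAL Definition schema (version 5 of the language).
NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample document; the ids are made up and not from any repository.
SAMPLE = """<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example:def:1" version="1" class="vulnerability">
      <metadata><title>Constructed example: vulnerable package</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:example:tst:1" comment="affected OS release"/>
        <criteria operator="OR">
          <criterion test_ref="oval:example:tst:2" comment="package below fixed version"/>
          <criterion test_ref="oval:example:tst:3" negate="true" comment="patch installed"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>"""

# Criteria operators, reduced here to boolean logic (an assumption of this sketch).
OPERATORS = {
    "AND": all,
    "OR": any,
    "ONE": lambda vals: sum(vals) == 1,      # exactly one child is true
    "XOR": lambda vals: sum(vals) % 2 == 1,  # odd number of children are true
}

def evaluate(node, test_results):
    """Recursively evaluate a <criteria> or <criterion> element to a bool."""
    tag = node.tag.rsplit("}", 1)[-1]
    if tag == "criterion":
        value = test_results[node.get("test_ref")]
    elif tag == "criteria":
        children = [evaluate(child, test_results) for child in node]
        value = OPERATORS[node.get("operator", "AND")](children)
    else:
        raise ValueError(f"unsupported element in this sketch: {tag}")
    return (not value) if node.get("negate") in ("true", "1") else value

def assess(xml_text, test_results):
    """Return {definition id: (class, title, result)} for every definition."""
    root = ET.fromstring(xml_text)  # parse trusted content only
    report = {}
    for d in root.findall("d:definitions/d:definition", NS):
        title = d.findtext("d:metadata/d:title", namespaces=NS)
        result = evaluate(d.find("d:criteria", NS), test_results)
        report[d.get("id")] = (d.get("class"), title, result)
    return report
```
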
== OVAL Board ==
The OVAL Board is an advisory body, which provides valuable input on OVAL to the Moderator (currently MITRE). While it is important to have organizational support for OVAL, it is the individuals who sit on the OVAL Board and their input and activity that truly make a difference. The Board’s primary responsibilities are to work with the Moderator and the Community to define OVAL, to provide input into OVAL’s strategic direction, and to advocate OVAL in the Community.
 
== OVAL Adoption Program ==
The OVAL Adoption Program was established to educate vendors on best practices regarding the use and implementation of OVAL, to provide vendors with an opportunity to make formal self-assertions about how their products utilize OVAL, and to help MITRE gain deeper insights into how OVAL is or could be utilized so that the standard can continue to evolve as needed by the community. The relationships between the different capabilities in the OVAL Adoption Program are illustrated below. Click on "Products" to see a list of products that have adopted OVAL for that capability, or "Implement" to view the requirements that must be met to adopt OVAL for that capability.
 
==See also==
*[[MITRE]] The MITRE Corporation
*[[Common Vulnerabilities and Exposures]] (index of standardized names for vulnerabilities and other security issues)
*[[Common Platform Enumeration]] (index of standardized names for platforms)
* [[Common Configuration Enumeration]] (index of security-related system configuration issues)
*[[XCCDF]] - eXtensible Configuration Checklist Description Format
*[[Security Content Automation Protocol]] uses OVAL
 
==External links==
*[https://oval.cisecurity.org/ OVAL web site]
*[http://www.gideontechnologies.com/ Gideon Technologies (OVAL Board Member) Corporate Web Site]
*[http://www.itsecdb.com/ www.itsecdb.com] Portal for OVAL definitions from several sources
*[http://oval.secpod.com oval.secpod.com] SecPod OVAL Definitions Professional Feed
*[http://ovaldb.altx-soft.ru ovaldb.altx-soft.ru] Altex-Soft Ovaldb Web-Based OVAL Repository Database
 
[[Category:Computer security procedures]]