MITRE Issues New Standard for Computer Vulnerability Assessment
December 16, 2002
The MITRE Corporation recently unveiled Open Vulnerability Assessment Language (OVAL), a new communitywide standard for identifying computer vulnerabilities on local systems.
Computer vulnerabilities are entry points for hackers. If not fixed, they can result in significant recovery expenses in the event of a compromise. A preview of OVAL was displayed at the recent SANS Network Security 2002 conference.
The OVAL effort addresses the problem that security assessment tools check for software vulnerabilities in different ways. It builds on Common Vulnerabilities and Exposures (CVE), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by MITRE in cooperation with the international security community.
The OVAL effort was initiated by MITRE and involves representatives from a broad spectrum of industry, academia, and government organizations, including operating system and security tool vendors.
Initially, OVAL will support Windows NT 4.0, Windows 2000, and Solaris 7 and 8. Red Hat Linux is also supported in draft form.
Queries are written in SQL and can be reviewed individually by hand or incorporated into security tools. Each OVAL query is based on one or more CVE entries and uses a community-developed schema. The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors, and security analysts for review, debate, and refinement. The resulting vulnerability content, in the form of approved OVAL queries for the supported platforms, is freely available over the Internet. It is maintained by MITRE on the OVAL Web site.