What Is OVAL?
OVAL is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. OVAL provides its vulnerability content to US-CERT, which incorporates this information, together with the CVE names on which OVAL definitions are based, into its security advisories when possible.
What Is OVAL?
Open Vulnerability Assessment Language (OVAL) is the common language in which security experts discuss and agree upon the technical details of how to check for the presence of vulnerabilities on computer systems. The OVAL Web site displays each posted vulnerability definition in both XML and SQL format under a single OVAL-ID. OVAL is sponsored by US-CERT and is industry-endorsed, ensuring that OVAL definitions reflect the combined expertise of the broadest possible group of security and system administration professionals.
OVAL provides a baseline method for performing vulnerability assessments on local computer systems. Common Vulnerabilities and Exposures (CVE®) has already improved the process by establishing a common name for each vulnerability or exposure, so that security assessment tools are checking for the same issue. However, each tool performs its checks in its own way.
OVAL definitions characterize exactly which systems are susceptible to a given vulnerability. The system characteristics they test include the operating system (OS) installed, settings in the OS, the software applications installed, and settings in those applications; the configuration attributes they test include registry key settings, file system attributes, and configuration files.
OVAL definitions are based primarily on Common Vulnerabilities and Exposures (CVE®), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures developed by The MITRE Corporation in cooperation with the international security community.
An OVAL-compliant assessment or scanning tool determines which of these vulnerabilities exist on your system and issues reports. (You may also use the OVAL definitions themselves to perform this check manually.)
Based on these reports, you may then obtain the appropriate software patches and fix information for remediation from the security assessment tools, from your vendors, or from vulnerability research databases and Web sites, and make the repairs.
This process enables a consistent and repeatable approach to vulnerability assessment, leading to a more secure system.
Platforms Supported
OVAL supports Windows, UNIX, and Linux. Numerous definitions are available for each platform, as well as Definition Interpreters that can test a system for vulnerabilities. Definitions and downloads are updated regularly.
Download or search OVAL vulnerability definitions.