Open Vulnerability Assessment Language (OVAL)

Open Vulnerability Assessment Language (OVAL) is a publicly available international information security standard used to assess and report a system's current state and issues. OVAL is also co-supported by the Office of Cybersecurity and Communications of the U.S. Department of Homeland Security. OVAL provides a language for encoding system attributes and a set of content repositories shared within the security community; the OVAL repository holds over 7,000 definitions for public use. OVAL is also used by the U.S. National Institute of Standards and Technology's (NIST) Security Content Automation Protocol (SCAP), which brings together community ideas for automating vulnerability management, measurement, and policy compliance checking.

OVAL Process

Security policy compliance flowchart: desired security settings and new information in XML are assessed for policy compliance. If compliant, the system is policy compliant. If not, implement changes using remediation strategies. Adapted from the original graphic found here.

The goal of the OVAL language is to have a three-step structure during the assessment process that consists of:

  • Identifying a system's configurations for testing

  • Evaluating the current system's state

  • Disclosing the information in a report

The information can be described in various types of states, including: Vulnerable, Non-compliant, Installed Asset, and Patched.

OVAL Definitions

OVAL definitions are recorded in XML and describe how to detect software vulnerabilities, misconfigurations, installed programs, and other system information, removing the need to exploit a system to find out. By identifying an issue without exploiting it, an organization can determine which systems on its network need to be patched.

The four main classes of OVAL definitions consist of:

  • OVAL Vulnerability Definitions: Identifies system vulnerabilities

  • OVAL Compliance Definitions: Identifies if current system configurations meet system policy requirements

  • OVAL Inventory Definitions: Evaluates a system to see if a specific software is present

  • OVAL Patch Definitions: Identifies if a system has the appropriate patch

Additionally, every OVAL item carries a unique identifier in the format "oval:Organization Domain Name:ID Type:ID Value". The ID Type falls into one of several categories, including: definition (def), object (obj), state (ste), and variable (var). An example of a unique identifier is oval:org.mitre.oval:obj:1116.
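To make the definition classes and the ID format concrete, here is an added example (not code from the page or from the OVAL project) that parses a small, constructed OVAL definitions document with Python's standard library, checks each definition's ID against the "oval:org:type:value" format, and flags entries whose ID, class, or test references are malformed. The XML namespace is the OVAL Definitions schema namespace; the `tst` ID type and the `miscellaneous` class are assumed from the OVAL schema rather than taken from the page, and `org.example` and all definition contents are invented sample data.

```python
"""Validate OVAL IDs and summarize a minimal OVAL definitions document.

Added example, not from the page or the OVAL project. The XML below is a
constructed document in the shape of the OVAL Definitions schema.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the OVAL Definitions 5.x schema.
OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# ID format: oval:<organization domain name>:<id type>:<id value>.
# Types on the page: def, obj, ste, var; tst (test) is assumed from the schema.
# The ID value is a positive integer with no leading zeros.
OVAL_ID_RE = re.compile(
    r"^oval:(?P<org>[A-Za-z0-9_.\-]+):(?P<type>def|obj|ste|tst|var):(?P<value>[1-9][0-9]*)$"
)

# Four classes from the page plus "miscellaneous" (assumed from the schema).
DEFINITION_CLASSES = {"vulnerability", "compliance", "inventory", "patch", "miscellaneous"}


def parse_oval_id(oval_id):
    """Return the parts of a well-formed OVAL ID, or None if it is malformed."""
    m = OVAL_ID_RE.match(oval_id)
    if m is None:
        return None
    return {"org": m.group("org"), "type": m.group("type"), "value": int(m.group("value"))}


def summarize_definitions(xml_text):
    """Return one record per <definition>: id, class, title, test refs, problems.

    Malformed entries are reported rather than silently accepted, so a bad
    content feed can be rejected before it drives a scan.
    """
    root = ET.fromstring(xml_text)
    ns = {"oval": OVAL_DEF_NS}
    records = []
    for d in root.findall("oval:definitions/oval:definition", ns):
        def_id = d.get("id", "")
        def_class = d.get("class", "")
        title_el = d.find("oval:metadata/oval:title", ns)
        title = title_el.text.strip() if title_el is not None and title_el.text else ""
        test_refs = [c.get("test_ref") for c in d.iter(f"{{{OVAL_DEF_NS}}}criterion")]
        problems = []
        parsed = parse_oval_id(def_id)
        if parsed is None:
            problems.append("malformed id")
        elif parsed["type"] != "def":
            problems.append("id type is not 'def'")
        if def_class not in DEFINITION_CLASSES:
            problems.append(f"unknown class '{def_class}'")
        for ref in test_refs:
            p = parse_oval_id(ref or "")
            if p is None or p["type"] != "tst":  # criteria must point at tests
                problems.append(f"bad test_ref '{ref}'")
        records.append({"id": def_id, "class": def_class, "title": title,
                        "test_refs": test_refs, "problems": problems})
    return records


# Constructed sample document: two valid definitions and one deliberately bad one.
SAMPLE_OVAL_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="{OVAL_DEF_NS}">
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="vulnerability">
      <metadata><title>Example vulnerable package version (constructed)</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:org.example:tst:1" comment="package installed"/>
        <criterion test_ref="oval:org.example:tst:2" comment="version below fixed release"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:def:2" version="1" class="inventory">
      <metadata><title>Example package is present (constructed)</title></metadata>
      <criteria>
        <criterion test_ref="oval:org.example:tst:1" comment="package installed"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:obj:03" version="1" class="hotfix">
      <metadata><title>Malformed entry (constructed)</title></metadata>
      <criteria>
        <criterion test_ref="oval:org.example:obj:1" comment="points at an object, not a test"/>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""


if __name__ == "__main__":
    for rec in summarize_definitions(SAMPLE_OVAL_XML):
        status = "OK" if not rec["problems"] else "REJECT: " + "; ".join(rec["problems"])
        print(f"{rec['id']:<28} {rec['class']:<14} {status}")
```

Running the script prints the first two definitions as OK and rejects the third for its leading-zero ID value with the wrong ID type, its unknown class, and a criterion that references an object instead of a test. The same checks applied to a real feed would catch a truncated or hand-edited definitions file before a scanner consumes it.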

Scanners such as Nessus have the ability to use OVAL to configure security compliance scanning templates.
