US-CERT and OVAL

 

Open Vulnerability Assessment Language (OVAL™) is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. OVAL provides its vulnerability content to US-CERT, and US-CERT incorporates this information, along with the CVE names on which OVAL definitions are based, into its security advisories when possible.

What is the OVAL?

OVAL is the common language for security experts to discuss and agree upon technical details about how to check for the presence of vulnerabilities on computer systems. The vulnerabilities are identified using gold-standard tests—OVAL vulnerability definitions in Extensible Markup Language (XML) and queries in Structured Query Language (SQL)—that can be utilized by end users or implemented in scanning tools.

Members of the information security community participate in the OVAL project by writing, reviewing, and discussing definitions on the OVAL Community Forum email list. This means OVAL vulnerability content reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals.

An OVAL Board of representatives from industry, academia, and government organizations approves OVAL's baseline schema and evaluates and reviews definitions.

OVAL is

  • an international, information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on computer systems.
  • a three-leveled vulnerability handling method consisting of a characteristics schema for collecting configuration data from systems for testing; a set of definitions to test for the presence of specific vulnerabilities, configuration issues, and/or patches; and a schema for reporting the results from the evaluated systems.
  • free to the public on the OVAL Web site.
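To make the three levels concrete, here is an added, simplified example (not OVAL's own code, and not the official OVAL schema, which uses namespaces and platform-specific test, object and state types): a constructed definition-style XML document is evaluated against constructed system characteristics to produce a result, including the "unknown" result when an object the definition needs was never collected.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified OVAL-style document (not the official OVAL schema).
DEFINITION_XML = """<oval_definitions>
  <definition id="oval:example:def:1" class="vulnerability">
    <criteria operator="AND">
      <criterion test_ref="oval:example:tst:1"/>
      <criterion test_ref="oval:example:tst:2"/>
    </criteria>
  </definition>
  <test id="oval:example:tst:1" object_ref="oval:example:obj:1" state_ref="oval:example:ste:1"/>
  <test id="oval:example:tst:2" object_ref="oval:example:obj:2" state_ref="oval:example:ste:2"/>
  <object id="oval:example:obj:1" item="package:openssl"/>
  <object id="oval:example:obj:2" item="sysctl:net.ipv4.ip_forward"/>
  <state id="oval:example:ste:1" operation="less than" value="1.0.2"/>
  <state id="oval:example:ste:2" operation="equals" value="1"/>
</oval_definitions>"""

def version_key(v):  # numeric dotted versions only: '1.0.2' -> (1, 0, 2)
    return tuple(int(p) for p in v.split("."))

def compare(actual, operation, expected):
    if operation == "equals":
        return actual == expected
    if operation == "less than":
        return version_key(actual) < version_key(expected)
    raise ValueError(f"unsupported operation: {operation}")

def evaluate_test(test, objects, states, characteristics):
    """'true', 'false', or 'unknown' when the object was never collected."""
    item = objects[test.get("object_ref")].get("item")
    if item not in characteristics:
        return "unknown"
    state = states[test.get("state_ref")]
    ok = compare(characteristics[item], state.get("operation"), state.get("value"))
    return "true" if ok else "false"

def evaluate_criteria(node, tests, objects, states, characteristics):
    # Three-valued: one false decides an AND, one true decides an OR, else unknown wins.
    if node.tag == "criterion":
        return evaluate_test(tests[node.get("test_ref")], objects, states, characteristics)
    results = [evaluate_criteria(c, tests, objects, states, characteristics) for c in node]
    if node.get("operator") == "AND":
        return "false" if "false" in results else "unknown" if "unknown" in results else "true"
    return "true" if "true" in results else "unknown" if "unknown" in results else "false"

def evaluate_definitions(xml_text, characteristics):
    """Map each definition id to its result for the collected characteristics."""
    root = ET.fromstring(xml_text)
    tests, objects, states = ({e.get("id"): e for e in root.iter(tag)} for tag in ("test", "object", "state"))
    return {d.get("id"): evaluate_criteria(d.find("criteria"), tests, objects, states, characteristics)
            for d in root.iter("definition")}
```

The `characteristics` dictionary stands in for the collected system-characteristics document; a real interpreter would gather it from the host before evaluation.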

OVAL Compatible Products and Services

Types of products include vulnerability definitions that determine the presence of system vulnerabilities; patch definitions that determine whether or not a particular patch is appropriate for a system; compliance definitions that test whether the configuration settings of a system meet a stated policy; a system characteristics schema that standardizes the collection of system data; and a results schema that standardizes the presentation of vulnerability assessment and remediation results.

Reference Vulnerability Definition Interpreters, created to show how information can be collected from a computer to evaluate and carry out the OVAL definitions for a platform, are available now from the Downloads section.

Platforms Supported

OVAL supports Windows, UNIX, and Linux. Numerous definitions are available for each platform as well as Definition Interpreters that can test a system for vulnerabilities. Definitions and downloads are updated regularly.
