The OVAL Standard

OVAL (Open Vulnerability and Assessment Language) is an international and open information security standard that standardizes the transfer of information between various security services and solutions. This language standardizes the three main stages in the evaluation process: the representation of information on the configurations of the systems to be tested; the analysis of the system in relation to the desired state of the machine (vulnerability, settings, state of the patches, among others); and the representation of the results of this analysis.

The OVAL community developed three schemas written in Extensible Markup Language (XML) to serve as the framework and vocabulary for OVAL. These schemas correspond directly to the stages of the evaluation process: Definition, System Characteristics, and Results.

The OVAL Definition schema defines the XML framework for writing three kinds of definitions: vulnerability definitions, which specify the conditions that must exist on a machine for a specific vulnerability to be present; patch definitions, which specify the conditions on a machine that determine whether a specific patch is appropriate for the system; and compliance definitions, which specify the conditions on a machine that determine whether or not it complies with a certain configuration policy.

The OVAL System Characteristics schema defines the default XML format for representing system configuration information. This information includes the parameters of the operating system and installed applications, as well as other relevant configuration values. The purpose of this schema is to provide a database of system characteristics, which is compared against the OVAL Definitions in order to analyze the system for vulnerabilities, configuration problems, and patches.

The OVAL Results schema defines a default XML format for storing the results of a system evaluation. The Results information contains the current configurations of a system compared to a set of OVAL Definitions. The schema allows applications to read this data, interpret it, and then take the necessary actions to resolve vulnerabilities and configuration problems.
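The three stages described above, sketched in Python as an added example (not code from the OVAL project): a cut-down Definitions document is parsed, its criteria trees are evaluated, and a per-definition result is produced. The document and its ids are constructed, the per-test outcomes are supplied directly as a stand-in for System Characteristics data, and only the AND/OR operators and true/false results are handled.

```python
import xml.etree.ElementTree as ET  # use a hardened XML parser for untrusted content

NS = {"d": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}

# Constructed sample: a cut-down OVAL Definitions document (not schema-complete).
DEFINITIONS_XML = """
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:example.constructed:def:1" version="1" class="vulnerability">
      <criteria operator="AND">
        <criterion test_ref="oval:example.constructed:tst:1" comment="package installed"/>
        <criterion test_ref="oval:example.constructed:tst:2" comment="version below fix"/>
      </criteria>
    </definition>
    <definition id="oval:example.constructed:def:2" version="1" class="compliance">
      <criteria operator="OR">
        <criterion test_ref="oval:example.constructed:tst:3" comment="min length set"/>
        <criteria operator="AND">
          <criterion test_ref="oval:example.constructed:tst:1" negate="true" comment="package absent"/>
        </criteria>
      </criteria>
    </definition>
  </definitions>
</oval_definitions>
"""

def eval_node(node, test_results):
    """Evaluate a <criteria> or <criterion> element to True/False."""
    tag = node.tag.split("}")[1]
    if tag == "criterion":
        result = test_results[node.get("test_ref")]
    elif tag == "criteria" and node.get("operator", "AND") in ("AND", "OR"):
        children = [eval_node(child, test_results) for child in node]
        result = all(children) if node.get("operator", "AND") == "AND" else any(children)
    else:
        raise ValueError("unsupported element or operator: " + tag)
    return (not result) if node.get("negate") == "true" else result

def evaluate(xml_text, test_results):
    """Return {definition id: (class, result)}, a stand-in for OVAL Results."""
    root = ET.fromstring(xml_text)
    out = {}
    for d in root.findall("d:definitions/d:definition", NS):
        out[d.get("id")] = (d.get("class"), eval_node(d.find("d:criteria", NS), test_results))
    return out

# Constructed per-test outcomes (system data already compared against each test).
T = "oval:example.constructed:tst:"
TEST_RESULTS = {T + "1": True, T + "2": True, T + "3": False}
RESULTS = evaluate(DEFINITIONS_XML, TEST_RESULTS)
```

With these constructed outcomes, the vulnerability definition evaluates to true (the vulnerable condition is present) and the compliance definition to false (the policy is not met).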

For details on the OVAL standard, please visit http://oval.mitre.org/.