Matt Wojcik (at left)
describes OVAL to a visitor at the 2003 SANS conference.
Tough on Computer Intruders: OVAL Helps IT Professionals
Identify System Security Flaws
For years, computer hackers have exploited a systemic weakness
in information security: Because of the many potential pathways
into computer networks, it's nearly impossible to detect and patch
every security flaw. Just checking for vulnerabilities can be a
monumental task. Fortunately, MITRE's Matt Wojcik and his colleagues
are introducing a new community-wide standard that should make the
intruders' jobs a lot harder.
Wojcik, a senior information security engineer, helps maintain
OVAL (Open Vulnerability
Assessment Language), a new information security community effort
for standardizing vulnerability assessments that MITRE formally
rolled out in December 2002. OVAL gives security experts a common
vocabulary for discussing how to automatically test for weak spots
in their systems, enabling them to take action.
Wojcik explains why an effort like OVAL is so valuable, especially
for organizations with large information technology components.
"Often, a software company's security bulletin will mention a potential
vulnerability but won't give you enough detail to help you decide
if you need to install a security patch. What if you have hundreds
of machines to check? What if the patch might interfere with other
software? And what if you don't have the vulnerability at all? Network
administrators can be reluctant to download patches to all their
"Some commercial software does check for vulnerabilities, but the
network administrator doesn't know why it's working, because the
tools are closed," he adds. "Even open-source programs usually are
inconsistent from one another because they use their own terminology
and syntax and are hard to understand. This is very frustrating,
and there's a real lack of confidence in the answers." OVAL sidesteps
many of these stumbling blocks since its analyses are based on local
system characteristics and configurations, not on features of proprietary
OVAL uses an SQL (structured query language)-based system for identifying
possible security defects. The queries rely mainly on definitions
and descriptions from the Common
Vulnerabilities and Exposures (CVE) List, the increasingly popular
IT resource developed and managed by MITRE with the cooperation
of the worldwide security community. Once a query is submitted to
OVAL, it's discussed and reviewed in an e-mail forum. After the
discussion period, the query moves past the draft and interim stages
and an accepted query is released to the public for use as a system
diagnostic. (The entire process can be found at the Open
Vulnerability Assessment Language Web site.) OVAL is maintained
by MITRE and offered to the public for free.
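To illustrate the idea of an SQL query that decides from local system characteristics and configuration whether a machine is affected, here is an added example; it is not taken from OVAL or from MITRE. The table layout, the "exampled" package, its fixed version 2.1.9 and the CVE-XXXX-NNNN placeholder are all assumptions made for the illustration.

```python
import sqlite3

# Hypothetical schema (an assumption, not OVAL's real one): each table holds
# system characteristics collected locally on every host.
SCHEMA = """
CREATE TABLE file_versions (host TEXT, path TEXT, major INT, minor INT, build INT);
CREATE TABLE services (host TEXT, name TEXT, enabled INT);
"""
BINARY = "/opt/exampled/bin/exampled"  # constructed path

# Constructed sample inventory for three hosts.
FILES = [
    ("web01", BINARY, 2, 1, 4),  # old build, service running
    ("web02", BINARY, 2, 1, 9),  # already at the fixed build
    ("db01", BINARY, 2, 1, 4),   # old build, but service disabled
]
SERVICES = [("web01", "exampled", 1), ("web02", "exampled", 1), ("db01", "exampled", 0)]

# Query for placeholder CVE-XXXX-NNNN: a host is reported only when the
# vulnerable software is present (version below 2.1.9) AND the vulnerable
# configuration is active (service enabled).
VULNERABLE_QUERY = """
SELECT f.host
FROM file_versions AS f
JOIN services AS s ON s.host = f.host AND s.name = 'exampled'
WHERE f.path = '/opt/exampled/bin/exampled'
  AND (f.major < 2
       OR (f.major = 2 AND f.minor < 1)
       OR (f.major = 2 AND f.minor = 1 AND f.build < 9))
  AND s.enabled = 1
ORDER BY f.host
"""

def vulnerable_hosts(files=FILES, services=SERVICES):
    """Load the inventory into an in-memory database and run the query."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO file_versions VALUES (?,?,?,?,?)", files)
    db.executemany("INSERT INTO services VALUES (?,?,?)", services)
    rows = db.execute(VULNERABLE_QUERY).fetchall()
    db.close()
    return [row[0] for row in rows]

if __name__ == "__main__":
    print(vulnerable_hosts())
```

Because the query text is readable, an administrator can see exactly why a host was or was not flagged, which is the transparency Wojcik says closed tools lack.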
Wojcik first came to MITRE in 1995 as a co-op student from Northeastern
University in Boston; he became a permanent employee in 1999, focusing
mainly on information security systems. Besides the satisfaction
he's gained from working in a vital technology area, MITRE has been
a good fit for him personally. Because his home in southeastern
Vermont is a four-hour roundtrip from his Bedford office, Wojcik
telecommutes as many as two to three days a week, serving as OVAL's
listserv discussion moderator and editor.
Accommodating his need for a flexible working schedule isn't the
only reason Wojcik finds MITRE to be special, however. For one thing,
he believes only a place like MITRE could have produced OVAL.
"I'm not sure OVAL could have happened at a commercial company,"
he says. "MITRE has opened doors among other companies in the security
community that otherwise might not have communicated with each other.
That's been really gratifying for me as a participant.
"Creating OVAL is an opportunity not only for MITRE to work in
the public interest, but also to get these issues out in the open
and get the security community talking," he says. "The word 'open'
in OVAL is meant to be just that: open debate, open discussion.
And the content is freely available."