Follow Us:

Matt Wojcik (at left) describes OVAL to a visitor at the 2003 SANS conference.

For years, computer hackers have exploited a systemic weakness in information security: Because of the many potential pathways into computer networks, it's nearly impossible to detect and patch every security flaw. Just checking for vulnerabilities can be a monumental task. Fortunately, MITRE's Matt Wojcik and his colleagues are introducing a new community-wide standard that should make the intruders' jobs a lot harder.

Wojcik, a senior information security engineer, helps maintain OVAL (Open Vulnerability Assessment Language), a new information security community effort for standardizing vulnerability assessments that MITRE formally rolled out in December 2002. OVAL gives security experts a common vocabulary for discussing how to automatically test for weak spots in their systems, enabling them to take action.

Wojcik explains why an effort like OVAL is so valuable, especially for organizations with large information technology components. "Often, a software company's security bulletin will mention a potential vulnerability but won't give you enough detail to help you decide if you need to install a security patch. What if you have hundreds of machines to check? What if the patch might interfere with other software? And what if you don't have the vulnerability at all? Network administrators can be reluctant to download patches to all their machines.

"Some commercial software does check for vulnerabilities, but the network administrator doesn't know why it's working, because the tools are closed," he adds. "Even open-source programs usually are inconsistent from one another because they use their own terminology and syntax and are hard to understand. This is very frustrating, and there's a real lack of confidence in the answers." OVAL sidesteps many of these stumbling blocks since its analyses are based on local system characteristics and configurations, not on features of proprietary software code.

OVAL uses an SQL (structured query language)-based system for identifying possible security defects. The queries rely mainly on definitions and descriptions from the Common Vulnerabilities and Exposures (CVE) List, the increasingly popular IT resource developed and managed by MITRE with the cooperation of the worldwide security community. Once a query is submitted to OVAL, it's discussed and reviewed in an e-mail forum. After the discussion period, the query moves past the draft and interim stages and an accepted query is released to the public for use as a system diagnostic. (The entire process can be found at the Open Vulnerability Assessment Language Web site.) OVAL is maintained by MITRE and offered to the public for free.

Wojcik first came to MITRE in 1995 as a co-op student from Northeastern University in Boston; he became a permanent employee in 1999, focusing mainly on information security systems. Besides the satisfaction he's gained from working in a vital technology area, MITRE has been a good fit for him personally. Because his home in southeastern Vermont is a four-hour roundtrip from his Bedford office, Wojcik telecommutes as many as two to three days a week, serving as OVAL's listserve discussion moderator and editor.

Accommodating his need for a flexible working schedule isn't the only reason Wojcik finds MITRE to be special, however. For one thing, he believes only a place like MITRE could have produced OVAL.

"I'm not sure OVAL could have happened at a commercial company," he says. "MITRE has opened doors among other companies in the security community that otherwise might not have communicated with each other. That's been really gratifying for me as a participant.

"Creating OVAL is an opportunity not only for MITRE to work in the public interest, but also to get these issues out in the open and get the security community talking," he says. "The word 'open' in OVAL is meant to be just that—open debate, open discussion. And the content is freely available."