MITRE Announces New Standard for Computer Vulnerability Assessment

FOR IMMEDIATE RELEASE

MITRE Contacts: Karina H. Wright, Eryn L. Gallagher

Bedford, Massachusetts, December 10, 2002 — The MITRE Corporation announced today the availability of Open Vulnerability Assessment Language (OVAL), a new community-wide standard for how computer vulnerabilities are identified on local systems. Computer vulnerabilities are the entry points for hackers, and if not fixed can result in significant recovery expenses in the event of a compromise. A preview of OVAL was displayed at the recent SANS Network Security 2002 conference and received an enthusiastic response from the technical audience in attendance.

The OVAL effort addresses the problem of how security assessment tools check for software vulnerabilities in different ways. If a computer is compared to a building and a vulnerability to a way to get into the building, then one tool checks for doors and declares every door it finds a vulnerability, another tool checks whether the door is open or closed before declaring it a vulnerability, and yet another tool looks for large windows as well as doors. These differences make it difficult to determine if any particular vulnerability is truly present.

OVAL builds upon Common Vulnerabilities and Exposures (CVE), a dictionary of standardized names and descriptions for publicly known information security vulnerabilities and exposures, developed by MITRE in cooperation with the international security community. The OVAL effort was initiated by MITRE, and involves representatives from a broad spectrum of industry, academia, and government organizations, including operating system and security tool vendors. Windows NT 4.0, Windows 2000, and Solaris 7 and 8 are OVAL's initial supported platforms. Red Hat Linux is supported in draft form.

"Rather than requiring any specific implementations for vulnerability assessment, OVAL provides a consistent, reliable, and common language for security experts to discuss the technical details of how to check for vulnerabilities on local computers," said Peter S. Tasker, executive director of MITRE's security and information operations division. "The end results of the discussions are collaboratively developed queries, which are an application of the OVAL language and perform the checks."

Queries are written in Structured Query Language (SQL) and can be reviewed individually by hand or incorporated into security tools. Each OVAL query is based on one or more CVE entries, and uses a community-developed schema. The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors, and security analysts for review, debate, and refinement. The resulting vulnerability content, in the form of approved OVAL queries for the supported platforms, is freely available over the Internet, and maintained by MITRE on the OVAL Web site (oval.mitre.org).

"OVAL solves the consistency problem," said Matthew N. Wojcik, MITRE senior information security engineer. "The queries provide a baseline for performing vulnerability assessments, and each query reflects the combined expertise of the broadest possible collection of security and system administration professionals. The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems."

"We're excited about OVAL's downstream potential," said Tasker. "This new effort will lead to enhanced vulnerability assessment tools and further innovations in information security."

MITRE (www.mitre.org) is a not-for-profit company that provides systems engineering, research and development, and information technology support to the government. Chartered to work in the public interest, MITRE operates federally funded research and development centers for the Department of Defense, the Federal Aviation Administration, and the Internal Revenue Service, with principal locations in Bedford, Massachusetts, and McLean, Virginia.

Page last updated: March 8, 2004