What Is OVAL? A Community-Driven Vulnerability Management Brain!
OVAL helps sysadmins check endpoints for software vulnerabilities, security settings compliance, app inventory, and patch levels.
The Open Vulnerability and Assessment Language (OVAL®) is a critical component of most enterprise’s endpoint cybersecurity operations. While OVAL doesn’t do anything itself, it enables a thriving ecosystem that IT professionals have come to depend on for endpoint vulnerability management. The ecosystem consists of:
- The OVAL XML language standard itself.
- A community of repositories holding current vulnerability assessment definitions.
- Tools and services vendors and developers who build solutions leveraging OVAL and community repositories.
Put another way: OVAL helps sysadmins check endpoints for software vulnerabilities, security settings compliance, app inventory, and patch levels.
So, Wait, Why Does OVAL Even Exist!?
Before OVAL arrived on the scene, each vendor or organization developing a vulnerability management solution used a proprietary format. The security community had no easy way to share information about the latest vulnerabilities.
OVAL provides a standard for expressing common classes of vulnerability management information. In OVAL parlance, each complete unit of information is called a definition. A collection of definitions is called a repository.
What Exactly Is an OVAL Definition?
Definitions are XML documents created using the OVAL core XML schema.
An XML schema is a definition for an XML document. The core OVAL schema (5.11.2) was committed to the repository on Dec. 13, 2016. You can get it at the OVAL GitHub. The fact that the schema hasn’t changed in over two years tells you that OVAL is an extremely stable standard, and you won’t need to spend a lot of time keeping up with it.
New definitions are being released almost constantly because that’s the whole point! OVAL is a stable format; what changes is the content written in it, so you can always obtain the latest vulnerability checks and run them against your endpoints.
An OVAL definition includes:
- Metadata: the OVAL-ID (unique ID for each definition), status (draft, interim, accepted), source (CVE or other source), author(s), and additional metadata.
- High-level summary: the OS and various information such as the file name, app version, patch status, configuration settings, etc.
- Detailed definition: the guts of the logic to satisfy the assessment.
OVAL provides for five classes of definitions:
- Vulnerability definitions check for known vulnerabilities on a system.
- Compliance definitions will verify whether or not a system’s configuration satisfies a security policy.
- Inventory definitions look for various types of software on a system, from small pieces to full apps.
- Patch definitions will test to see if a given patch is appropriate for a system.
- Miscellaneous definitions cover everything else.
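The structure described above (metadata, affected platform, references, a status, and the criteria that point at tests) is easiest to see by walking a definition document with a parser. The following is an added example, not code from this article or from the OVAL project. The sample XML is constructed for the example and follows the OVAL 5.x definitions layout as I understand it: the namespace URI, element and attribute names are assumptions to check against the published schema, and the CVE identifier is a placeholder. Besides summarizing each definition and tallying them by class, it performs the integrity check a practitioner wants before loading third-party content: every `test_ref` in a definition's criteria must resolve to a test declared in the same document.

```python
"""Parse a small OVAL definitions document: list each definition's metadata,
class, status and referenced tests, then flag test references that resolve
to nothing. Added example, not code from the article or the OVAL project.
The sample XML is constructed and follows the OVAL 5.x layout as the author
understands it (namespace URIs, element and attribute names are assumptions
to check against the published schema); the CVE id is a placeholder."""
from collections import Counter
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"  # assumed namespace
NS = {"d": OVAL_DEF}

# Constructed sample: a vulnerability definition that extends an inventory definition,
# plus a compliance definition whose criterion names a test never declared in <tests>.
SAMPLE_OVAL = """<oval_definitions xmlns="%s" xmlns:win="%s#windows">
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="vulnerability">
      <metadata>
        <title>Example product before version 2.0 (constructed)</title>
        <affected family="windows"><platform>Microsoft Windows 10</platform></affected>
        <reference source="CVE" ref_id="CVE-YYYY-NNNN"/>
        <description>Placeholder flaw in a fictional product.</description>
        <oval_repository><status>ACCEPTED</status></oval_repository>
      </metadata>
      <criteria operator="AND">
        <extend_definition definition_ref="oval:org.example:def:2" comment="product installed"/>
        <criterion test_ref="oval:org.example:tst:2" comment="version is below 2.0"/>
      </criteria>
    </definition>
    <definition id="oval:org.example:def:2" version="1" class="inventory">
      <metadata>
        <title>Example product is installed (constructed)</title>
        <affected family="windows"><platform>Microsoft Windows 10</platform></affected>
        <oval_repository><status>DRAFT</status></oval_repository>
      </metadata>
      <criteria><criterion test_ref="oval:org.example:tst:1" comment="install key exists"/></criteria>
    </definition>
    <definition id="oval:org.example:def:3" version="1" class="compliance">
      <metadata>
        <title>Dangling reference (constructed)</title>
        <affected family="windows"><platform>Microsoft Windows 10</platform></affected>
        <oval_repository><status>INTERIM</status></oval_repository>
      </metadata>
      <criteria><criterion test_ref="oval:org.example:tst:99" comment="missing test"/></criteria>
    </definition>
  </definitions>
  <tests>
    <win:registry_test id="oval:org.example:tst:1" version="1" check="at least one" comment="install key exists">
      <win:object object_ref="oval:org.example:obj:1"/>
    </win:registry_test>
    <win:registry_test id="oval:org.example:tst:2" version="1" check="at least one" comment="version below 2.0">
      <win:object object_ref="oval:org.example:obj:2"/>
      <win:state state_ref="oval:org.example:ste:1"/>
    </win:registry_test>
  </tests>
</oval_definitions>
""" % (OVAL_DEF, OVAL_DEF)

def _text(elem, path):
    """Stripped text of the first match of path under elem, or None."""
    found = elem.find(path, NS)
    return found.text.strip() if found is not None and found.text else None

def summarize_definitions(xml_text):
    """One dict per <definition>: metadata plus the tests and definitions it references."""
    out = []
    for defn in ET.fromstring(xml_text).findall("d:definitions/d:definition", NS):
        meta = defn.find("d:metadata", NS)
        # criterion/extend_definition may sit in nested <criteria>, so walk the whole subtree
        criteria = defn.find("d:criteria", NS)
        if criteria is None:
            criteria = ET.Element("empty")
        out.append({
            "id": defn.get("id"),
            "class": defn.get("class"),
            "title": _text(meta, "d:title"),
            "platform": _text(meta, "d:affected/d:platform"),
            "status": _text(meta, "d:oval_repository/d:status"),
            "references": [r.get("ref_id") for r in meta.findall("d:reference", NS)],
            "test_refs": [c.get("test_ref") for c in criteria.iter("{%s}criterion" % OVAL_DEF)],
            "extends": [e.get("definition_ref") for e in criteria.iter("{%s}extend_definition" % OVAL_DEF)],
        })
    return out

def count_by_class(xml_text):
    """Tally definitions per OVAL class (vulnerability, compliance, inventory, patch, miscellaneous)."""
    return dict(Counter(s["class"] for s in summarize_definitions(xml_text)))

def find_dangling_test_refs(xml_text):
    """definition id -> test_refs not declared under <tests>; empty dict means every reference resolves."""
    tests = ET.fromstring(xml_text).find("d:tests", NS)
    declared = {t.get("id") for t in tests} if tests is not None else set()
    dangling = {}
    for s in summarize_definitions(xml_text):
        missing = [ref for ref in s["test_refs"] if ref not in declared]
        if missing:
            dangling[s["id"]] = missing
    return dangling
```

Running `find_dangling_test_refs(SAMPLE_OVAL)` reports the third definition, whose criterion points at `oval:org.example:tst:99`; a scanner handed such a document would either error out or silently skip that check, so refusing content with unresolved references is a cheap guard against truncated or hand-edited repositories. The `extends` field shows the other structural feature worth knowing: a vulnerability definition commonly reuses an inventory definition (is the product installed at all?) rather than repeating its tests.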
Who Manages the Repositories?
A community of vendors and other organizations manages the sphere of OVAL repositories.
The Center for Internet Security (CIS) manages the official OVAL Repository.
The U.S. National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) maintains a very large repository under the Security Content Automation Protocol (SCAP) project. Red Hat maintains their own, as does Cisco. These are just a few examples. For a full list, get involved in the OVAL community. A great place to start is the OVAL Documentation GitHub.
What Operating Systems and Platforms Does OVAL Support?
OVAL does not include or exclude OSes. Each repository will have definitions for the endpoints and software that match its purpose. Statistics for the primary repository, the one CIS runs, show that it holds primarily Windows and Unix/Linux definitions, followed by Cisco IOS.
Just as OVAL is OS agnostic, it is device agnostic. That is, OVAL is not limited to specific types or makes of devices. Definitions can be created for servers, desktops, laptops, mobile devices, routers, etc.
Looking Beyond Today’s OVAL Tools
Vulnerability assessment solutions tend to lack the ability to remediate vulnerabilities once they are found. For automated remediation, you may want to investigate tools like Adaptiva’s new Evolve VM. It uses OVAL definitions and other features to check a system’s health, compliance, and vulnerabilities, but where it really shines is that it can automate the remediation. Whatever tools you use, be sure to factor remediation into your VM operations. Enterprise admins need to be able to rapidly fix vulnerabilities at scale when they find them.
Join the Circle of OVAL
OVAL is a deep, deep topic, and we’ve just scratched the surface here. If you want to learn more, I recommend starting with the OVAL Project GitHub FAQ. Whether you use OVAL directly or select solutions that use the OVAL language and/or repositories, it’s almost certainly going to play a role in your VM future.
Opinions expressed by DZone contributors are their own.