US-CERT and OVAL

 

What is OVAL?

Open Vulnerability Assessment Language (OVAL™) is sponsored by the National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. OVAL provides its vulnerability content to US-CERT, which incorporates this information, together with the CVE names upon which OVAL definitions are based, into its security advisories when possible. OVAL is the common language for security experts to discuss and agree upon technical details about how to check for the presence of vulnerabilities on computer systems. The vulnerabilities are identified using gold-standard tests (OVAL vulnerability definitions in Extensible Markup Language (XML) and queries in Structured Query Language (SQL)) that can be utilized by end users or implemented in scanning tools.

Members of the information security community participate in the OVAL project by writing, reviewing, and discussing definitions on the OVAL Community Forum email list. This means OVAL vulnerability content reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals.

An OVAL Board of representatives from industry, academia, and government organizations approves OVAL's baseline schema and evaluates and reviews definitions.

OVAL is

  • an international, information security community baseline standard for how to check for the presence of vulnerabilities and configuration issues on computer systems.
  • a three-level vulnerability handling method consisting of a characteristics schema for collecting configuration data from systems for testing; a set of definitions to test for the presence of specific vulnerabilities, configuration issues, and/or patches; and a schema for reporting the results from the evaluated systems.
  • free to the public on the OVAL Web site.