Running multiple vulnerability assessment programs allows you to detect vulnerabilities that may have been missed, but it often results in conflicting reports. One tool says a given vulnerability is present, while another doesn't. The Open Vulnerability Assessment Language (OVAL) project, headed by nonprofit MITRE and funded by the Department of Homeland Security's U.S.-CERT, is being developed as a standardized process by which security tool creators, operating system vendors and security professionals test systems for exploitable vulnerabilities. XML-based OVAL leverages MITRE's Common Vulnerabilities and Exposures (CVE) initiative, a standardized registry of known vulnerabilities and security exposures. It gives security managers the ability to test for a particular CVE vulnerability in OVAL-compliant applications and platforms. OVAL will tell testers whether vulnerable software is installed and, if so, whether it has a vulnerable configuration. OVAL provides a schema that describes the platforms and presents a query customized to each vulnerability that determines whether a machine is at risk.
While OVAL may seem like a theoretical exercise, it has already generated results. MITRE offers the language and free vulnerability definitions for Linux, Solaris and Windows and a proof-of-concept, host-based vulnerability assessment tool under the open-source GPL license. This command-line tool can check a system for vulnerabilities with definitions downloaded from the project site or supplied by users. The most exciting prospect is that the OVAL interpreter may become a standard component shipped with any operating system. It would be a welcome complement to many Linux distributions, which ship with security tools like Nmap, Snort and Nessus.
OVAL's system characteristics schema allows OVAL-compliant tools to capture a configuration snapshot of a system and make checks against it. Putting such configurations into XML-based OVAL facilitates the development and maintenance of the Center for Internet Security's auditing tools and creates a programmatic tie-in between benchmark documents and those tools. There's even a schema that the interpreter uses to store the results of each test, making it possible for third-party vulnerability management consoles to pull in OVAL-related information.
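The three schemas described above (a definition keyed to a CVE, a system-characteristics snapshot, and a results document) fit together as in the following added example, which is not MITRE's interpreter or any OVAL code: it is a toy evaluator over a deliberately simplified, constructed XML subset whose tag names and ids are assumptions rather than the real OVAL schema.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified definition modelled on OVAL's definitions schema: a
# "vulnerability" definition whose criteria reference tests; each test names the
# affected package and the version that fixed it. (Real OVAL splits a test into
# object and state elements; these tags are an illustrative subset, not the schema.)
DEFINITIONS_XML = """<oval_definitions>
  <definition id="oval:example:def:1" class="vulnerability">
    <metadata><title>Constructed example</title><reference ref_id="CVE-YYYY-NNNN"/></metadata>
    <criteria operator="OR">
      <criterion test_ref="oval:example:tst:1"/>
      <criterion test_ref="oval:example:tst:2"/>
    </criteria>
  </definition>
  <test id="oval:example:tst:1" package="openssl" fixed_version="0.9.8"/>
  <test id="oval:example:tst:2" package="libpng" fixed_version="1.2.6"/>
</oval_definitions>"""

# Constructed system-characteristics snapshot: the packages a host reports installed.
SYSTEM_XML = """<system_characteristics>
  <package name="openssl" version="0.9.7"/>
  <package name="bash" version="3.0"/>
</system_characteristics>"""

def version_key(v):
    """'0.9.10' -> (0, 9, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))

def evaluate_test(test, installed):
    """True only if the package is present AND older than the fixed version."""
    version = installed.get(test.get("package"))
    if version is None:
        return False  # not installed: this test cannot mark the host vulnerable
    return version_key(version) < version_key(test.get("fixed_version"))

def evaluate_criteria(criteria, tests, installed):
    """Combine child results with the operator (AND/OR); nested <criteria> recurse."""
    results = [evaluate_test(tests[c.get("test_ref")], installed) if c.tag == "criterion"
               else evaluate_criteria(c, tests, installed) for c in criteria]
    return all(results) if criteria.get("operator", "AND") == "AND" else any(results)

def evaluate(definitions_xml, system_xml):
    """Results document in miniature: definition id -> whether the host is vulnerable."""
    defs = ET.fromstring(definitions_xml)
    installed = {p.get("name"): p.get("version") for p in ET.fromstring(system_xml)}
    tests = {t.get("id"): t for t in defs.findall("test")}
    return {d.get("id"): evaluate_criteria(d.find("criteria"), tests, installed)
            for d in defs.findall("definition")}
```

Because the snapshot is separate from the definitions, the same host capture can be re-evaluated against newly downloaded definitions without touching the machine again, which is the decoupling the system-characteristics schema is meant to provide.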
The OVAL board, which includes members from Red Hat, Debian, Microsoft, Cisco Systems and Symantec, as well as government and nonprofit groups, creates and approves vulnerability tests and steers the language's refinement. MITRE is creating the first draft for vulnerability tests, but Debian's Javier Fernández-Sanguino Peña has already seeded the effort with automatically generated tests for Debian vulnerabilities; Red Hat's Mark Cox has created the first draft of a Linux specification. The open-source community will likely aid and accelerate the development of Linux tests.
OVAL promises to improve the quality of our vulnerability assessment tests as the vendors analyze and critique them, and allow end users to create new tests. The best way to support this effort is to look at the language, try the vulnerability assessment tool and push your vendors towards OVAL compatibility.
About the author:
Jay Beale works for Intelguardians, a security consulting firm, and is the author of Bastille Linux. He's also the editor for the Syngress Open Source Security series.