[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] New Language Assesses Software Flaws


By Dennis Fisher
December 11, 2002 

The MITRE Corp. on Tuesday announced the availability of a new
language designed to make it easier for researchers to define and
explain the vulnerabilities that they find in software.

Known as the Open Vulnerability Assessment Language, the budding
standard is built upon MITRE's well-known description of
vulnerabilities, the Common Vulnerabilities and Exposures database.  
Whenever a researcher finds a flaw in a software application, he can
submit it to MITRE for consideration. If the organization finds that
it is a new vulnerability, it is assigned a CVE candidate number,
which identifies it as a unique problem.

Queries to the database are written in SQL (Structured Query Language)  
and can either be incorporated into security tools or reviewed by
hand. Every OVAL query is based upon one or more CVE entries.

The query development process involves the submission of draft OVAL
queries to a public forum that includes system administrators,
software vendors and security analysts for review, debate and
refinement. The end result is a mass of vulnerability data that is
available to the entire Internet community on the MITRE Web site.

Despite the wide acceptance of the CVE format, there is a debate
within the security community about what exactly qualifies as a
vulnerability. Each software vendor seems to define vulnerabilities
differently, which often leads to disputes among researchers and
vendor representatives.

"OVAL solves the consistency problem," said Matthew Wojcik, senior
information security engineer at MITRE, based in Bedford, Mass. "The
queries provide a baseline for performing vulnerability assessments,
and each query reflects the combined expertise of the broadest
possible collection of security and system administration
professionals. The widespread availability of OVAL queries will
provide the means for standardized vulnerability assessment and result
in consistent and reproducible information assurance metrics from

MITRE is a not-for-profit company that works closely with the
government on security and other issues.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@xxxxxxxxxxxxx with 'unsubscribe isn'
in the BODY of the mail.