.. _oval-support-declarations:

OVAL Support Declarations
=========================

Intro tbd.

Declarations
------------

Altex-Soft
^^^^^^^^^^

| *Declared January 30, 2012*
| *www.altex-soft.com*
| *www.altx-soft.ru*
|
| `Altex-Soft OVALdb `_
| *Web-Based OVAL Repository Database*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|
| `RedCheck `_
| *Vulnerability, Patch, and Compliance Assessment*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Beyond Security
^^^^^^^^^^^^^^^

| *Declared August 7, 2013*
| *www.beyondsecurity.com*
|
| The beSECURE family of network Vulnerability Assessment and Web Application Security testing solutions are the most accurate and easiest to use in the industry. beSECURE uses OVAL to import benchmarks from the OVAL repository and user-developed XML files and to export assessment results files. beSECURE is available as a network appliance or hosted solution and will deliver layer 3-7 scanning to businesses and government units of any size. It will find, prioritize and manage the repair of security weaknesses in your network and web applications with the fastest setup and the least maintenance possible.
|
| `beSECURE `_
| *Vulnerability and Configuration Assessment and Management*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [X] Results Consumer
| [X] System Characteristics Producer
|

BeyondTrust
^^^^^^^^^^^

| *Declared September 8, 2010*
| *www.beyondtrust.com*
|
| BeyondTrust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise.
|
| `Retina Network Security Scanner `_
| *Vulnerability Assessment*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [X] System Characteristics Producer
|

Center for Internet Security
^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared February 26, 2014*
| *www.cisecurity.org*
|
| CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL server, as well as Red Hat Enterprise Linux platforms. CIS-CAT's support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.
|
| `Center for Internet Security Configuration Assessment Tool (CIS-CAT) `_
| *Host-Based Configuration Assessment Tool*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [X] System Characteristics Producer
|

Cisco Systems, Inc.
^^^^^^^^^^^^^^^^^^^

| *Declared February 10, 2012*
| *www.cisco.com*
|
| Traditionally, Cisco discloses information required for an end-user to assess the impact of a vulnerability and any potential steps needed to protect their environment. This information includes all the required technical information for customers to ascertain appropriate remedial action. OVAL provides a framework that allows vendors and their customers to determine if a software vulnerability or patch exists on a given system. Cisco is in the process of adopting OVAL for vulnerability disclosure. Cisco IOS security vulnerability OVAL content is currently supported. Additional products are being considered in the future.
|
| `Cisco PSIRT Security Advisories and Vulnerability Disclosures `_
| *Cisco Repository of OVAL Content*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Defense Information Systems Agency Field Security Operations (DISA FSO)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared July 18, 2012*
| *iase.disa.mil/stigs/*
|
| DISA is adopting OVAL for leveraging enterprise compliance and vulnerability assessment for the U.S. Department of Defense (DoD). Utilizing COTS-based scan engines, DISA is transforming security requirements from prose base documents to machine readable content. This content utilizes the OVAL Language as a mechanism to determine results for secure net worthiness in the DoD while supporting the war fighter.
|
| `DoD SCAP Content Repository `_
| *SCAP Content Repository*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Information-Technology Promotion Agency
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared January 30, 2012*
| *www.altex-soft.com*
| *www.altx-soft.ru*
|
| IPA offers two products for JVN Security Content Automation Framework. Version Checker is an OVAL-based, free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor's download website with just a few clicks. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.
|
| `MyJVN API `_
| *Vulnerability Assessment and Configuration Management*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|
| `MyJVN Version Checker `_
| *Vulnerability Assessment*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Institute for Information Industry
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared December 12, 2012*
| *www.iii.org.tw*
|
| CSK controller performs automatic compliance auditing to each CSK agent on enterprise endpoints. It can check security misconfigurations, scan systems and application vulnerabilities, evaluate enterprise threats through the baselines which are in the context of XCCDF based on enterprise demands or official compliance. CSK agent gathers all the security information including system configurations, application weakness, service status on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).
|
| `Crystal Security Keeper `_
| *Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [X] Definition Repository
| [P] Results Consumer
| [ ] System Characteristics Producer
|

Joval
^^^^^

| *Declared February 26, 2014*
| *www.jovalcm.com*
|
| `Joval Continuous Monitoring `_
| *Open Source, Java-based OVAL Definition Interpreter*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [X] System Characteristics Producer
|

Nakamura Akihito
^^^^^^^^^^^^^^^^

| *Declared January 14, 2011*
| *github.com/nakamura5akihito*
| *formerly under AIST at www.aist.go.jp*
|
| SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.
|
| `SIX OVAL `_
| *Enterprise Compliance/Vulnerability Management*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Naval Information Warfare Center (NIWC) Atlantic
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared February 25, 2010*
| *https://www.niwcatlantic.navy.mil/Technology/SCAP/*
|
| The SCAP Compliance Checker (SCC) is a SCAP 1.3 Validated Authenticated Configuration Scanner, with support for SCAP versions 1.0, 1.1, 1.2 and 1.3, and an Open Vulnerability Assessment Language (OVAL) adopter, capable of performing compliance verification using SCAP content, and authenticated vulnerability scanning using OVAL content.
|
| `SCAP Compliance Checker `_
| *OVAL Definition Evaluator*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [X] System Characteristics Producer
|

New Net Technologies, Ltd.
^^^^^^^^^^^^^^^^^^^^^^^^^^

| *Declared May 30, 2014*
| *www.nntws.com*
|
| NNT Change Tracker Enterprise provides continuous protection against known and emerging cyber security threats in an easy to use solution. NNT Change Tracker leverages OVAL Definitions to provide vulnerability and compliance assessments for a wide range of platforms and devices. Options provided for both agent-based and agentless vulnerability scans of a wide range of database systems, operating systems, appliances and network devices. NNT Change Tracker is also a CIS Certified Vendor Product for CIS Benchmark Checklist validation.
|
| `NNT Change Tracker `_
| *Vulnerability and Compliance Assessment and Management, Host-Based Intrusion Detection*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [P] Definition Repository
| [P] Results Consumer
| [X] System Characteristics Producer
|

OpenVAS
^^^^^^^

| *Declared July 6, 2012*
| *www.openvas.org/*
|
| OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability Tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. This includes exporting system characteristics for the whole network, and applying the application's reporting framework according to OVAL Definitions.
|
| `OpenVAS `_
| *Vulnerability Management*
|
| [ ] Authoring Tool
| [P] Definition Evaluator
| [ ] Definition Repository
| [P] Results Consumer
| [X] System Characteristics Producer
|

Red Hat, Inc.
^^^^^^^^^^^^^

| *Declared February 10, 2010*
| *www.redhat.com*
|
| Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.
|
| `Red Hat Security Advisories `_
| *OVAL Definition Repository*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Resolver
^^^^^^^^

| *Declared February 26, 2014*
| *www.resolver.com*
|
| In order to promote open standards and leveraging existing tools already deployed as authoritative sources of risk, threat, security, governance, and compliance audit details, Resolver's big data risk management software platform, Resolver RiskVision, consumes OVAL Definitions, OVAL Results, and OVAL System Characteristics via its user interface or via data connectors. As a consumer of OVAL attributes, RiskVision supports OVAL 5.10.1 and prior versions. In addition, RiskVision accommodates SCAP in its 'XCCDF and OVAL' import tool.
|
| `Resolver RiskVision `_
| *Big Data Risk Management Software*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [ ] Definition Repository
| [X] Results Consumer
| [ ] System Characteristics Producer
|

SecPod Technologies
^^^^^^^^^^^^^^^^^^^

| *Declared December 10, 2010*
| *www.secpod.com*
|
| SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering the majority of the CVEs for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and also consumed by end users. SecPod Saner is a light-weight, easy-to-use enterprise grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively consuming the SCAP feed from the SecPod SCAP Repo content repository.
|
| `SecPod SCAP Feed `_
| *OVAL Repository*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|
| `SecPod Saner `_
| *Vulnerability Management*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [X] System Characteristics Producer
|

SUSE
^^^^

| *Declared February 28, 2014*
| *www.secpod.com*
|
| Our customers need an index of fixed security incidents indexed by product, RPM package name, and version for use in their security compliance checking. As they are using a wide range of checking tools, inventing a new format would have caused unnecessary work on all sides. We have chosen to use the OVAL format for publishing this data, which is in our eyes the accepted industry standard format for this purpose.
|
| `SUSE Linux Enterprise OVAL Information `_
| *Database*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|
| `SUSE Manager 1.7 `_
| *Linux Patch and Configuration Management*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [X] Results Consumer
| [X] System Characteristics Producer
|

ToolsWatch
^^^^^^^^^^

| *Declared April 14, 2015*
| *http://www.toolswatch.org/*
|
| SSA (Security System Analyzer) is a free, non-intrusive OVAL/XCCDF host-based security analyzer and compliance tool. It introduces a new simplified way to rely on open standards such as OVAL and XCCDF to report compliance issues. SSA has adopted the OVAL standard as part of its vulnerability validation process. As a result, SSA consumes the Definitions and solely relies on the OVAL and XCCDF interpreters. vFeed provides a full aggregated, cross-linked and standardized Vulnerability Database based on CVE and standards such as OVAL, CPE, CWE, CAPEC, CVSS etc. Therefore, it introduces a new simplified XML format that expands the vulnerability coverage and correlation around the CVE. vFeed has adopted the OVAL as part of its correlation and aggregation capability. As a result, vFeed consumes the OVAL XML definitions, extracts and maps variables to expand the CVEs data.
|
| `SSA - Security System Analyzer `_
| *Security Scanner and Compliance Assessment Software*
|
| [X] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [X] Results Consumer
| [X] System Characteristics Producer
|
| `vFeed API and Vulnerability Database Community `_
| *Vulnerability and Threats Database*
|
| [ ] Authoring Tool
| [ ] Definition Evaluator
| [X] Definition Repository
| [X] Results Consumer
| [ ] System Characteristics Producer
|

Tripwire, Inc.
^^^^^^^^^^^^^^

| *Declared October 19, 2010*
| *http://www.tripwire.com/*
|
| Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and misconfiguration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.
|
| `Tripwire Enterprise `_
| *Security Configuration Management*
|
| [ ] Authoring Tool
| [X] Definition Evaluator
| [ ] Definition Repository
| [X] Results Consumer
| [X] System Characteristics Producer
|

VMware
^^^^^^

| *http://www.vmware.com/*
|
| `Enhanced SCAP Content Editor `_
| *OVAL Authoring Tool*
|
| [X] Authoring Tool
| [ ] Definition Evaluator
| [ ] Definition Repository
| [ ] Results Consumer
| [ ] System Characteristics Producer
|

Updating the List
-----------------

To add to, remove from, or edit this list, please submit a pull request.