OVAL Support Declarations

Intro tbd.

Declarations

Altex-Soft

Declared January 30, 2012
www.altex-soft.com
www.altx-soft.ru

Web-Based OVAL Repository Database

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Vulnerability, Patch, and Compliance Assessment

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Beyond Security

Declared August 7, 2013
www.beyondsecurity.com

The beSECURE family of network Vulnerability Assessment and Web Application Security testing solutions are the most accurate and easiest to use in the industry. beSECURE uses OVAL to import benchmarks from the OVAL repository and user-developed XML files and to export assessment results files. beSECURE is available as a network appliance or hosted solution and will deliver layer 3-7 scanning to businesses and government units of any size. It will find, prioritize and manage the repair of security weaknesses in your network and web applications with the fastest setup and the least maintenance possible.

Vulnerability and Configuration Assessment and Management

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[X] Results Consumer
[X] System Characteristics Producer

BeyondTrust

Declared September 8, 2010
www.beyondtrust.com

BeyondTrust is an innovative leader in vulnerability and security research, providing security solutions that help businesses and users protect their systems and intellectual property from compromise.

Vulnerability Assessment

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[X] System Characteristics Producer

Center for Internet Security

Declared February 26, 2014
www.cisecurity.org

CIS-CAT is an SCAP-compliant, host-based configuration assessment tool primarily designed to perform compliance assessments against recommendations contained in CIS benchmarks. OVAL-based compliance content developed by third parties, such as DISA and NIST, is also supported by CIS-CAT for major Microsoft products, including Windows, Office, Internet Explorer, and SQL Server, as well as Red Hat Enterprise Linux platforms. CIS-CAT’s support for OVAL also affords users the ability to perform compliance, vulnerability, inventory, and patch assessments using content generated from numerous sources, including CIS, DISA, and NIST/USGCB, from a single tool.

Host-Based Configuration Assessment Tool

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[X] System Characteristics Producer

Cisco Systems, Inc.

Declared February 10, 2012
www.cisco.com

Traditionally, Cisco discloses information required for an end-user to assess the impact of a vulnerability and any potential steps needed to protect their environment. This information includes all the required technical information for customers to ascertain appropriate remedial action. OVAL provides a framework that allows vendors and their customers to determine if a software vulnerability or patch exists on a given system. Cisco is in the process of adopting OVAL for vulnerability disclosure. Cisco IOS security vulnerability OVAL content is currently supported. Additional products are being considered in the future.

Cisco Repository of OVAL Content

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Defense Information Systems Agency Field Security Operations (DISA FSO)

Declared July 18, 2012
iase.disa.mil/stigs/

DISA is adopting OVAL for leveraging enterprise compliance and vulnerability assessment for the U.S. Department of Defense (DoD). Utilizing COTS-based scan engines, DISA is transforming security requirements from prose-based documents to machine-readable content. This content utilizes the OVAL Language as a mechanism to determine results for secure net worthiness in the DoD while supporting the war fighter.

SCAP Content Repository

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Information-Technology Promotion Agency

Declared January 30, 2012
www.altex-soft.com
www.altx-soft.ru

IPA offers two products for JVN Security Content Automation Framework. Version Checker is an OVAL-based, free, easy-to-use scanner that allows people to easily check whether the software installed on their PC is the latest version. With just one mouse click, people can check the versions of multiple software. The results are easy to understand: a tick mark signifies the latest version and a cross mark signifies an obsolete version. If the software is not the latest version, users can easily access the vendor’s download website with just a few clicks. MyJVN API is a software interface to access and utilize vulnerability countermeasure information and OVAL repository stored in JVN and JVN iPedia. To enable application developers to use data through an open interface, JVN iPedia has adopted SCAP, a set of standards for describing vulnerability countermeasure information.

Vulnerability Assessment and Configuration Management

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Vulnerability Assessment

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Institute for Information Industry

Declared December 12, 2012
www.iii.org.tw

CSK controller performs automatic compliance auditing of each CSK agent on enterprise endpoints. It can check security misconfigurations, scan system and application vulnerabilities, and evaluate enterprise threats through baselines, which are in the context of XCCDF, based on enterprise demands or official compliance. CSK agent gathers all the security information, including system configurations, application weaknesses, and service status, on each endpoint. Moreover, CSK agent also sends the security content according to the OVAL and CCE definitions to the controller for generating the human-readable reports evaluated by CVSS and specified baselines (USGCB, MS-baselines).

Vulnerability Assessment, Configuration Management, Auditing and Centralized Audit Validation

[ ] Authoring Tool
[X] Definition Evaluator
[X] Definition Repository
[P] Results Consumer
[ ] System Characteristics Producer

Joval

Declared February 26, 2014
www.jovalcm.com

Open Source, Java-based OVAL Definition Interpreter

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[X] System Characteristics Producer

Nakamura Akihito

Declared January 14, 2011
github.com/nakamura5akihito
formerly under AIST at www.aist.go.jp

SIX OVAL is a free and open-source Java class library to build enterprise compliance/vulnerability management applications. The main parts are the OVAL domain model and object-XML/object-RDB data mapping. It also provides off-the-shelf server/client components including a repository of definitions and results at the central server, which can be searched from and posted to via a web service connection from any number of clients. The client is capable of getting definitions from the repository, evaluating the content on the local host, and reporting the results back to the central server.

Enterprise Compliance/Vulnerability Management

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

New Net Technologies, Ltd.

Declared May 30, 2014
www.nntws.com

NNT Change Tracker Enterprise provides continuous protection against known and emerging cyber security threats in an easy-to-use solution. NNT Change Tracker leverages OVAL Definitions to provide vulnerability and compliance assessments for a wide range of platforms and devices. Options are provided for both agent-based and agentless vulnerability scans of a wide range of database systems, operating systems, appliances and network devices. NNT Change Tracker is also a CIS Certified Vendor Product for CIS Benchmark Checklist validation.

Vulnerability and Compliance Assessment and Management, Host-Based Intrusion Detection

[ ] Authoring Tool
[X] Definition Evaluator
[P] Definition Repository
[P] Results Consumer
[X] System Characteristics Producer

OpenVAS

Declared July 6, 2012
www.openvas.org/

OpenVAS is a vulnerability management and vulnerability scanning software framework. A feed service allows regular updates of Network Vulnerability Tests (NVTs). The main security scan phase of the application collects security information about each host in the network being scanned. Subsequently, comprehensive OVAL-related processing is possible. This includes exporting system characteristics for the whole network, and applying the application's reporting framework according to OVAL Definitions.

Vulnerability Management

[ ] Authoring Tool
[P] Definition Evaluator
[ ] Definition Repository
[P] Results Consumer
[X] System Characteristics Producer

Red Hat, Inc.

Declared February 10, 2010
www.redhat.com

Red Hat was a founding board member of the OVAL project and has been publishing OVAL Vulnerability Definitions for Red Hat Enterprise Linux Security Advisories since 2006. This initiative forms part of our commitment to make the deployment of security ubiquitous through the use of industry-wide standards.

OVAL Definition Repository

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Resolver

Declared February 26, 2014
www.resolver.com

In order to promote open standards and leverage existing tools already deployed as authoritative sources of risk, threat, security, governance, and compliance audit details, Resolver’s big data risk management software platform, Resolver RiskVision, consumes OVAL Definitions, OVAL Results, and OVAL System Characteristics via its user interface or via data connectors. As a consumer of OVAL attributes, RiskVision supports OVAL 5.10.1 and prior versions. In addition, RiskVision accommodates SCAP in its ‘XCCDF and OVAL’ import tool.

Big Data Risk Management Software

[ ] Authoring Tool
[ ] Definition Evaluator
[ ] Definition Repository
[X] Results Consumer
[ ] System Characteristics Producer

SecPod Technologies

Declared December 10, 2010
www.secpod.com

SecPod is an information security research and development company offering services in the area of threat detection and management. SecPod supports OVAL, an open standard to provide security automation. SecPod SCAP Feed is a service providing Vulnerability, Inventory, Compliance, and Patch definitions covering the majority of the CVEs for various operating systems, enterprise servers, and applications. The feed, also hosted as a repository, is backed with professional support, can be integrated into vendor products, and can also be consumed by end users. SecPod Saner is a lightweight, easy-to-use, enterprise-grade vulnerability mitigation software that proactively assesses and secures endpoint systems. SecPod Saner adopts OVAL natively, consuming the SCAP feed from the SecPod SCAP Repo content repository.

OVAL Repository

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Vulnerability Management

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[X] System Characteristics Producer

SPAWAR Systems Center Atlantic

Declared February 25, 2010
www.public.navy.mil/spawar/Atlantic/

The SCAP Compliance Checker has adopted OVAL as part of the FDCC Scanner capabilities of SCAP Validation Program. SCAP Compliance Checker is able to process all four of OVAL’s schemas: the Definitions schema, the System Characteristics schema, the Results schema and the Variables schema. SCAP Compliance Checker processes the XCCDF content of a SCAP stream and extracts any variables that need to be imported into the OVAL engine. It then creates an XML file using the OVAL Variables schema that contains these variables. The OVAL engine later uses this file during OVAL processing. By using the industry standard OVAL schemas, SCAP Compliance Checker can share data with any tool that understands OVAL.

OVAL Definition Evaluator

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[X] System Characteristics Producer

SUSE

Declared February 28, 2014
www.secpod.com

Our customers need an index of fixed security incidents indexed by product, RPM package name, and version for use in their security compliance checking. As they are using a wide range of checking tools, inventing a new format would have caused unnecessary work on all sides. We have chosen to use the OVAL format for publishing this data, which is in our eyes the accepted industry standard format for this purpose.

Database

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Linux Patch and Configuration Management

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[X] Results Consumer
[X] System Characteristics Producer

ToolsWatch

Declared April 14, 2015
http://www.toolswatch.org/

SSA (Security System Analyzer) is a free, non-intrusive OVAL/XCCDF host-based security analyzer and compliance tool. It introduces a new simplified way to rely on open standards such as OVAL and XCCDF to report compliance issues. SSA has adopted the OVAL standard as part of its vulnerability validation process. As a result, SSA consumes the Definitions and solely relies on the OVAL and XCCDF interpreters. vFeed provides a full aggregated, cross-linked and standardized Vulnerability Database based on CVE and standards such as OVAL, CPE, CWE, CAPEC, CVSS etc. Therefore, it introduces a new simplified XML format that expands the vulnerability coverage and correlation around the CVE. vFeed has adopted OVAL as part of its correlation and aggregation capability. As a result, vFeed consumes the OVAL XML definitions, and extracts and maps variables to expand the CVE data.

Security Scanner and Compliance Assessment Software

[X] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[X] Results Consumer
[X] System Characteristics Producer

Vulnerability and Threats Database

[ ] Authoring Tool
[ ] Definition Evaluator
[X] Definition Repository
[X] Results Consumer
[ ] System Characteristics Producer

Tripwire, Inc.

Declared October 19, 2010
http://www.tripwire.com/

Tripwire provides a comprehensive suite of file integrity, policy compliance, and log and event management solutions. Tripwire Enterprise automates change detection and misconfiguration correction to reduce risk of exploits and breaches. Tripwire Enterprise provides SCAP functionality that includes the ability to process OVAL content.

Security Configuration Management

[ ] Authoring Tool
[X] Definition Evaluator
[ ] Definition Repository
[X] Results Consumer
[X] System Characteristics Producer

VMware

http://www.vmware.com/

OVAL Authoring Tool

[X] Authoring Tool
[ ] Definition Evaluator
[ ] Definition Repository
[ ] Results Consumer
[ ] System Characteristics Producer

Updating the List

To add to, remove from, or edit this list, please submit a pull request.