[ISN] New Language Assesses Software Flaws

From: InfoSec News (isnat_private)
Date: Fri Dec 13 2002 - 02:45:20 PST


    http://www.eweek.com/article2/0,3959,760032,00.asp
    
    By Dennis Fisher
    December 11, 2002 
    
    The MITRE Corp. on Tuesday announced the availability of a new
    language designed to make it easier for researchers to define and
    explain the vulnerabilities that they find in software.
    
    Known as the Open Vulnerability Assessment Language, the budding
    standard is built upon MITRE's well-known description of
    vulnerabilities, the Common Vulnerabilities and Exposures database.
    Whenever a researcher finds a flaw in a software application, he can
    submit it to MITRE for consideration. If the organization finds that
    it is a new vulnerability, it is assigned a CVE candidate number,
    which identifies it as a unique problem.
    
    Queries to the database are written in SQL (Structured Query Language)
    and can either be incorporated into security tools or reviewed by
    hand. Every OVAL query is based upon one or more CVE entries.
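    As an added illustration (not code from the article or from MITRE's OVAL project), the following Python script shows how a tool could embed an OVAL-style SQL query as the article describes: a constructed inventory table is loaded into SQLite, the query is tied to a placeholder CVE id, and the hosts running the affected package below its first fixed version are returned. The table layout, package name and versions are assumptions, not the real OVAL schema.

```python
import re
import sqlite3

# Constructed sample inventory (hypothetical column layout, not the OVAL
# schema): one row per installed package on each host.
SAMPLE_INVENTORY = [
    ("web01", "acmed", "1.2.3"),
    ("web02", "acmed", "1.2.5"),
    ("db01", "acmed", "1.3.0"),
    ("db01", "otherd", "0.9"),
]

# Hypothetical OVAL-style definition: the CVE id is a placeholder, and the
# query flags hosts running the affected package below its first fixed version.
OVAL_DEFINITION = {
    "cve": "CVE-XXXX-NNNN",  # placeholder, not a real identifier
    "package": "acmed",
    "fixed": "1.2.5",
}
OVAL_QUERY = """
SELECT host, package, version FROM installed_packages
WHERE package = :package AND version_cmp(version, :fixed) < 0
"""

def version_cmp(a, b):
    """Compare dotted versions numerically: -1 if a < b, 0 if equal, 1 if a > b."""
    def key(v):
        return [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in v.split(".")]
    ka, kb = key(a), key(b)
    width = max(len(ka), len(kb))
    ka += [0] * (width - len(ka))
    kb += [0] * (width - len(kb))
    return (ka > kb) - (ka < kb)

def build_inventory():
    """Load the constructed inventory into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("version_cmp", 2, version_cmp)  # string compare would misorder 1.10 vs 1.9
    conn.execute("CREATE TABLE installed_packages (host TEXT, package TEXT, version TEXT)")
    conn.executemany("INSERT INTO installed_packages VALUES (?, ?, ?)", SAMPLE_INVENTORY)
    return conn

def vulnerable_hosts(definition=OVAL_DEFINITION):
    """Run the definition's query and return (host, version) pairs that match."""
    conn = build_inventory()
    try:
        rows = conn.execute(OVAL_QUERY, definition).fetchall()
    finally:
        conn.close()
    return [(host, version) for host, _package, version in rows]

if __name__ == "__main__":
    for host, version in vulnerable_hosts():
        print(f"{OVAL_DEFINITION['cve']}: {host} runs {OVAL_DEFINITION['package']} {version}")
```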
    
    The query development process involves the submission of draft OVAL
    queries to a public forum that includes system administrators,
    software vendors and security analysts for review, debate and
    refinement. The end result is a mass of vulnerability data that is
    available to the entire Internet community on the MITRE Web site.
    
    Despite the wide acceptance of the CVE format, there is a debate
    within the security community about what exactly qualifies as a
    vulnerability. Each software vendor seems to define vulnerabilities
    differently, which often leads to disputes among researchers and
    vendor representatives.
    
    "OVAL solves the consistency problem," said Matthew Wojcik, senior
    information security engineer at MITRE, based in Bedford, Mass. "The
    queries provide a baseline for performing vulnerability assessments,
    and each query reflects the combined expertise of the broadest
    possible collection of security and system administration
    professionals. The widespread availability of OVAL queries will
    provide the means for standardized vulnerability assessment and result
    in consistent and reproducible information assurance metrics from
    systems."
    
    MITRE is a not-for-profit company that works closely with the
    government on security and other issues.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    