New Language Assesses Software Flaws
MITRE's new language makes it easier for researchers to define and explain the vulnerabilities they find in software.
The MITRE Corp. on Tuesday announced the availability of a new language designed to make it easier for researchers to define and explain the vulnerabilities that they find in software. Known as the Open Vulnerability Assessment Language, the budding standard is built upon MITRE's well-known description of vulnerabilities, the Common Vulnerabilities and Exposures database. Whenever a researcher finds a flaw in a software application, he can submit it to MITRE for consideration. If the organization finds that it is a new vulnerability, it is assigned a CVE candidate number, which identifies it as a unique problem. Queries to the database are written in SQL (Structured Query Language) and can either be incorporated into security tools or reviewed by hand. Every OVAL query is based upon one or more CVE entries.
The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors and security analysts for review, debate and refinement. The end result is a mass of vulnerability data that is available to the entire Internet community on the MITRE Web site.