The Mitre Corp. last week announced the availability of a new language designed to make it easier for researchers to define and explain vulnerabilities found in software.
Known as OVAL (Open Vulnerability Assessment Language), the budding standard is built on Mitres well-known description of vulnerabilities, the CVE (Common Vulnerabilities and Exposures) database. Whenever a researcher finds a flaw in a software application, he or she can submit it to Mitre for consid- eration. If the organization finds it is a new vulnerability, it is assigned a CVE candidate number, which identifies it as a unique problem.
Queries to the database are written in SQL and can be incorporated into security tools or reviewed by hand. Every OVAL query is based on one or more CVE entries.
The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors and security analysts for review, debate and refinement. The result is a mass of vulnerability data available to the entire Internet community.
"OVAL solves the consistency problem," said Matthew Wojcik, senior information security engineer at Mitre, based in Bedford, Mass.
"The queries provide a base line for performing vulnerability assessments, and each query reflects the combined expertise of the broadest-possible collection of security and system administration professionals," Wojcik said.
Mitre is a not-for-profit company that works closely with the government on security and other issues.