New Language Assesses Software Flaws

MITRE's new language makes it easier for researchers to define and explain the vulnerabilities they find in software.

The MITRE Corp. on Tuesday announced the availability of a new language designed to make it easier for researchers to define and explain the vulnerabilities that they find in software.

Known as the Open Vulnerability Assessment Language, the budding standard is built upon MITREs well-known description of vulnerabilities, the Common Vulnerabilities and Exposures database. Whenever a researcher finds a flaw in a software application, he can submit it to MITRE for consideration. If the organization finds that it is a new vulnerability, it is assigned a CVE candidate number, which identifies it as a unique problem.

Queries to the database are written in SQL (Structured Query Language) and can either be incorporated into security tools or reviewed by hand. Every OVAL query is based upon one or more CVE entries.

The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors and security analysts for review, debate and refinement. The end result is a mass of vulnerability data that is available to the entire Internet community on the MITRE Web site.

Despite the wide acceptance of the CVE format, there is a debate within the security community about what exactly qualifies as a vulnerability. Each software vendor seems to define vulnerabilities differently, which often leads to disputes among researchers and vendor representatives.

"OVAL solves the consistency problem," said Matthew Wojcik, senior information security engineer at MITRE, based in Bedford, Mass. "The queries provide a baseline for performing vulnerability assessments, and each query reflects the combined expertise of the broadest possible collection of security and system administration professionals. The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems."

MITRE is a not-for-profit company that works closely with the government on security and other issues.