New Language Assesses Software Flaws | eWeek

New Language Assesses Software Flaws

Écrit par
Dennis Fisher
Dennis Fisher
Dec 11, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

The MITRE Corp. on Tuesday announced the availability of a new language designed to make it easier for researchers to define and explain the vulnerabilities that they find in software.

Known as the Open Vulnerability Assessment Language, the budding standard is built upon MITREs well-known description of vulnerabilities, the Common Vulnerabilities and Exposures database. Whenever a researcher finds a flaw in a software application, he can submit it to MITRE for consideration. If the organization finds that it is a new vulnerability, it is assigned a CVE candidate number, which identifies it as a unique problem.

Queries to the database are written in SQL (Structured Query Language) and can either be incorporated into security tools or reviewed by hand. Every OVAL query is based upon one or more CVE entries.

The query development process involves the submission of draft OVAL queries to a public forum that includes system administrators, software vendors and security analysts for review, debate and refinement. The end result is a mass of vulnerability data that is available to the entire Internet community on the MITRE Web site.

Despite the wide acceptance of the CVE format, there is a debate within the security community about what exactly qualifies as a vulnerability. Each software vendor seems to define vulnerabilities differently, which often leads to disputes among researchers and vendor representatives.

“OVAL solves the consistency problem,” said Matthew Wojcik, senior information security engineer at MITRE, based in Bedford, Mass. “The queries provide a baseline for performing vulnerability assessments, and each query reflects the combined expertise of the broadest possible collection of security and system administration professionals. The widespread availability of OVAL queries will provide the means for standardized vulnerability assessment and result in consistent and reproducible information assurance metrics from systems.”

MITRE is a not-for-profit company that works closely with the government on security and other issues.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.