New Language Assesses Software Flaws

Started by Metgod, December 22, 2002, 01:29:43 AM

Interesting concept, I think.. everyone else? I don't know how good it is or anything about it (first I heard), but.. hey, it's something new (I think).

Met


http://www.eweek.com/article2/0,3959,760032,00.asp

By Dennis Fisher
December 11, 2002

The MITRE Corp. on Tuesday announced the availability of a new
language designed to make it easier for researchers to define and
explain the vulnerabilities that they find in software.

Known as the Open Vulnerability Assessment Language, the budding
standard is built upon MITRE's well-known description of
vulnerabilities, the Common Vulnerabilities and Exposures database.  
Whenever a researcher finds a flaw in a software application, he can
submit it to MITRE for consideration. If the organization finds that
it is a new vulnerability, it is assigned a CVE candidate number,
which identifies it as a unique problem.

Queries to the database are written in SQL (Structured Query Language)  
and can either be incorporated into security tools or reviewed by
hand. Every OVAL query is based upon one or more CVE entries.

The query development process involves the submission of draft OVAL
queries to a public forum that includes system administrators,
software vendors and security analysts for review, debate and
refinement. The end result is a mass of vulnerability data that is
available to the entire Internet community on the MITRE Web site.

Despite the wide acceptance of the CVE format, there is a debate
within the security community about what exactly qualifies as a
vulnerability. Each software vendor seems to define vulnerabilities
differently, which often leads to disputes among researchers and
vendor representatives.

"OVAL solves the consistency problem," said Matthew Wojcik, senior
information security engineer at MITRE, based in Bedford, Mass. "The
queries provide a baseline for performing vulnerability assessments,
and each query reflects the combined expertise of the broadest
possible collection of security and system administration
professionals. The widespread availability of OVAL queries will
provide the means for standardized vulnerability assessment and result
in consistent and reproducible information assurance metrics from
systems."

MITRE is a not-for-profit company that works closely with the
government on security and other issues.

"My Terminal is my Soul"
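The article says an OVAL query is a piece of SQL, keyed to one or more CVE entries, that a tool or a human can run against a description of a system to decide whether a given vulnerability is present. As an added illustration of that idea (not code from the article, from MITRE or from OVAL itself), the block below builds a constructed package inventory and a table of CVE-keyed definitions in an in-memory SQLite database, and a single SQL query produces the findings. The table layout, the package names and versions and the `CVE-0000-000x (placeholder)` ids are all made up for the example; OVAL's real schema is not reproduced here.

```python
import re
import sqlite3

# Constructed sample inventory: (host, package, installed version).
# Hypothetical data, not taken from the article or from OVAL's real schema.
INVENTORY = [
    ("host-a", "openssh-server", "3.4p1-2"),
    ("host-a", "zlib", "1.1.4-1"),
    ("host-b", "openssh-server", "3.5p1-1"),
    ("host-b", "zlib", "1.1.3-5"),
]

# One definition per CVE id (placeholder ids, not real CVEs), naming the
# package and the first version that is no longer affected.
DEFINITIONS = [
    ("CVE-0000-0001 (placeholder)", "openssh-server", "3.5p1-1"),
    ("CVE-0000-0002 (placeholder)", "zlib", "1.1.4-1"),
]


def version_key(v):
    """Split a version string into its integer runs: '3.4p1-2' -> (3, 4, 1, 2).
    Simplification: real package managers (rpm, dpkg) order versions with
    more elaborate rules; this is enough for the constructed data above."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a, b):
    """SQL-callable helper: 1 if installed version a sorts before fixed version b."""
    return int(version_key(a) < version_key(b))


# The assessment itself is plain SQL: a host is flagged for a CVE when it has
# the named package installed at a version older than the fixed version.
ASSESSMENT_QUERY = """
SELECT d.cve_id, i.host, i.package, i.version
FROM inventory AS i
JOIN definitions AS d ON d.package = i.package
WHERE version_lt(i.version, d.fixed_version)
ORDER BY d.cve_id, i.host
"""


def build_db(inventory=INVENTORY, definitions=DEFINITIONS):
    """Load the inventory and definitions into an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    # Register the Python comparison so the query text can call it.
    con.create_function("version_lt", 2, version_lt)
    con.executescript("""
        CREATE TABLE inventory(host TEXT, package TEXT, version TEXT);
        CREATE TABLE definitions(cve_id TEXT, package TEXT, fixed_version TEXT);
    """)
    con.executemany("INSERT INTO inventory VALUES (?, ?, ?)", inventory)
    con.executemany("INSERT INTO definitions VALUES (?, ?, ?)", definitions)
    return con


def assess(con):
    """Run the assessment query and return one finding per (CVE, host) hit."""
    return [
        {"cve": cve, "host": host, "package": pkg, "version": ver}
        for cve, host, pkg, ver in con.execute(ASSESSMENT_QUERY)
    ]


if __name__ == "__main__":
    for finding in assess(build_db()):
        print(finding)
```

Because the definition is a query over data rather than a prose advisory, two people running it against the same inventory get the same answer, which is the reproducibility point Wojcik makes in the article. The weak spot in practice is the version comparison: the digit-run ordering used here would misjudge epochs, pre-release tags and distribution backports, so a real implementation has to use the package manager's own comparison rules.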

Yeah, that IS really cool and interesting. That's worth looking into...hmmm...

Yep. We'll just have to wait and see...


Met
"My Terminal is my Soul"
