US-CERT and OVAL

OVAL is sponsored by National Cyber Security Division (NCSD) at the U.S. Department of Homeland Security. OVAL provides its vulnerability content to US CERT and US-CERT uses this information and the CVE names upon which OVAL definitions are based to incorporate into its security advisories when possible.

What Is OVAL?

Open Vulnerability Assessment Language (OVAL™) is the common language for security experts to discuss and agree upon technical details about how to check for the presence of vulnerabilities on computer systems. The vulnerabilities are identified using gold-standard tests—OVAL vulnerability definitions in Extensible Markup Language (XML) and queries in Structured Query Language (SQL)—that can be utilized by end users or implemented in scanning tools.

Members of the information security community participate in the OVAL project by writing, reviewing, and discussing definitions on the OVAL Community Forum email list. This means OVAL vulnerability content reflects the insights and combined expertise of the broadest possible collection of security and system administration professionals.

An OVAL Board of representatives from industry, academia, and government organizations approves OVAL's baseline schema and evaluates and reviews definitions.

Platforms Supported

OVAL supports Windows, UNIX, and Linux. Numerous definitions are available for each platform as well as Definition Interpreters that can test a system for vulnerabilities. Definitions and downloads are updated regularly.