What is OVAL? A Community-Driven Vulnerability Management Brain!


The Open Vulnerability and Assessment Language (OVAL®) is a critical component of most enterprises’ endpoint cybersecurity operations. While OVAL doesn’t do anything itself, it enables a thriving ecosystem that IT professionals have come to depend on for endpoint vulnerability management. The ecosystem consists of:

  1. The OVAL XML language standard
  2. A community of repositories holding current vulnerability assessment definitions
  3. Tools and services vendors and developers who build solutions leveraging OVAL and community repositories

Put another way: OVAL helps sysadmins check endpoints for software vulnerabilities, security settings compliance, app inventory, and patch-levels.

So, Wait, Why Does OVAL Even Exist!?

Before OVAL arrived on the scene, each vendor or organization developing a vulnerability management solution used a proprietary format. The security community had no easy way to share information about the latest vulnerabilities. .

OVAL provides a standard for expressing common classes of vulnerability management information. In OVAL parlance, each complete unit of information is called a definition. A collection of definitions is called repository.

What Exactly is an OVAL Definition?

Definitions are XLM documents created using OVAL core XML schema.

An XML schema is a definition for an XML document. The core OVAL schema (5.11.2) was committed to the repository in Dec 13, 2016. You can get it at the OVAL GitHub. The fact that the schema hasn’t changed in over two years tells you that OVAL is an extremely stable standard and you won’t need to spend a lot of time keeping up with it.

New definitions are being released almost constantly because that’s the whole point! OVAL static format in which you can get the newest, latest vulnerability checks so you can run them against your endpoints.

An OVAL definition includes:

  • Metadata: includes the OVAL-ID (unique ID for each definition), status (draft, interim, accepted), source (CVE or other source), author(s), and additional metadata.
  • High-level summary: includes the OS and various information as needed such as the file name, app version, patch status, configuration settings, etc.
  • Detailed definition: provides the guts of the logic to satisfy the assessment

OVAL provides for five classes of definitions.

  1. Vulnerability definitions check for known vulnerabilities on a system
  2. Compliance definitions well verify whether or not a system’s configuration satisfies a security policy
  3. Inventory definitions look for various types of software on a system, from small pieces to full apps
  4. Patch definitions will test to see if a given patch is appropriate for a system
  5. Miscellaneous definitions cover everything else.

Who Manages the Repositories?

A community of vendors and other organizations manages the sphere of OVAL repositories.

The Center for Internet Security (CIS) manages the Official OVAL Repository.

The US National Institute of Standards and Technology (NIST) Computer Security Resource Center (CIRC) maintains a very large repository under the Security Content Automation Protocol (SCAP) project. RedHat maintains their own, as does Cisco. These are just a few examples. For a full list, get involved in the OVAL community. A great place to start is the OVAL Documentation GitHub.

What Operating Systems and Platforms Does OVAL Support?

OVAL does not include or exclude OSes. Each repository will have definitions for endpoints and software that match their purpose. Statistics from primary repository from the CIS shows that it holds primarily Windows and Unix/Linux definitions, followed by Cisco IOS.

Just as OVAL is OS agnostic, it is device agnostic. That is, OVAL is not limited to specific types or makes of devices. Definitions can be created for servers, desktops, laptops, mobile devices, routers, etc.

Looking Beyond OVAL

Vulnerability assessment solutions tend to lack the ability to remediate vulnerabilities once they are found. For automated remediation, you may want to investigate tools like Adaptiva’s new Evolve VM. It uses OVAL definitions and other features to check a system’s  health, compliance, and vulnerabilities, but where it really shines is that it can automate the remediation

To learn more, join us for an upcoming webinar:

Introducing Evolve VM – Endpoint Compliance and Vulnerability Management
Thursday, April 4th, 2019
Chaz Spahn, Sr. Solutions Architect, Adaptiva


Bill Bernat
Director of Product and Content Marketing, Adaptiva