OVAL is the Open Vulnerability and Assessment Language, an open standard that conveys not just checklist information but also how to gather the data and test it for compliance: for example, checking a registry key for specified values and comparing them to the settings required for compliance.

In short, it means our menu of Compliance Checklists is now huge and more readily caters for the differing requirements of commercial, federal and military organizations. The industry’s quest for a unified standard that caters for the similar but separate requirements for

  • compliance auditing
  • vulnerability management
  • patching
  • inventory and configuration management
  • remediation and mitigation

Center for Internet Security Benchmark Checklists

The first important step along this path was to ensure CIS checklist content could be utilized and, as a result, NNT Change Tracker is now a Certified Vendor for CIS Benchmarks.

The Center for Internet Security is recognized as one of the most valuable and usable sources of vulnerability and hardening intelligence. Significantly, CIS content is drawn from a consensus of manufacturers, OEMs, security product vendors and researchers of exploits and vulnerabilities.

CIS Checklists are provided in a wide range of formats and include a detailed background to the vulnerability, how to audit for its existence, and how to remediate if found.

Checklists are provided in both the CIS’s own Embedded Check Language rulesets (for use in their CIS-CAT tool) and the more standardized, Extensible Configuration Checklist Description Format (XCCDF). NNT Change Tracker can now utilize both CIS checklist ruleset formats.

OVAL and XCCDF, STIGs and SCAP

Adoption of OVAL, however, opens up a much wider range of checklists including those provided in the National Vulnerability Database repository here

http://web.nvd.nist.gov/view/ncp/repository

and also the checklists provided for the US Military known as STIGs (Security Technical Implementation Guides)

http://iase.disa.mil/stigs/a-z.html

Of course, SCAP (Security Content Automation Protocol) has now been positioned as an all-encompassing standard and is a superset of OVAL and XCCDF.

While SCAP leverages OVAL and XCCDF, using the same checklist ruleset content, it combines this with vulnerability scoring metrics (CVSS) and other standardized platform, vulnerability and configuration enumeration/naming conventions (respectively CPE, CVE, and CCE – see www.mitre.org for more details) to provide a more comprehensive standard.

It is important to note, however, that the ‘meat’ of SCAP is still the OVAL content and NNT can just as easily use SCAP’s OVAL content.
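The registry check described at the top of the page, written out as an added example (not NNT's or CIS's code): a constructed, cut-down OVAL fragment and a small evaluator for it. The key path, value name, `oval:example:*` ids, the result labels and the `HOST` snapshot are assumptions made for the illustration, and only a subset of OVAL operations is handled.

```python
import operator
import xml.etree.ElementTree as ET

WIN = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#windows}"
# Constructed, cut-down OVAL fragment: one registry test, its object and its state.
OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:win="http://oval.mitre.org/XMLSchema/oval-definitions-5#windows">
  <tests>
    <win:registry_test id="oval:example:tst:1" check="all">
      <win:object object_ref="oval:example:obj:1"/>
      <win:state state_ref="oval:example:ste:1"/>
    </win:registry_test>
  </tests>
  <objects>
    <win:registry_object id="oval:example:obj:1">
      <win:hive>HKEY_LOCAL_MACHINE</win:hive>
      <win:key>SOFTWARE\Example\Policy</win:key>
      <win:name>MinPasswordLength</win:name>
    </win:registry_object>
  </objects>
  <states>
    <win:registry_state id="oval:example:ste:1">
      <win:value datatype="int" operation="greater than or equal">14</win:value>
    </win:registry_state>
  </states>
</oval_definitions>"""

OPS = {"equals": operator.eq, "not equal": operator.ne,
       "greater than or equal": operator.ge, "less than or equal": operator.le}

def evaluate(oval_xml, registry):
    """Return {test id: 'pass' | 'fail' | 'missing'} (labels chosen for this example)."""
    root = ET.fromstring(oval_xml)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    results = {}
    for test in root.iter(WIN + "registry_test"):
        obj = by_id[test.find(WIN + "object").get("object_ref")]
        want = by_id[test.find(WIN + "state").get("state_ref")].find(WIN + "value")
        path = tuple(obj.findtext(WIN + tag) for tag in ("hive", "key", "name"))
        if path not in registry:            # setting absent on the host
            results[test.get("id")] = "missing"
            continue
        cast = int if want.get("datatype") == "int" else str
        compare = OPS[want.get("operation", "equals")]
        ok = compare(cast(registry[path]), cast(want.text))
        results[test.get("id")] = "pass" if ok else "fail"
    return results

# Constructed registry snapshot keyed by (hive, key, name); a real scanner reads the live registry.
HOST = {("HKEY_LOCAL_MACHINE", r"SOFTWARE\Example\Policy", "MinPasswordLength"): "8"}
print(evaluate(OVAL_XML, HOST))  # {'oval:example:tst:1': 'fail'}
```

The split between object (what to collect) and state (what the collected value must satisfy) is what lets the same content drive both data gathering and the compliance test.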

 

Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.