Making Security Measurable › OVAL › OVAL Remediation Forum

OVAL Remediation Proposal

2 messages Options
Embed this post
Permalink
Zhou, Yuzheng

OVAL Remediation Proposal

Reply Threaded More More options
Print post
Permalink
All,

We would like to submit the attached proposal to extend OVAL to support vulnerability remediation. This
proposal describes the OVAL remediation framework with sample OVALs and outlines HP's efforts on OVAL remediation standardization process.

Background
---------------------------
OVAL has been widely accepted and referenced by major
operating system and application software vendors. However, the current OVAL schema can only audit vulnerabilities and does not satisfy the existing strong market need for automated remediation of vulnerabilities. This OVAL remediation schema proposal is HP's contribution to the OVAL remediation standardization process.

Proposal
---------------------------
1.) Propose a detailed framework for extending OVAL to support vulnerability remediation.
2.) Submit a set of new OVAL elements based on the remediation framework.
3.) Provide several sample OVALs with remediation supplement to show how the remediation framework works.

We look forward to comments and questions.

Thanks,
Yuzheng


Yuzheng Zhou
HP Software
2000 Regency Parkway Suite 500, Cary, NC 27511
www.hp.com/go/software




OVAL_Remediation_Proposal_v1.2.pdf (599K) Download Attachment
bakerj

Re: OVAL Remediation Proposal

Reply Threaded More More options
Print post
Permalink
Yuzheng,

We are currently reviewing your proposal. Your team has done a great
job of clearly defining a remediation proposal that would fit smoothly
into OVAL without a major impact on existing compatible products.

Your proposal is focused on vulnerability remediation, which is
understandable given the product line that your team supports. That
said, I think that this proposal could easily be extended to other
types of remediation too (compliance) by adding in new types of
<xxx_remedy>s.

I will reply with more concrete comments after oval developer days. I
plan to discuss this proposal at OVAL Developer Days next week.

Thanks for the great contribution,

Jon

============================================
Jonathan O. Baker
The MITRE Corporation
Email: [hidden email]



>-----Original Message-----
>From: Zhou, Yuzheng [mailto:[hidden email]]
>Sent: Monday, April 07, 2008 12:47 PM
>To: oval-remediation-discussion-list Open Remediation Language Commu
>Subject: [OVAL-REMEDIATION-DISCUSSION-LIST] OVAL Remediation Proposal
>
>All,
>
>We would like to submit the attached proposal to extend OVAL to
support
>vulnerability remediation. This
>proposal describes the OVAL remediation framework with sample OVALs
and
>outlines HP's efforts on OVAL remediation standardization process.
>
>Background
>---------------------------
>OVAL has been widely accepted and referenced by major
>operating system and application software vendors. However, the
current

>OVAL schema can only audit vulnerabilities and does not satisfy the
>existing strong market need for automated remediation of
>vulnerabilities. This OVAL remediation schema proposal is HP's
>contribution to the OVAL remediation standardization process.
>
>Proposal
>---------------------------
>1.) Propose a detailed framework for extending OVAL to support
>vulnerability remediation.
>2.) Submit a set of new OVAL elements based on the remediation
>framework.
>3.) Provide several sample OVALs with remediation supplement to show
how

>the remediation framework works.
>
>We look forward to comments and questions.
>
>Thanks,
>Yuzheng
>
>
>Yuzheng Zhou
>HP Software
>2000 Regency Parkway Suite 500, Cary, NC 27511
>www.hp.com/go/software
>
Free Embeddable Forum Powered by Nabble Help