Network Security Assessment – OVAL Definition
I briefly covered network security assessment in part 1 and part 2; here I’d like to introduce how to do the vulnerability test. In penetration-testing terms, this is a white-box test because the tester has placed a sensor or agent on the asset, an operation the firm has allowed.
OVAL is Open Vulnerability Assessment Language, which is widely adopted by the industry. The language is written in XML. Many communities and groups contribute OVAL definitions and tests. The major one is the OVAL Repository, which is hosted by The MITRE Corporation. Before going into detail about OVAL, let’s think intuitively about how to do a vulnerability assessment test.
- First, we need to define what the vulnerability is.
- Then, we need to give several criteria, which refer to the real test result.
- Then, in the test phase, we need to define the object, such as a Windows registry definition.
- Last, we need to retrieve values to compare with the object. Then the test is done.
Here is a concrete OVAL example. Microsoft announced the vulnerability “Excel Cache Memory Corruption Vulnerability (KB973471)”. We then write a definition for that vulnerability.
<definition id="oval:com.vendor.oval:def:10383" version="1">
</definition>
The definition contains two nested elements: metadata and criteria.
The metadata provides descriptive information, including the definition title, affected family, CVE reference, status, etc. For example, the following is the reference for this definition.
<reference source="CVE" ref_id="CVE-2009-3127" ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127" />
The criteria provide the test references and some comments.
<criterion comment="Microsoft Excel 2002 SP3 or later is installed" test_ref="oval:org.mitre.oval:tst:8677"/>
At this point, the definition is complete. Next, we will see how to define and perform the test.
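To show how the metadata and criteria fit together, the following added example (not code from the original post or from the OVAL project) assembles the fragments above into one definition, reads its CVE reference, and evaluates the criteria tree against per-test results. The second criterion, its test id `oval:example:tst:1`, the `class` attribute value and all function names are assumptions made for illustration. Test results are simplified to true/false, only the AND and OR operators are handled, and `extend_definition` is not handled.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the id, CVE reference and first criterion are the fragments
# from the article; the second criterion (oval:example:tst:1) is a placeholder.
SAMPLE = """<definition id="oval:com.vendor.oval:def:10383" version="1" class="vulnerability">
  <metadata>
    <title>Excel Cache Memory Corruption Vulnerability (KB973471)</title>
    <reference source="CVE" ref_id="CVE-2009-3127"
               ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3127"/>
  </metadata>
  <criteria operator="AND">
    <criterion comment="Microsoft Excel 2002 SP3 or later is installed"
               test_ref="oval:org.mitre.oval:tst:8677"/>
    <criterion comment="constructed placeholder: vulnerable file version present"
               test_ref="oval:example:tst:1"/>
  </criteria>
</definition>"""

def local(tag):
    """Strip an XML namespace so namespaced OVAL files match as well."""
    return tag.rsplit("}", 1)[-1]

def summarize(xml_text):
    """Return (definition id, title, CVE ids) from the definition's metadata."""
    defn = ET.fromstring(xml_text)
    els = list(defn.iter())
    title = next((e.text for e in els if local(e.tag) == "title"), None)
    cves = [e.get("ref_id") for e in els
            if local(e.tag) == "reference" and e.get("source") == "CVE"]
    return defn.get("id"), title, cves

def evaluate(node, results):
    """Evaluate a criteria/criterion node against {test id: bool} results."""
    if local(node.tag) == "criterion":
        value = results[node.get("test_ref")]  # KeyError: that test was never run
    else:
        op = node.get("operator", "AND")       # AND is the default operator
        if op not in ("AND", "OR"):
            raise ValueError("operator not handled in this example: " + op)
        children = [evaluate(c, results) for c in node
                    if local(c.tag) in ("criteria", "criterion")]
        value = any(children) if op == "OR" else all(children)
    return value != (node.get("negate", "false") in ("true", "1"))

def is_vulnerable(xml_text, results):
    """True when the definition's top-level criteria evaluate to true."""
    defn = ET.fromstring(xml_text)
    criteria = next(c for c in defn if local(c.tag) == "criteria")
    return evaluate(criteria, results)
```

When the OVAL content comes from a source you do not control, parse it with a hardened XML parser such as defusedxml rather than the standard-library one used here.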