Common Vulnerability Scoring System

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score to a vulnerability that indicates its relative severity compared to other vulnerabilities. It offers visibility into how each score was calculated by revealing the underlying vulnerability characteristics that are inputs to the score calculation. NVD publishes CVSS scores for all CVE and CCE vulnerabilities (software flaws and configuration issues).

CVSS is under the custodial care of the Forum of Incident Response and Security Teams (FIRST). However, it is a completely free and open standard. No one company “owns” CVSS and membership is not required to use or implement it.

One advantage to using CVSS is that when an organization normalizes vulnerability scores across all their software and hardware platforms, they can leverage a single vulnerability management policy. This policy may be similar to a service level agreement (SLA) that states how quickly a particular vulnerability must be validated and remediated. 

CVSS Homepage: http://www.first.org/cvss/index.html

CVSS Specification: http://www.first.org/cvss/cvss-guide.html

NVD CVSS data feed: http://nvd.nist.gov/cvss.cfm  

Extensible Configuration Checklist Description Format (XCCDF) 

The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing the results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expressing security checklists, benchmarks, and other configuration guidance, and thereby foster more widespread application of good security practices. XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser. Development of the XCCDF specification is led by the U.S. National Security Agency; the specification is published by the U.S. National Institute of Standards and Technology (NIST) and developed with contributions from the security community.

For a checklist to be considered an SCAP checklist, it must conform to the SCAP XCCDF template and style guide. This requires, among other things, inclusion of relevant SCAP enumerations and mappings (CVE, CCE, CPE, and CVSS) in the XCCDF file. In addition, the checklist must be submitted to, and accepted by, the NIST National Checklist Program. 

XCCDF was designed to support integration with multiple underlying configuration checking ‘engines’. The expected or default checking technology is MITRE’s Open Vulnerability and Assessment Language (OVAL). In cases where the OVAL language does not support certain low-level checks, it is expected that an XCCDF check will be written to interface with vendor-proprietary check engines.
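The compliance scoring and result-storage roles of XCCDF described above can be seen in a small result-processing script. This is an added example, not NIST, NSA or MITRE code. It assumes an XCCDF 1.1 TestResult document (the namespace is an assumption) and a flat Benchmark in which every Rule sits directly under the Benchmark, so the default scoring model reduces to a weighted average over the rule-result elements: pass counts 100, fail and error count 0, and notapplicable, notchecked, informational and unknown results are excluded (treating error as a scored zero is this example's reading of the default model). The TestResult XML itself is constructed for the example.

```python
"""Score an XCCDF TestResult with the default scoring model (added example; not
NIST, NSA or MITRE code). Assumes XCCDF 1.1 and a flat Benchmark, so the default
model is a weighted average over the rule-result elements."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # assumption: XCCDF 1.1 document
NS = {"x": XCCDF_NS}

# Constructed sample result document; the rule ids are illustrative, not from any real checklist.
SAMPLE_TEST_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-result-1">
  <rule-result idref="rule-password-min-length" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="rule-telnet-disabled" weight="2.0">
    <result>fail</result>
  </rule-result>
  <rule-result idref="rule-audit-enabled" weight="1.0">
    <result>pass</result>
  </rule-result>
  <rule-result idref="rule-ipv6-router-adverts" weight="1.0">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="rule-selinux-enforcing" weight="1.0">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="rule-sshd-protocol">
    <result>error</result>
  </rule-result>
</TestResult>
"""

# Results that contribute to the score, and the per-rule score they carry.
COUNTED = {"pass": 100.0, "fail": 0.0, "error": 0.0}
# Results the default model leaves out of both numerator and denominator.
EXCLUDED = {"notapplicable", "notchecked", "informational", "unknown"}


def rule_results(xml_text):
    """Return a list of (idref, result, weight) tuples; weight defaults to 1.0 when absent."""
    root = ET.fromstring(xml_text)
    out = []
    for rr in root.findall("x:rule-result", NS):
        result = rr.findtext("x:result", namespaces=NS)
        weight = float(rr.get("weight", "1.0"))
        out.append((rr.get("idref"), result.strip() if result else None, weight))
    return out


def default_score(xml_text):
    """Weighted average of counted rule scores, 0-100, rounded to two decimals."""
    total_weight = 0.0
    weighted = 0.0
    for idref, result, weight in rule_results(xml_text):
        if result in EXCLUDED:
            continue
        if result not in COUNTED:
            raise ValueError(f"unexpected result {result!r} for rule {idref}")
        total_weight += weight
        weighted += weight * COUNTED[result]
    if total_weight == 0:            # nothing was actually evaluated
        return 0.0
    return round(weighted / total_weight, 2)


def failed_rules(xml_text):
    """Rules needing attention: failed checks plus checks whose engine hit an error."""
    return [idref for idref, result, _ in rule_results(xml_text) if result in ("fail", "error")]


if __name__ == "__main__":
    print(f"score: {default_score(SAMPLE_TEST_RESULT)}")
    print("needs attention:", ", ".join(failed_rules(SAMPLE_TEST_RESULT)))
```

In the sample, two weight-1.0 passes, one weight-2.0 fail and one defaulted-weight error are counted while the notapplicable and notchecked rules are excluded, giving a score of 40.0. Surfacing the error result separately matters in practice: a check the engine could not run is not evidence of compliance, and an XCCDF consumer that silently folded it into a pass would overstate the system's posture.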

XCCDF Standard: http://nvd.nist.gov/xccdf.cfm

NVD XCCDF/OVAL data feed: http://nvd.nist.gov/scapchecklists.cfm

NIST National Checklist Program: http://nvd.nist.gov/ncp.cfm

SCAP XCCDF style guide:

SCAP XCCDF template:

Open Vulnerability and Assessment Language (OVAL™)

The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL includes a language used to encode system details and an assortment of content repositories held throughout the community. The language standardizes the three main steps of the assessment process: representing configuration information of systems for testing; analyzing the system for the presence of the specified machine state (vulnerability, configuration, patch state, etc.); and reporting the results of this assessment. OVAL is managed by The MITRE Corporation and is sponsored by the U.S. Department of Homeland Security. OVAL and the OVAL logo are trademarks of The MITRE Corporation. OVAL is used within SCAP to automate the performance of low-level security checks.

OVAL Homepage: http://oval.mitre.org/

OVAL Compatibility: http://oval.mitre.org/compatible/

NVD XCCDF/OVAL data feed: http://nvd.nist.gov/scapchecklists.cfm
