Superior Content Support

Joval's wide adoption, robust schema support and use by leading content authors combine to provide superior content support.

Public Content Sources

One unique advantage to the SCAP family of specifications is that there is a significant amount of freely-available content (and even more commercially-available) that is written in compatible formats. A continuous monitoring solution that is SCAP-based has the advantage of being able to leverage these content sources, and avoid having to dedicate a team to content creation and migration activities. Most available content addresses the security compliance and known-vulnerability detection use-cases.

Compliance Content

NIST United States Government Configuration Baselines (USGCB)

NIST is chartered with maintaining the baseline configuration guidance for products commonly used by US Government Federal agencies. This guidance is captured in the US Government Configuration Baseline (USGCB) XML benchmarks, which are published by NIST and available for royalty-free use.


DISA Secure Technical Implementation Guidelines (STIGs)

The Defense Information Systems Agency is the IT department for the US Department of Defense. It maintains Secure Technical Implementation Guidelines in SCAP format for a wide variety of operating systems and applications. The STIGs are used as a source of authoritative secure configuration guidance by many auditors and security practitioners seeking to implement a variety of government and industry-mandated compliance policies. Many automated DISA STIGs are publicly available, and can be used royalty-free.


NIST NVD

NIST maintains the National Checklist Program Repository page at the National Vulnerability Database (NVD) website. This searchable repository indexes freely-available security benchmarks from a variety of US-government sources.


RedHat SCAP Security Guide (SSG)

RedHat maintains its own freely-available security guidelines in SCAP format, particularly for newer versions of RedHat Linux that are not explicitly covered by USGCB.


Center for Internet Security Benchmarks (CIS Benchmarks)

The Center for Internet Security is a non-profit organization focused on improving cybersecurity for public and private sector entities, which publishes security guidance on the configuration of a wide variety of software and operating systems. CIS members have access to automated benchmarks published in SCAP format.


ALTX-SOFT

ALTX-SOFT is a leading producer of SCAP content, offering PCI and Russian/FSTEC regulatory compliance benchmarks, security guides for multiple products and operating systems, and bespoke compliance benchmarks in multiple languages for resale to ISVs.


SecPod (HIPAA/PCI/NERC)

SecPod is a leading producer of commercially-available SCAP content, offering subscription-based access to its own XCCDF compliance benchmarks focused on HIPAA, PCI, NERC and other regulatory and industry frameworks.


Vulnerability Content

CIS (formerly MITRE) Repository (all platforms)

The original OVAL repository, now hosted by CIS, contains community-maintained definitions for inventory, compliance, and importantly, every vulnerability known to the National Vulnerability Database (NVD).


Cisco

Cisco publishes automatically-generated OVAL vulnerability content for IOS as part of their regular security guidance and vulnerability publishing process.


RedHat

RedHat hosts an automatically-generated OVAL vulnerability feed for all the RPM-packaged software for the RedHat Linux distribution.


Ubuntu

Canonical hosts an automatically-generated OVAL vulnerability feed for all Debian software packages available for Ubuntu Linux distributions.


Novell

Novell hosts automatically-generated OVAL vulnerability feeds for supported versions of SUSE Linux distributions.


Debian

Debian hosts automatically-generated OVAL vulnerability feeds for Debian packages, although the auto-generation process is currently broken.


ALTX-SOFT

ALTX-SOFT is the leading contributor of OVAL content to the CIS repository, and also maintains its own repository of OVAL vulnerability content for registered users.


SecPod

SecPod, a leading producer of commercially-available SCAP content, maintains extensive OVAL definitions covering MacOS X vulnerabilities.
