Superior Content Support
Joval's wide adoption, robust schema support and use by leading content authors combine to provide superior content support.
Public Content Sources
One unique advantage to the SCAP family of specifications is that there is a significant amount of freely-available content (and even more commercially-available) that is written in compatible formats. A continuous monitoring solution that is SCAP-based has the advantage of being able to leverage these content sources, and avoid having to dedicate a team to content creation and migration activities. Most available content addresses the security compliance and known-vulnerability detection use-cases.
Compliance Content
NIST United States Government Configuration Baselines (USGCB)
NIST is chartered with maintaining the baseline configuration guidance for products commonly used by US Government Federal agencies. This guidance is captured in the US Government Configuration Baseline (USGCB) XML benchmarks, which are published by NIST and available for royalty-free use.
DISA Secure Technical Implementation Guidelines (STIGs)
The Defense Information Systems Agency is the IT department for the US Department of Defense. It maintains Secure Technical Implementation Guidelines in SCAP format for a wide variety of operating systems and applications. The STIGS are used as a source of authoritative secure configuration guidance by many auditors and security practitioners seeking to implement a variety of government and industry-mandated compliance policies. Many automated DISA STIGS are publicly available, and can be used royalty-free.
NIST NVD
NIST maintains the National Checklist Program Repository page at the National Vulnerability Database (NVD) website. This searchable repository indexes freely-available security benchmarks from a variety of US-government sources.
RedHat SCAP Security Guide (SSG)
RedHat maintains its own freely-available security guidelines in SCAP format, particularly for newer versions of RedHat Linux that are not explicitly covered by USGCB.
Center for Internet Security Benchmarks (CIS Benchmarks)
The Center for Internet Security is a non-profit organization focused on improving cybersecurity for public and private sector entities, which publishes security guidance on the configuration of a wide variety of software and operating systems. CIS members have access to automated benchmarks published in SCAP format.
ALTX-SOFT
ALTX-SOFT is a leading producer of SCAP content, offering PCI and Russian/FSTEC regulatory compliance benchmarks, security guides for multiple products and operating systems, and bespoke compliance benchmarks in multiple languages for resale to ISVs.
SecPod (HIPAA/PCI/NERC)
SecPod is a leading producer of commercially-available SCAP content, offering subscription-based access to its own XCCDF compliance benchmarks focused on HPIAA, PCI, NERC and other regulatory and industry frameworks.
Vulnerability Content
CIS (formerly MITRE) Repository (all platforms)
The original OVAL repository, now hosted by CIS, contains community-maintained definitions for inventory, compliance, and importantly, every vulnerability known to the National Vulnerability Database (NVD).
Cisco
Cisco publishes automatically-generated OVAL vulnerability content for IOS as part of their regular security guidance and vulnerability publishing process.
RedHat
RedHat hosts an automatically-generated OVAL vulnerability feed for all the RPM-packaged software for the RedHat Linux distribution.
Oracle
Oracle also hosts an automatically-generated OVAL vulnerability feed for all the RPM-packaged software for Oracle Enterprise Linux.
Ubuntu
Canonical hosts an automatically-generated OVAL vulnerability feed for all Debian software packages available for Ubuntu Linux distributions.
Novell
Novell hosts automatically-generated OVAL vulnerability feeds for supported versions of SUSE Linux distributions.
Debian
Debian hosts automatically-generated OVAL vulnerability feeds for Debian packages.
ALTX-SOFT
ALTX-SOFT is the leading contributor of OVAL content to the CIS repository, who also maintain their own repository of OVAL vulnerability content for registered users.
SecPod
SecPod, a leading producer of commercially-available SCAP content, maintains extensive OVAL definitions covering MacOS X vulnerabilities.
