Engineering Enterprise SCAP

We are a small, engineering-oriented company narrowly focused on delivering the best standards-based configuration assessment technology in the world. Our lightweight toolkits enable ISVs, MSSPs, U.S. Federal Agencies and enterprises large and small, around the globe to scan anything from anywhere.
David A. Solin

David A. Solin

Co-Founder, Research & Technology

David Solin is the chief architect for Joval Continuous Monitoring.

Prior to joining JovalCM, he was Chief Architect for Service Automation at BMC Software, where he led a global team responsible for overall software design and the technical road-map for five product families accounting for $200M in annual sales. He was also the lead architect for BMC’s first Cloud Lifecycle Management solution, and a member of BMC’s Office of the CTO.

David joined BMC with the Marimba acquisition in 2004. At Marimba, he held a range of positions in the professional services and sales organizations before becoming a member of Marimba’s Office of the CTO. He was instrumental in the genesis, design and development of Marimba’s server and patch management products.

Prior to joining Marimba, David worked at the Defense Information Systems Agency (DISA) and the International Telecommunications Satellite Organization (INTELSAT). He holds a bachelors degree in mathematics from Yale University, and has authored nine issued and one pending US patents.

David E. Ries

David E. Ries

Co-Founder, Business Development

David leads business development efforts for Joval Continuous Monitoring.

Prior to joining JovalCM, David co-founded where he served as CTO for two years and COO for five years. As CTO, David designed’s patented and proprietary content management and operational support systems. After pivoting the company from a SaaS CMS provider to a technology-enabled website services provider, he was promoted to COO where he developed’s standardized service delivery model, led the development of a technology platform to support it and built a specialized service organization to operate it. As a founder and board member, David played a large role in securing three rounds of financing for the company as well as creating and executing the company’s marketing, sales, and business development strategies.

Prior to, David spent four years as a business process analyst and web application developer for operations, IT and new media departments at Christies, Pfizer, and other enterprise clients. Previously, he produced 35 commercial musicals across the Midwest. David received a B.A. in History from Yale University and has one issued and one pending patent.


Slang 1.0 Released

Today Joval Continuous Monitoring introduced the first version of its SCAP content authoring toolkit called “Slang” (Shorthand-LANGuage for SCAP). The toolkit consists of a VSCode extension and command-line tools that greatly simplify the process of creating security compliance content in SCAP format. The first release covers Windows operating systems, with a follow-on release adding Linux and macOS support planned for the first half of this year.


Joval Achieves SCAP 1.3 Program Validation

Joval is proud to have become the first commercial product to complete the NIST SCAP 1.3 validation program and receive an official validation record, having successfully undergone testing by an independent accredited 3rd-party laboratory. Joval’s validation record includes every platform and every capability currently included in the program, and customers who license the SCAP Validated Module may now participate in the “SCAP Inside” labeling program for their own products to meet Federal purchasing requirements.


Joval Announces new Performance Tuning Features

Today Joval Continuous Monitoring released version 6.3.0 of its flagship products, the Joval SDK and Joval Utilities. This important update to the Joval Utilities includes a new host-based scan mode for resource-constrained environments, making it possible for Joval customers to fine-tune the amount of memory and CPU that will be utilized during the scanning process. New CPU usage configuration properties are also available for users of the Joval SDK.

“Our customers have been finding that some environments involving point-of-sale kiosks and VDI require a softer touch,” said David Solin, co-founder and lead product architect at Joval Continuous Monitoring. “These machines are often stripped to the bone to contain costs, and don’t necessarily have a lot of excess capacity for vulnerability scanning. These new features make it possible to manage the very real vulnerability risks on such machines, without impacting the core business functions they serve.”

For more information, please contact us about conducting an evaluation.


CIS Credits Joval for Windows Security Content Development Leadership

The Center for Internet Security today released a blog article titled Automating the Generation of Windows Vulnerability Detection Content, which highlights the work being performed by Joval Continuous Monitoring to automate the generation of publicly-available Windows vulnerability content.


Joval adds Offline Docker Image Scanning Capability

Joval Continuous Monitoring is pleased to announce release v6.2.0, which adds support for compliance and vulnerability scanning of offline Docker (Linux) image files.


IGI Announces Joval Partnership for Nodeware

IGI announces their partnership with Joval Continuous Monitoring to power its Nodeware product line.


Presentations by Joval Continuous Monitoring at NIST SCAPv2 Summit

Representatives from Joval Continuous Monitoring gave presentations at the NIST SCAP v2 developer conference at MITRE Corporation’s McLean, VA campus, including:

  • Repository Metadata
  • Programmatic OVAL
  • Protocol-Oriented OVAL Schemas

Joval Earns Top Contributor Award (Q1 2019)

The Center for Internet Security today announced Joval Continuous Monitoring was a Top Contributor of publicly-available OVAL content for the first quarter of 2019. This is Joval’s fifth consecutive award for content contribution.


Introducing Joval Discovery

Joval Continuous Monitoring is pleased to announce general availability of Discovery 1.0, available as a stand-alone product, or as an add-on capability for Joval Developer and Enterprise edition customers. Discovery 1.0 is compatible with the new Joval 6.1.0 release.

Discovery 1.0 features include:

  • Configuration-free vulnerability scanning, with no prior knowledge of network topology required
  • OVAL-based definitions for thousands of common vulnerabilities and misconfigurations
  • Options for both stand-alone ARP discovery and support for NMap XML file formats

Contact us for an evaluation license.


Joval Earns Top Contributor Award (Q4 2018)

The Center for Internet Security today announced Joval Continuous Monitoring was a Top Contributor of publicly-available OVAL content for the fourth quarter of 2018. This is Joval’s fourth consecutive award, making us a top contributing organization for the entire year of 2018.


Joval Earns Top Contributor Award (Q3 2018)

The Center for Internet Security today announced Joval Continuous Monitoring was a Top Contributor of publicly-available OVAL content for the third quarter of 2018.


Joval Earns Top Contributor Award (Q2 2018)

The Center for Internet Security today announced Joval Continuous Monitoring was a Top Contributor of publicly-available OVAL content for the second quarter of 2018.


Joval Earns Top Contributor Award (Q1 2018)

The Center for Internet Security today announced Joval Continuous Monitoring was a Top Contributor of publicly-available OVAL content for the first quarter of 2018.


Joval Announces CIS Certifications

Joval Continuous Monitoring, in conjunction with its new 6.0.0 release, announced that it would begin distributing CIS-certified content to its enterprise customers.


Tanium Adds Support for JovalCM

Joval Continuous Monitoring introduces Joval™ for Tanium® Comply, an officially supported engine for Tanium Comply, empowering Tanium Comply customers to leverage Joval’s market-leading SCAP compliance and security vulnerability scanning capabilities. Contact us for details on pricing and availability.


Joval Introduces Partnership with CIS

Today Joval and the Center for Internet Security signed an agreement allowing Joval to provide CIS benchmarks directly to end-user customers. Licensed customers can now request CIS content via the support portal, to begin the certification process.


OVAL 5.11.2 official release

The OVAL community met a major milestone by completing its first independent release of the OVAL language since the transition from MITRE. OVAL 5.11.2 features over 70 changes and enhancements to the language, and the release effort was spearheaded by Joval’s own David Solin, who volunteered on behalf of the community to implement and categorize the issue back-log.


Joval 5.11.1-3 Released

JovalCM announces general availability of version 5.11.1-3 of the Joval product suite, which includes numerous bug fixes, improved performance for remote Windows scanning, support for the SCAP validation suite v1.2.1.14 and support for RHEL on IBM System Z mainframes.


Joval Authoring Toolkit Released

JovalCM announces the immediate availability of the Joval Authoring Toolkit. The toolkit can be used by OVAL authoring teams to generate high-quality automation content from the National Vulnerability Database’s CVE XML feed.


Version 5.11.1-2 Released

JovalCM ships version 5.11.1-2, featuring a number of bug fixes and minor enhancements.


Version 5.11.1-1 Released

JovalCM ships version 5.11.1-1, featuring support for the over 40 new test types found in OVAL version 5.11.1.  Included are the new Cisco IOS-XE and Cisco ASA schemas, many formerly experimental tests in their new (official) namespaces, and new OVAL language functions and datatypes. Numerous connectivity and resilience enhancements, such as the ability to scan Windows devices through SSH gateways, are also included.


2015 Cybersecurity Innovation Forum

David Ries, Joval co-founder, presents on Community-Driven Automation Standards at the 2015 Cybersecurity Innovation Forum in Washington, D.C.


Canonical Publishes OVAL Content for Ubuntu

Canonical announced its automatically-generated OVAL repository of Ubuntu vulnerability data. OVAL content is generated continuously (i.e., as soon as it is made available) for the Precise (12.04) and Trusty (14.04) Ubuntu versions. The automation scripts were prototyped by the JovalCM team and donated to Canonical to enable this effort.


OVAL Repository 2.0 Launched

In collaboration with the Center for Internet Security (CIS), ThreatGuard, Qualys, and the OVAL Board and with the support of MITRE and The Department of Homeland Security, the JovalCM team helped launch the new CIS-sponsored OVAL Repository. Our team played a leading role in designing the GitHub repository and implementing the maintenance and packaging tools.


OVAL Language Version 5.11.1 Officially Released

The OVAL governing board officially released version 5.11.1 of the OVAL language. This release includes a large number of bug-fixes that the JovalCM team determined were required to successfully implement the language, particularly focusing on the Cisco IOS, IOS-XE and ASA schemas.


Version Released

JovalCM ships version, featuring proven drop-in readiness for the NIST SCAP 1.2 certification program.  This new release includes many performance and scalability enhancements, including new tests specifically for MacOS X and Debian-based Linux distributions, and a new set of command-line utilities for Enterprise and Developer Edition customers.


Joval Proposes APT Test for Ubuntu Linux

JovalCM’s proposal for a Linux APT (Advanced Packaging Technology) test has been accepted into the official OVAL Sandbox.  This new test adds simplified patch management assessment delegation to native facilities for Ubuntu-based Linux distributions.


OVAL Language Version 5.11 Officially Released

The OVAL governing board officially released the much-awaited version 5.11 of the OVAL language.  This release includes a large number of new tests and schemas that were proposed by the JovalCM team, including the NETCONF and Juniper JunOS schemas, Windows License and System Metric tests, Unix Symlink test and nine new MacOS tests — effectively doubling the capabilities of the MacOS schema.


Joval Proposes New Tests for MacOS, Unix Schemas

The official OVAL Sandbox published Joval’s proposals for nine new MacOS X tests, and a long-needed symlink test for the Unix schema.  These new tests are required to implement newly-available security best practices from CIS in OVAL format, pertaining to MacOS X Mavericks.


Joval Adds SQL Database Support

Version is released, featuring SQL database support.


Cisco Showcases Joval Pro

Cisco showcases Joval Professional Edition in a security automation webinar.


Joval Professional Edition

Joval Professional is released! “Pro” is a desktop application that includes a full GUI for: target and credential management; local and remote scanning; and results display. It is intended for content authors and ad hoc scanning.


Joins OVAL Governing Board

Joval accepts the invitation of the OVAL community to join the OVAL language board.


Cisco Webinar Features Joval

Omar Santos of Cisco’s PSIRT team hosts Cisco’s Automating Cisco IOS Software Vulnerability webinar in which Joval is presented as a robust solution for Cisco IOS scanning.

Apr Stronger & Faster

Version is released, featuring performance and reliability enhancements.

Feb SCAP 1.2 Validation Ready

Version is released, adding support for XCCDF, ARF, digital signatures and full coverage for the Windows and Linux SCAP 1.2 certification tests.


Joval Powers Cisco's SCAP Initiatives

Cisco’s PSIRT team adopts Joval to test and validate their OVAL content and features Joval in Cisco’s white-paper on OVAL scanning.


Joval Pioneers NETCONF & JunOS Support

Joval presents new schemas for NETCONF and JunOS at MITRE Developer Days.


Enterprise OCIL Has Arrived

The Joval team announces the immediate availability our fully-featured enterprise OCIL engine and demo’s it to the community at Mitre SCAP Developer Days. Check out our online demo at


Joval Dramatically Expanded Platform Support

Version is released, adding support for IBM AIX, Apple Mac OSX and complete support for Cisco IOS.


A New Content Toolkit for Windows Patch

Joval announces the beta of, a data feed and SDK for OVAL-based patch assessment, packaging and application. The beta offers comprehensive support for Windows, including over 500,000 OVAL definitions!


First OEM

GCP Global licenses Joval for its ORCA® GRC suite.


Official OVAL Adopter

Joval is now an officially-recognized OVAL adopter.


"Windows_View" Released

Joval becomes the first to implement Windows_View functionality with Alpha release A.5.10.1.


Joval in the News(letter)

Joval SCAP engine featured in the OVAL newsletter.


First Open Source Release

The first commit of Joval Community Edition’s source code is published on Github, under the Affero GPL license terms.


Joval is a "Go"!

Farnam Hall Ventures LLC green-lights the Joval project.