SSA (Security System Analyzer) is free non-intrusive OVAL-Compatible software. It provides security testers, auditors with an advanced overview of the security policy level applied.
Features :
- OVAL-compatible product
- SCAP (Security Content Automation Protocol)
- Perform a deep inventory audit on installed softwares and applications
- Scan and map vulnerabilities using non-intrusive techniques based on schemas
- Detect and identify missed patches and hotfixes
- Define a patch management deployment strategy using CVSS scores
Changelog for v.1.5.2
- Based on OVAL 5.3 build 20 (see OVAL project for more information)
- SSA now supports SCAP (Security Content Automation Protocol)
- SSA now supports scan for missed patches (using SCAP format)
- Updated OVAL XML Viewer Plugin
- Updated database to 2039 definitions
Download it here:
Or read more here.
dre says
qualys has integrated oval support into their product.
i find that the avdl support in webinspect is much more mature, and i wish that other products would support this… although oval support isn’t that bad of an idea either
fazed says
I have to agree with dre..
dre says
There is a ton of information about OVAL on these forums.
I’m reconsidering what I said earlier about OVAL after looking at the MITRE integration overall. I’m also reconsidering AVDL because it turns out that WebInspect hasn’t even supported it themselves all year.
For example, check out this presentation by Bob Martin on CWE. On slide 15 (second to last slide), he shows how XCCDF and OVAL can be used as knowledge repositories to bring data to/from operations security management processes.