I’m reconsidering what I said earlier about OVAL after looking at the MITRE integration overall. I’m also reconsidering AVDL because it turns out that WebInspect hasn’t even supported it themselves all year.

For example, check out this presentation by Bob Martin on CWE. On slide 15 (second to last slide), he shows how XCCDF and OVAL can be used as knowledge repositories to bring data to/from operations security management processes.

i find that the avdl support in webinspect is much more mature, and i wish that other products would support this… although oval support isn’t that bad of an idea either