Security Content Automation and Protocol (SCAP)

(OBJ .)

Security Content Automation Protocol (SCAP)

• Suite of open standards that enhances the automation of vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization
• Developed by the National Institute of Standards and Technology (NIST)
• Enhances the automation of security tasks, including the following
  • Vulnerability scanning
  • Configuration checking
  • Software inventory

Components of SCAP

• SCAP comprises a suite of open standards used to automate security tasks
• Supports standardized vulnerability scanning, results reporting, and scoring
• Promotes vulnerability prioritization and compliance with internal and external requirements
• Ensures that different security tools communicate using the same SCAP formatted data

SCAP Languages

• OVAL (Open Vulnerability and Assessment Language)
  • XML schema for describing system security states and querying vulnerability reports
• XCCDF (Extensible Configuration Checklist Description Format)
  • XML schema for developing and auditing best-practice configuration checklists and rules
  • Allows improved automation
• ARF (Asset Reporting Format)
  • XML schema for expressing information about assets and their relationships
  • Vendor and technology neutral
  • Flexible
  • Suited for a wide variety of reporting applications

Enumeration Methods in SCAP

• CCE (Common Configuration Enumeration)
  • Scheme for provisioning secure configuration checks across multiple sources
  • Provides unique identifiers for different system configuration issues
• CPE (Common Platform Enumeration)
  • Identifies hardware devices, operating systems, and applications
  • Standard format:
    • cpe:/part:vendor:product:version:update:edition:language
• CVE (Common Vulnerabilities and Exposures)
  • Describes publicly known vulnerabilities with unique identifiers
  • Standard format
    • CVE-Year first documented-Number
    • CVE-2017-0144

Common Vulnerability Scoring System (CVSS)

• Used to provide a numerical score reflecting the severity of a vulnerability (0 to 10)
• Scores are used to categorize vulnerabilities as none, low, medium, high, or critical
• Scores assist in prioritizing remediation efforts but do not account for existing mitigations

SCAP Benchmarks

• Benchmarks
  • Sets of security configuration rules for specific products to establish security baselines
  • Provide a detailed checklist that can be used to secure systems to a specific baseline
• Expressed in the XCCDF format and used for compliance testing
• Many SCAP Benchmarks available for different systems and applications, ensuring proper system configuration and vulnerability identification
• Examples of SCAP Benchmarks
  • Red Hat Enterprise Linux Benchmark
    • Provides security configuration rules for Red Hat Enterprise Linux
  • CIS Microsoft Windows 10 Enterprise Benchmark
    • Includes security configuration rules for Microsoft Windows 10 Enterprise
• Three languages used in SCAP
  • OVAL
  • XCCDF
  • ARF