IT Security 101: Security Content Automation Protocol (SCAP)
Introduction
In this installment of ITSEC101, I will discuss a framework created by the National Institute of Standards and Technology (NIST) called the Security Content Automation Protocol (SCAP). This standard is codified in Special Publication (SP) 800-126. Its current version is 1.3 (SP 800-126 Rev. 3) and NIST is in the process of designing v2.0.
The purpose of SCAP is to provide a standardized method to organize and present vulnerability data across disparate IT systems, and the tools used for vulnerability scanning, assessment, and overall management. This allows organizations to meet regulatory requirements uniformly, regardless of their chosen solutions.
SCAP Explained
The SCAP framework is a collaboration between NIST and other organizations such as MITRE and FIRST. It consists of multiple specifications to standardize vulnerability and security configuration evaluation, management, and compliance, with emphasis on automation.
Asset Identification
A standardized method for uniquely identifying assets.
Asset Reporting Format (ARF)
A standardized data model for asset and security report relationships.
Common Configuration Enumeration (CCE)
A standardized method for identifying configuration issues.
Common Configuration Scoring System (CCSS)
A standardized method for measuring the severity of security configuration issues.
Common Platform Enumeration (CPE)
A standardized method for identifying software and hardware.
Common Vulnerabilities and Exposures (CVE)
A standardized list of known vulnerabilities.
Common Vulnerability Scoring System (CVSS)
A standardized method for scoring vulnerabilities in software and hardware.
Extensible Configuration Checklist Description Format (XCCDF)
A standardized format for defining security benchmarks and checklists, written in XML.
Open Checklist Interactive Language (OCIL)
A standardized language for implementing manual interaction during security evaluations.
Open Vulnerability and Assessment Language (OVAL)
A standardized language for defining compliance evaluations of vulnerabilities and configurations.
Trust Model for Security Automation Data (TMSAD)
A standardized trust model for defining integrity, authentication and traceability of data exchanged within the SCAP framework.
Finally, the data is centralized in NIST’s National Vulnerability Database (NVD).
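To show how several of these specifications fit together in practice, here is an added example (not part of the original article or of any NIST tool) that parses a constructed XCCDF 1.2 TestResult, the document a scanner emits after evaluating a benchmark, and pulls out the failing rules together with the CCE identifier each rule maps to, the OVAL definition that produced the result, and the CPE name of the scanned platform. The XML content, rule ids, CPE name and CCE/OVAL identifiers are all constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "http://cce.mitre.org"  # ident@system value that marks a CCE identifier
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample scan result: the ids, CPE name and CCE/OVAL identifiers are placeholders.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_nightly"
    start-time="2024-01-01T01:00:00" end-time="2024-01-01T01:02:00">
  <benchmark href="example-xccdf.xml" id="xccdf_org.example_benchmark_server"/>
  <target>host01.example.internal</target>
  <platform idref="cpe:2.3:o:example:server_os:1.0:*:*:*:*:*:*:*"/>
  <rule-result idref="xccdf_org.example_rule_ssh_root_login" severity="high">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="example-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_minlen" severity="medium">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-00000-2</ident>
  </rule-result>
</TestResult>"""

def parse_test_result(xml_text):
    """Return the scanned target, its CPE platforms and one dict per rule-result."""
    root = ET.fromstring(xml_text)
    findings = []
    for rr in root.findall("x:rule-result", NS):
        findings.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=NS),
            # CCE ids tie the rule to a catalogued configuration issue
            "cce": [i.text for i in rr.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM],
            # OVAL definition ids name the automated check that produced the result
            "oval": [c.get("name") for c in rr.findall("x:check/x:check-content-ref", NS)],
        })
    target = root.findtext("x:target", default="", namespaces=NS)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    return {"target": target, "platforms": platforms, "findings": findings}

def failed_rules(report):
    """Failing rules, most severe first: the configuration gaps to remediate."""
    fails = [f for f in report["findings"] if f["result"] == "fail"]
    return sorted(fails, key=lambda f: SEVERITY_ORDER.get(f["severity"], 4))
```

Running `failed_rules(parse_test_result(SAMPLE_RESULT))` on the constructed result returns only the high-severity SSH rule, with its CCE and OVAL references attached, which is exactly the cross-referencing that lets the same finding be tracked across different scanners and reporting tools.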
Conclusion
SCAP is a widely accepted framework to assist organizations with automating their vulnerability and security configuration management. It is an important concept for defenders to understand, as it allows for consistent security through standardized baselines and evaluations. It is a powerful tool for identifying gaps and maintaining compliance.
Daily Cuppa
Today’s cup of tea is Organic Green Tea provided by Newman’s Own.
If you found this article useful, or enjoy the site in general, feel free to buy the author a cup of tea.
The author is also available for work.