[ISN] SCAP narrows security gap

From: InfoSec News (alerts@private)
Date: Wed Mar 05 2008 - 00:42:33 PST


By William Jackson
03/03/08 issue

Since its inception several years ago, the Security Content Automation 
Protocol (SCAP) has done a lot to help agencies in the uphill battle 
against security vulnerabilities, but it hasn't yet gotten them over the 

"What has been done to date is useful, but it is not the endgame," said 
Peter Mell, who heads the National Institute of Standards and 
Technology's SCAP program.

Released by NIST last spring, SCAP is a suite of tools to help automate 
vulnerability management and evaluate compliance with federal 
information technology security requirements.

It is an expansion of the National Vulnerability Database with an 
automated checklist that uses a collection of recognized standards for 
naming software flaws and configuration problems in specific products.

But, handy as it can be in scanning for vulnerabilities in a handful of 
common operating systems and applications, it does not yet help fix the 
problems it finds.

"Some vendors have applied SCAP content to the remediation process, but 
we have yet to explore what it means to provide standard references to 
automate remediation," Mell said.

Still, it seems that SCAP has been embraced.

NIST is accrediting independent labs for a SCAP product evaluation 
program, vendors are producing scanning tools using the protocol, and 
agencies are using them to automate compliance with IT security 

Take the package

"I first heard about it back in 2007 at a developers conference," said 
Matt Oney, security administrator of the Systems Integration Division at 
the General Services Administration's Public Buildings Service. "We 
decided to take this package and use the tools as much as we can."

Oney works at a data center hosting applications for GSA in Chantilly, 
Va., and he rolls out a lot of servers in the course of his work. "We 
figured we may as well roll them out in compliance."

NIST developed SCAP in cooperation with the Defense and Homeland 
Security departments and Mitre to provide technical specifications for 
identifying, enumerating, assigning and sharing security-related data. 
Using existing standards developed as guidance for securing IT hardware 
and software, SCAP can help test for vulnerabilities and rank them 
according to severity of impact.

The checklist files are mapped to NIST specifications for compliance 
with the Federal Information Security Management Act so the output can 
be used to document FISMA compliance.

It also can be used to check for compliance with the Federal Desktop 
Core Configuration (FDCC) requirements for Microsoft Windows XP and 
Vista operating systems.

The Office of Management and Budget has said IT vendors must use 
validated tools to ensure that their products do not alter FDCC 
configurations on desktop PCs, and NIST established a SCAP validation 
program last summer.

So far, NIST-approved labs have validated SCAP tools only for scanning 
Windows XP Professional SP 2 although FDCC also includes configurations 
for Vista. Validations for Vista should be coming soon, said ThreatGuard 
Chief Technology Officer Randal Taylor. NIST has been unable to get test 
images to the lab for Vista, Taylor said. As soon as NIST can get that 
material to the labs, they will be validated.

"I'm pleased with the progress we have made," Mell said of SCAP. "From a 
program point of view, yes, things have moved quickly. But from a 
technical point of view, they haven't."

One of the difficulties with SCAP is that it is based on a series of 
open standards, some of which date back 10 years and are at varying 
levels of maturity. Integrating these standards into a single scheme 
that can be implemented in multiple interoperable products is a 

The more mature standards in the suite include:

    * The Common Vulnerabilities and Exposures Standard from Mitre, 
      which provides standard identifiers and a dictionary for security 
      vulnerabilities related to software flaws.
    * Open Vulnerability and Assessment Language, also from Mitre, a 
      standard Extensible Markup Language for security testing 
      procedures and reporting.
    * Extensible Configuration Checklist Description Format from the 
      National Security Agency and NIST, a standard XML for specifying 
      checklists and reporting results.
    * Common Vulnerability Scoring System from the Forum of Incident 
      Response and Security Teams, a standard for conveying and scoring 
      the impact of vulnerabilities.
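The scoring standard in the list above, CVSS, is what lets SCAP tools "rank them according to severity of impact" as described earlier. The following is an added example, not code from the article or from NIST: it implements the published CVSS v2 base-score equations and ranks a constructed set of findings with them (the finding names and vector strings are placeholders, not real vulnerabilities).

```python
# Added example (not from the article): the public CVSS v2 base-score
# equations, used to rank findings by severity as SCAP tooling does.
import math

# CVSS v2 metric weights from the published v2 equations.
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},   # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},    # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},   # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},    # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},    # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},    # availability impact
}

def parse_vector(vector):
    """Map 'AV:N/AC:L/Au:N/C:P/I:P/A:P' to {metric: weight}; reject bad input."""
    parts = dict(item.split(":", 1) for item in vector.split("/"))
    if set(parts) != set(_WEIGHTS):
        raise ValueError("vector must carry exactly the six base metrics")
    try:
        return {m: _WEIGHTS[m][v] for m, v in parts.items()}
    except KeyError as exc:
        raise ValueError("unknown metric value %s" % exc) from None

def cvss2_base_score(vector):
    """CVSS v2 base score, rounded half-up to one decimal as the spec does."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176  # no impact at all scores 0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10

def severity(score):
    """NVD's qualitative bands for v2 scores."""
    return "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"

def rank_findings(findings):
    """Sort (name, vector) pairs into (name, score, band), highest first."""
    scored = [(n, cvss2_base_score(v), severity(cvss2_base_score(v))) for n, v in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    SAMPLE = [("flaw-a", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),   # constructed placeholders,
              ("flaw-b", "AV:L/AC:L/Au:N/C:N/I:N/A:N"),   # not real vulnerabilities
              ("flaw-c", "AV:N/AC:L/Au:N/C:C/I:C/A:C")]
    for row in rank_findings(SAMPLE):
        print("%-7s %4.1f  %s" % row)
```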

Less mature standards are:

    * Common Configuration Enumeration from Mitre, standard identifiers 
      and dictionary for system security configuration issues.
    * Common Platform Enumeration from Mitre, standard identifiers and a 
      dictionary for platform and product naming.

Mell said that as much as he would like NIST to be able to take credit 
for the advances SCAP has enabled, "I don't think [we] government people 
did anything brilliant. We put a name and a program around what the 
industry already was doing."

But SCAP has made it easier to identify and use those security 
standards, he said. "It gave us more momentum than we would have had with 
a bunch of individual standards."


This archive was generated by hypermail 2.1.3 : Wed Mar 05 2008 - 00:57:06 PST