DOD tests vulnerability management tools

DOD tests vulnerability management tools
DOD tests vulnerability management tools 

By Jason Miller
Sept. 19, 2007

The Defense Department is testing a process to automate system 
vulnerability collection data from across the services and military 

The Security Content Automation Protocol [1] (SCAP) eventually will use 
Web services and a service-oriented architecture to scan as many as 1 
million information technology assets to manage vulnerabilities and deal 
with possible threats.

SCAP will help DOD, and eventually other agencies, examine how security 
content automation will help achieve compliance with the Federal 
Information Security Management Act and other cybersecurity directives 
and improve overall IT security.

"The pilot using the SCAP protocols will give us more advanced 
capabilities and optimize current business practices," said Ryan Larson, 
of the National Security Agency's systems information assurance systems 
engineering office. "We want to develop plans to implement Web services 
to expose network defense data enterprisewide."

The Army tested about 30,000 assets, which gave the service a better 
understanding of what was vulnerable and what was safe, DOD officials 
said today at the National Institute of Standards and Technology 
Security Automation Conference.

DOD and other agencies face a number of issues in automating 
vulnerability data. For example, the Army found that officials defined 
systems, hardware and software differently. Officials also said they 
found that sometimes people didn't report important incidents or 
potential problems because they didn't think they were important.

Through this SCAP effort, officials say this will change.

Joe Wolfkiel, chief of DOD's computer network defense research 
technology office, said his group is developing a data exchange model to 
help deal with taxonomy issues.

"We had to set up the constructs of what information the network 
defender cares about and then build the SCAP standards around that," he 

The data exchange model eventually will use Web services to obtain data 
from five areas of the network:

    * Assets -- what is connected to the network.

    * Vulnerabilities -- which platforms, hardware and software have 
      potential problems and the severity of those problems.

    * Events -- where vulnerabilities happen on the network in basic 

    * Incident -- what happened, who caused it and what assets was it 
      directed against.

    * Threats -- how they negatively affected the network.

Wolfkiel said that when the testing is done, DOD will turn over the data 
exchange model and lessons to NIST to figure out if the agency should 
take this governmentwide.

"NIST can decide to define the schemas and publish them as Web services 
so we can all use the same thing," he said.

Margaret Myers, DOD's deputy chief information officer, said the SCAP 
work will have the biggest effect on a common vocabulary.

"Once you do that, then you can tag and expose the data and use Web 
services to give access across the department," she said. "Then people 
will understand what the data means and how they can improve their cyber 


CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - 

Site design & layout copyright © 1986-2015 CodeGods