By William Jackson
Since its inception several years ago, the Security Content Automation
Protocol (SCAP) has done a lot to help agencies in the uphill battle
against security vulnerabilities, but it hasn't yet gotten them over the
"What has been done to date is useful, but it is not the endgame," said
Peter Mell, who heads the National Institute of Standards and
Technology's SCAP program.
Released by NIST last spring, SCAP is a suite of tools to help automate
vulnerability management and evaluate compliance with federal
information technology security requirements.
It is an expansion of the National Vulnerability Database with an
automated checklist that uses a collection of recognized standards for
naming software flaws and configuration problems in specific products.
But, handy as it can be in scanning for vulnerabilities in a handful of
common operating systems and applications, it does not yet help fix the
problems it finds.
"Some vendors have applied SCAP content to the remediation process, but
we have yet to explore what it means to provide standard references to
automate remediation," Mell said.
Still, it seems that SCAP has been embraced.
NIST is accrediting independent labs for a SCAP product evaluation
program, vendors are producing scanning tools using the protocol, and
agencies are using them to automate compliance with IT security
Take the package
"I first heard about it back in 2007 at a developers conference," said
Matt Oney, security administrator of the Systems Integration Division at
the General Services Administration's Public Buildings Service. "We
decided to take this package and use the tools as much as we can."
Oney works at a data center hosting applications for GSA in Chantilly,
Va., and he rolls out a lot of servers in the course of his work. "We
figured we may as well roll them out in compliance."
NIST developed SCAP in cooperation with the Defense and Homeland
Security departments and Mitre to provide technical specifications for
identifying, enumerating, assigning and sharing security-related data.
Using existing standards developed as guidance for securing IT hardware
and software, SCAP can help test for vulnerabilities and rank them
according to severity of impact.
The checklist files are mapped to NIST specifications for compliance
with the Federal Information Security Management Act so the output can
be used to document FISMA compliance.
It also can be used to check for compliance with the Federal Desktop
Core Configuration (FDCC) requirements for Microsoft Windows XP and
Vista operating systems.
The Office of Management and Budget has said IT vendors must use
validated tools to ensure that their products do not alter FDCC
configurations on desktop PCs, and NIST established a SCAP validation
program last summer.
So far, NIST-approved labs have validated SCAP tools only for scanning
Windows XP Professional SP 2, although FDCC also includes configurations
for Vista. Validations for Vista should be coming soon, said ThreatGuard
Chief Technology Officer Randal Taylor. NIST has been unable to get test
images to the lab for Vista, Taylor said. "As soon as NIST can get that
material to the labs, they will be validated."
"I'm pleased with the progress we have made," Mell said of SCAP. "From a
program point of view, yes, things have moved quickly. But from a
technical point of view, they haven't."
One of the difficulties with SCAP is that it is based on a series of
open standards, some of which date back 10 years and are at varying
levels of maturity. Integrating these standards into a single scheme
that can be implemented in multiple interoperable products is a
The more mature standards in the suite include:
* The Common Vulnerabilities and Exposures Standard from Mitre,
which provides standard identifiers and a dictionary for security
vulnerabilities related to software flaws.
* Open Vulnerability and Assessment Language, also from Mitre, a
standard Extensible Markup Language for security testing
procedures and reporting.
* Extensible Configuration Checklist Description Format from the
National Security Agency and NIST, a standard XML for specifying
checklists and reporting results.
* Common Vulnerability Scoring System from the Forum of Incident
Response and Security Teams, a standard for conveying and scoring
the impact of vulnerabilities.
Less mature standards are:
* Common Configuration Enumeration from Mitre, standard identifiers
and dictionary for system security configuration issues.
* Common Platform Enumeration from Mitre, standard identifiers and a
dictionary for platform and product naming.
Mell said that as much as he would like NIST to be able to take credit
for the advances SCAP has enabled, "I don't think [we] government people
did anything brilliant. We put a name and a program around what the
industry already was doing."
But SCAP has made it easier to identify and use those security
standards, he said. "It gave us more momentum than we would have had with
a bunch of individual standards."