cargenio edited this page Jun 4, 2020 · 2 revisions

Introduction

SCAP v2

SCAP v2 standardizes protocols and an architecture that allow security tools to interoperate. A common interface lets security assessments that use multiple tools run from a single set of guidance. SCAP v2 also supports event-driven data collection and the uptake of security baseline updates as they are published, giving security administrators a continuous, ongoing understanding of the state of their enterprise.

SCAP v2 builds on the foundation provided by SCAP v1 by integrating additional standardized data models and interfaces that improve collection and assessment capabilities and interoperability among tools.

SCAP v2 is a community effort. Get involved here.

What is SCAP

The Security Content Automation Protocol (SCAP) is a suite of specifications first published in 2009 that standardize the assessment of endpoints across multiple enterprise security use cases including:

  • Configuration Management

  • Software Inventory Management

  • Hardware Asset Management

  • Vulnerability Management

SCAP does this by providing:

  • a common language to talk about different aspects of endpoint assessment including common identifiers for expressing vulnerabilities, platforms, and configuration items

  • a common format for expressing security configuration guidance, and

  • a common expression of information to collect from endpoints and how to assess it.

SCAP Content and Scanners

SCAP content is the baseline against which SCAP scanning tools compare the systems they scan. Content can be sorted and filtered to a user’s need, and it is intended to be easily created, modified, combined, reused, packaged and shared. Repositories of existing SCAP content can be found here. (Insert link to repositories)

SCAP Scanners are tools that compare a computer or application configuration and/or patch level against that of the SCAP content baseline. Scanners are capable of performing compliance verification using SCAP content and authenticated vulnerability scanning using OVAL content.

Many commercial and open-source SCAP scanners are available, ranging from enterprise-level scanning to personal computer use. Many SCAP-validated applications can interoperate with other SCAP-validated scanners (Insert link to scanners) and express results in a standardized way.

Use cases

SCAP supports several use cases including software inventory, vulnerability management, and configuration management. The following sections describe how the new architecture can be applied to support each use case.

Software Inventory

Software asset management is an information security continuous monitoring capability that identifies unauthorized software on devices, which attackers are likely to use as a platform from which to extend a compromise across the network, so that it can be mitigated. [insert reference here]

Software policies can be written using open, standardized formats (SCAP) that allow these policies to be assessed using any SCAP-compliant tool. With these policies, an SCAP tool can gather software inventory information from endpoints and compare it against these policies using automated procedures. The result is a report of all endpoints that diverge from policy and what led to this determination.


Figure 1: Identifying Software and Available Patches for Endpoints

Vulnerability Assessment

Vulnerability management is an information security continuous monitoring capability that identifies vulnerabilities on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network. [insert reference here]

Similar to software policies, security advisories can be written using SCAP formats that allow these advisories to be assessed using any SCAP-compliant tool. With these advisories, an SCAP tool can gather software inventory and configuration information from endpoints and compare it against these advisories in an automated fashion. The result is a report of all endpoints that have vulnerable software present. Furthermore, applicable advisories can be selected in an automated fashion using the software inventory data collected from endpoints as described in the SCAP Software Asset Management use case.


Figure 1: Identifying Software and Security Advisories for Endpoints

Configuration Settings Assessment

Configuration settings management is an information security continuous monitoring capability that identifies configuration settings on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network. [insert reference here]

Security configuration baselines can also be expressed using SCAP formats and then be assessed using any SCAP-compliant tool. An SCAP tool can gather configuration settings information from endpoints and compare it against these baselines using automated procedures. The result is a report of all endpoints that are not compliant with the baseline. Similar to the vulnerability management use case, applicable baselines can be automatically selected by mapping the set of software applicable to those baselines against the software inventory data collected from endpoints, as described in the SCAP Software Asset Management use case.


Figure 1: Steps for Selecting and Applying SCAP Benchmarks
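The vulnerability assessment and configuration settings assessment use cases above share one workflow: collect each endpoint's software inventory, select only the advisories (or baselines) whose applicable software is present in that inventory, assess the applicable ones, and report which endpoints diverge and why. The following Python script is an added illustration of that selection-and-assessment step; it is not code from the SCAP project, and the endpoint inventories, product names and advisory identifiers are constructed placeholders rather than real CPE or CVE values.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed sample data (not real CPE/CVE values): a per-endpoint software
# inventory keyed by a CPE-like product name, with the installed version.
INVENTORY = {
    "host-a": {"example:webserver": "2.4.1", "example:dbengine": "10.2.0"},
    "host-b": {"example:webserver": "2.4.8"},
    "host-c": {"example:dbengine": "9.9.0", "example:editor": "1.0.0"},
}

@dataclass
class Advisory:
    id: str        # placeholder advisory identifier
    product: str   # product the advisory applies to
    fixed_in: str  # first non-vulnerable version (exclusive upper bound)

ADVISORIES = [
    Advisory("ADV-EXAMPLE-0001", "example:webserver", "2.4.5"),
    Advisory("ADV-EXAMPLE-0002", "example:dbengine", "10.0.0"),
    Advisory("ADV-EXAMPLE-0003", "example:mailrelay", "3.1.0"),
]

def version_key(v: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple that compares numerically,
    so that 10.0.0 sorts above 9.9.0 (a plain string compare would not)."""
    return tuple(int(part) for part in v.split("."))

def applicable_advisories(inventory, advisories):
    """Selection step: an advisory applies to an endpoint only if the product
    it names appears in that endpoint's software inventory."""
    return [adv for adv in advisories if adv.product in inventory]

def assess_endpoint(inventory, advisories):
    """Assessment step: of the applicable advisories, return those whose
    installed version is below the fixed version, i.e. still vulnerable."""
    findings = []
    for adv in applicable_advisories(inventory, advisories):
        installed = inventory[adv.product]
        if version_key(installed) < version_key(adv.fixed_in):
            findings.append((adv.id, adv.product, installed, adv.fixed_in))
    return findings

def report(all_inventories, advisories):
    """Report step: endpoints with vulnerable software, each mapped to the
    evidence (advisory, product, installed and fixed versions)."""
    return {host: f for host, inv in all_inventories.items()
            if (f := assess_endpoint(inv, advisories))}

if __name__ == "__main__":
    for host, findings in report(INVENTORY, ADVISORIES).items():
        for adv_id, product, installed, fixed in findings:
            print(f"{host}: {product} {installed} < {fixed} ({adv_id})")
```

Swapping the advisory list for a set of configuration baselines keyed by applicable product gives the same selection step for the configuration settings use case.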

Benefits of Using SCAP

Software asset management, vulnerability assessment, and configuration management using SCAP provide a number of benefits over non-standards-based solutions.

  • Transparency of Operations: See exactly what information is collected from endpoints and how it is assessed

  • Standardized Data: Software inventory, vulnerability, and configuration data is represented using open and standardized formats

  • Event-Driven Updates: Software inventory data is updated whenever software is installed, updated, or removed and configuration data is updated when a setting is changed

  • Interoperability Among Products: Standardized formats, interfaces, and protocols enable interoperability and best-of-breed product selection

  • Reusable Data: Real-time software inventory, vulnerability, and configuration data supports a wide range of use cases including asset counting, license management, vulnerability assessment, configuration settings management, anomalous behavior detection, and threat information.
