Security Content Automation Protocol

The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.

Purpose

The Security Content Automation Protocol (SCAP), pronounced “S-Cap”, combines a number of open standards that are used to enumerate software flaws and configuration issues related to security. They measure systems to find vulnerabilities and offer methods to score those findings in order to evaluate the possible impact. SCAP is, in short, a method for using those open standards for automated vulnerability management, measurement, and policy compliance evaluation. SCAP defines how the following standards (referred to as SCAP 'Components') are combined:

SCAP Components

* [http://cve.mitre.org/ Common Vulnerabilities and Exposures (CVE)]
* [http://cce.mitre.org/ Common Configuration Enumeration (CCE)]
* [http://cpe.mitre.org/ Common Platform Enumeration (CPE)]
* [http://nvd.nist.gov/cvss.cfm?version=2 Common Vulnerability Scoring System (CVSS)]
* [http://nvd.nist.gov/xccdf.cfm Extensible Configuration Checklist Description Format (XCCDF)]
* [http://oval.mitre.org/ Open Vulnerability and Assessment Language (OVAL)]
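The scoring method the article refers to is CVSS; as an added example (not code from NVD, NIST or the article), the calculator below implements the CVSS v2 base-score equations and NVD's v2 severity bands, so a finding's vector string can be turned into the impact score an SCAP scanner reports. The vector strings used are constructed samples.

```python
# Added example: CVSS v2 base-score calculator (not NVD's or NIST's own code).
# Weights and equations follow the CVSS v2 base-metric group; vectors are constructed.
import re

ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local / Adjacent / Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High / Medium / Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple / Single / None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None / Partial / Complete

# Base vector grammar: AV:x/AC:x/Au:x/C:x/I:x/A:x (temporal/environmental omitted)
VECTOR_RE = re.compile(r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$")


def round_to_1_decimal(x):
    """Round half up to one decimal place; float round() would use banker's rounding."""
    return int(x * 10 + 0.5) / 10.0


def cvss2_base_score(vector):
    """Return the CVSS v2 base score (0.0 to 10.0) for a base vector string."""
    m = VECTOR_RE.match(vector)
    if m is None:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = m.groups()
    # Impact sub-score: combined loss of confidentiality, integrity, availability
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    # Exploitability sub-score: how easily the flaw can be reached and triggered
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    # f(Impact) forces a zero score when the flaw has no impact at all
    f_impact = 0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score):
    """NVD severity bands for CVSS v2: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rate_findings(findings):
    """Map {finding_id: vector} to {finding_id: (score, severity)} for a report."""
    return {fid: (cvss2_base_score(v), severity(cvss2_base_score(v)))
            for fid, v in findings.items()}


if __name__ == "__main__":
    # Constructed sample findings; the identifiers are placeholders, not real CVE ids.
    sample = {"FINDING-1": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
              "FINDING-2": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}
    for fid, (score, sev) in rate_findings(sample).items():
        print(fid, score, sev)
```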

These components can be used to build products that have SCAP Capabilities:

SCAP Capabilities

* Federal Desktop Core Configuration (FDCC) Scanner
* Authenticated Configuration Scanner
* Authenticated Vulnerability Scanner
* Unauthenticated Vulnerability Scanner
* Intrusion Detection and Prevention
* Patch Remediation
* Mis-configuration Remediation
* Asset Management
* Asset Database
* Vulnerability Database
* Mis-configuration Database
* Malware Tool

Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations and the NIST Special Publication 800-53 Revision 1 (SP 800-53 Rev1) controls framework. The current version of SCAP is meant to perform initial measurement and continuous monitoring of security settings and corresponding SP 800-53 Rev1 controls. Future versions will likely standardize and enable automation for implementing and changing security settings of corresponding SP 800-53 Rev1 controls. In this way, SCAP contributes to the implementation, assessment, and monitoring steps of the NIST Risk Management Framework. Accordingly, SCAP is an integral part of the NIST [http://csrc.nist.gov/groups/SMA/fisma/index.html FISMA] implementation project.

SCAP Validation Program

Security programs overseen by NIST focus on working with government and industry to establish more secure systems and networks by developing, managing and promoting security assessment tools, techniques, services, and supporting programs for testing, evaluation and validation. These programs address such areas as: development and maintenance of security metrics, security evaluation criteria and evaluation methodologies, tests and test methods; security-specific criteria for laboratory accreditation; guidance on the use of evaluated and tested products; research to address assurance methods and system-wide security and assessment methodologies; security protocol validation activities; and appropriate coordination with assessment-related activities of voluntary industry standards bodies and other assessment regimes.

Independent third-party testing assures the customer or user that the product meets the NIST specifications. The SCAP standards can be complex, and several configurations must be tested for each component and capability to ensure that the product meets the requirements. A third-party lab (accredited by [http://ts.nist.gov/standards/accreditation/index.cfm NVLAP]) provides assurance that the product has been thoroughly tested and has been found to meet all of the requirements.

A vendor seeking validation of a product that implements an SCAP component (CVE, CCE, CPE, CVSS, XCCDF or OVAL) or capability (Federal Desktop Core Configuration (FDCC) Scanner, Authenticated Configuration Scanner, Authenticated Vulnerability Scanner, Unauthenticated Vulnerability Scanner, Intrusion Detection and Prevention, Patch Remediation, Mis-configuration Remediation, Asset Management, Asset Database, Vulnerability Database, Mis-configuration Database or Malware Tool) should contact an NVLAP-accredited SCAP validation laboratory for assistance in the validation process.

A customer who is subject to the FISMA requirements, or who wants to use security products that have been tested and validated to the SCAP standard by an independent third-party laboratory, should visit the [http://nvd.nist.gov/scapproducts.cfm SCAP validated products web page] to verify the status of the product(s) being considered.

External links

* [http://scap.nist.gov Security Content Automation Protocol web site]
* [http://nvd.nist.gov National Vulnerability Database web site]


Wikimedia Foundation. 2010.