Security Content Automation Protocol (SCAP)
Security Content Automation Protocol (SCAP) describes a suite of interoperable specifications designed to standardize the formatting and naming conventions used to identify and report on the presence of software flaws, such as misconfigurations and/or vulnerabilities.
- NIST framework that outlines various accepted practices for automating vulnerability scanning
- allows compatible scanners to determine whether a computer meets a configuration baseline
- https://csrc.nist.gov/projects/security-content-automation-protocol/
- Tools
  - OpenSCAP
    - assesses and verifies the system’s adherence to the baseline
SCAP Languages
Open Vulnerability and Assessment Language (OVAL) is an XML schema for describing system security state and querying vulnerability reports and information.
- maintained by MITRE
- helps describe three main aspects of an evaluated system
  - system information
  - machine state
  - reporting
- provides a consistent and interoperable way to collect and assess information
  - regardless of the security tools being used
- https://oval.mitre.org/
Asset Reporting Format (ARF)
- a standard format for expressing assessment reports about assets, independent of any specific application or vendor product, for consistency and interoperability
- https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/arf
Extensible Configuration Checklist Description Format (XCCDF) provides a consistent and standardized way to define benchmark information as well as configuration and security checks to be performed during an assessment.
- an XML schema for developing and auditing best practice configuration checklists and rules
- provides a machine-readable format that can be applied and validated using compatible software
- https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/xccdf
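An XCCDF scanner such as OpenSCAP writes its verdicts into a TestResult element, one rule-result per benchmark rule. The following Python example is added here to show what that machine-readable output looks like and how to consume it; it is not code from NIST, OpenSCAP, or the original notes. The TestResult document, rule ids and host name are constructed for the example, and the pass ratio is a plain count for triage, not one of the XCCDF scoring models. The point worth noticing is that a result of error, unknown or notchecked is not a pass: a summary that only counts failures hides rules the scanner could not evaluate.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed, minimal XCCDF 1.2 TestResult; rule ids and host name are
# made up for this example and do not come from any real benchmark or scan.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
            id="xccdf_example_testresult_demo" end-time="2024-01-01T00:00:00">
  <target>host01.example.invalid</target>
  <rule-result idref="xccdf_example_rule_sshd_disable_root_login"
               severity="high" time="2024-01-01T00:00:00"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_password_max_days"
               severity="medium" time="2024-01-01T00:00:00"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled"
               severity="high" time="2024-01-01T00:00:00"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_legacy_telnet"
               severity="low" time="2024-01-01T00:00:00"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_fips_mode"
               severity="high" time="2024-01-01T00:00:00"><result>error</result></rule-result>
</TestResult>
"""

# Result values that mean "the check produced no verdict"; a report that
# counts only fails would silently hide these rules.
INCONCLUSIVE = {"error", "unknown", "notchecked"}


def parse_rule_results(xml_text):
    """Return a list of (rule id, severity, result) tuples from a TestResult."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rr.find(f"{{{XCCDF_NS}}}result")
        verdict = result.text.strip() if result is not None and result.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), verdict))
    return rows


def summarize(rows):
    """Number of rules per XCCDF result value (pass, fail, error, ...)."""
    return Counter(result for _, _, result in rows)


def failing_rules(rows, severities=("high",)):
    """Rule ids that failed at one of the given severities."""
    return [rid for rid, sev, result in rows if result == "fail" and sev in severities]


def inconclusive_rules(rows):
    """Rule ids whose check errored or was never evaluated."""
    return [rid for rid, _, result in rows if result in INCONCLUSIVE]


def pass_ratio(rows):
    """pass / (pass + fail): a simple triage count, not an XCCDF scoring
    model. Inconclusive and not-applicable rules are left out of the ratio."""
    counts = summarize(rows)
    decided = counts["pass"] + counts["fail"]
    return counts["pass"] / decided if decided else 0.0


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULT)
    print("summary:", dict(summarize(rows)))
    print("high-severity failures:", failing_rules(rows))
    print("inconclusive (need a second look):", inconclusive_rules(rows))
    print(f"pass ratio: {pass_ratio(rows):.2f}")
```

Point the same functions at a real results file (the `--results` output of a scan) by reading it into `parse_rule_results`; the namespace constant is the XCCDF 1.2 one, so XCCDF 1.1 output would need it changed.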
SCAP Identification Schemes
Common Platform Enumeration (CPE) is a scheme for identifying hardware devices, operating systems, and applications.
- is a standardized naming format used to identify systems and software
- consistent language for product names and versions
- developed by MITRE
- https://nvd.nist.gov/products/cpe
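A CPE 2.3 name is written as a colon-separated "formatted string" of eleven attributes after the cpe:2.3 prefix, where * means any value, - means not applicable, and literal colons or other punctuation inside a value are backslash-escaped. The following Python example is added here to show the parsing and matching that SCAP content relies on when it says a check applies to a platform; it is not code from NIST, MITRE, or the original notes. The inventory dictionary, host names and CPE names are constructed for the example, and the matching rule is a simplified version of the CPE name matching: a pattern value of * matches anything, a pattern with wildcards matches by regex, and a specific pattern value never matches an inventory value of * (unknown), so incomplete inventory data does not produce a false hit.

```python
import re

# The eleven attributes of a CPE 2.3 name, in formatted-string order.
CPE23_ATTRS = ("part", "vendor", "product", "version", "update", "edition",
               "language", "sw_edition", "target_sw", "target_hw", "other")


def _split_unescaped(s, sep=":"):
    """Split on separators that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):   # keep escape + character together
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_cpe23(s):
    """Parse a CPE 2.3 formatted string into an attribute dict. Values keep
    their escaped form; '*' means ANY and '-' means not applicable."""
    fields = _split_unescaped(s)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {s!r}")
    return dict(zip(CPE23_ATTRS, fields[2:]))


def _unescape(v):
    """Remove the backslash from escaped characters in an attribute value."""
    return re.sub(r"\\(.)", r"\1", v)


def _value_to_regex(v):
    """Turn one pattern value into a regex: unescaped '*' and '?' are
    wildcards, backslash-escaped characters are literals."""
    out, i = [], 0
    while i < len(v):
        c = v[i]
        if c == "\\" and i + 1 < len(v):
            out.append(re.escape(v[i + 1]))
            i += 2
            continue
        out.append(".*" if c == "*" else "." if c == "?" else re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def cpe_matches(pattern, name):
    """True if every attribute of `name` falls within the corresponding
    attribute of `pattern`. Comparison is case-insensitive, as CPE 2.3
    strings are. Inventory values are treated as literals, and a specific
    pattern value never matches an unknown ('*') inventory value."""
    p, n = parse_cpe23(pattern), parse_cpe23(name)
    for attr in CPE23_ATTRS:
        pv, nv = p[attr], n[attr]
        if pv == "*":
            continue
        if nv == "*":
            return False
        if not re.match(_value_to_regex(pv), _unescape(nv), re.IGNORECASE):
            return False
    return True


# Constructed inventory: host names and CPE names are made up for this example.
INVENTORY = {
    "web01": "cpe:2.3:a:openbsd:openssh:7.4:*:*:*:*:*:*:*",
    "web02": "cpe:2.3:a:openbsd:openssh:8.2p1:*:*:*:*:*:*:*",
    "bastion": "cpe:2.3:a:openbsd:openssh:7.9p1:*:*:*:*:*:*:*",
    "printer": "cpe:2.3:h:acme\\:corp:lp\\-200:*:*:*:*:*:*:*:*",
}


def affected_hosts(pattern, inventory=INVENTORY):
    """Hosts whose recorded CPE name matches a content CPE pattern."""
    return sorted(h for h, cpe in inventory.items() if cpe_matches(pattern, cpe))


if __name__ == "__main__":
    print(parse_cpe23(INVENTORY["printer"]))
    print(affected_hosts("cpe:2.3:a:openbsd:openssh:7.*:*:*:*:*:*:*:*"))
```

The strict field count in `parse_cpe23` is deliberate: an unescaped colon inside a vendor or product name shifts every later attribute by one, so a malformed name should be rejected rather than matched against the wrong fields.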
Common Configuration Enumeration (CCE) is a scheme for provisioning secure configuration checks across multiple sources.
- developed by MITRE and adopted by NIST
- provides a consistent language to share system configuration information
- similar to CVE, except focused on configuration issues which may result in a vulnerability
- https://ncp.nist.gov/cce/
Common Vulnerabilities and Exposures (CVE) is a scheme for identifying vulnerabilities.
Common Vulnerability Scoring System (CVSS) is a system for scoring CVEs.