How SCAP Brought Sanity to Vulnerability Management
Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
By Ed Bellis, Orbitz CISO
- Schema normalization: All vulnerability data needs to be described in the same manner to compare apples to apples across host, network, application and database vulnerabilities.
- Use existing standards (where possible): Don't reinvent the wheel.
- Connect the data: If we don't do this, we're not solving the problem! The primary purpose of our solution is to eliminate these silos of data, reporting and tracking.
- Define our metrics: I thought this might be one of the easier requirements; after all, we already have some vulnerability metrics as part of our current program. Lo and behold, as I drilled deeper into this, I discovered once this data is tied together it gives us additional views and metrics to track and measure our success.
- Useful reporting: Once I have centralized, normalized and correlated this data, I have the ability to crack open the database and sort this any way I see fit.
- Keep it simple: Enough said.
Enter the Security Content Automation Protocol (SCAP)
What's SCAP, you ask? Until last year I hadn't heard of it either. I was struggling with some development I had taken on myself to help address the problem.
It became a personal project of mine to go out and build something to solve this ever-growing issue.
I was making some progress on a caffeine-fueled weekend development bender when reality hit me in the face.
I'd been successful at building some automated connectors to "move" much of the data, but how on earth was I going to describe this data in common terms and normalize the vulnerabilities?
That week I happened to send out a "tweet" on Twitter describing my new, painful reality when a friend and follower of mine, Mike Smith (@rybolov on Twitter), responded with, "You need SCAP!"
I looked it up and found that SCAP is part of the Information Security Automation Program and is made up of a collection of existing standards. These standards include some that many of us are already familiar with, such as the Common Vulnerabilities and Exposures (CVE) and the Common Vulnerability Scoring System (CVSS). Additionally, it includes:
- The Common Platform Enumeration (CPE), a standard to describe a specific hardware, OS and software configuration. This is helpful for enumerating assets, giving you your baseline information to apply all of this data.
- The Common Configuration Enumeration (CCE), very similar to CVE but dealing with misconfiguration issues.
- The Open Vulnerability and Assessment Language (OVAL), to provide schemas that describe the inventory of a computer, the configuration on that computer and a report of what vulnerabilities were found on that computer.
- The Extensible Configuration Checklist Description Format (XCCDF), a description language to help you apply your technical policies and standards to your scanning tools.
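To make the "schema normalization" and "connect the data" requirements concrete, here is an added example (not code from the article or from Orbitz) that maps findings from two hypothetical tools onto one record keyed by asset and CVE, scored with the CVSS v2 base equation and tagged with a parsed CPE 2.2 URI. The tool schemas, host names, CVE IDs and CPE names are constructed placeholders.

```python
from collections import defaultdict
# CVSS v2 base metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

def cvss2_base(vector):
    """Base score for a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)

def parse_cpe(uri):
    """Split a CPE 2.2 URI (cpe:/part:vendor:product:version) into fields."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = (uri[5:].split(":") + [""] * 4)[:4]
    return dict(zip(("part", "vendor", "product", "version"), fields))

# Constructed output of two hypothetical tools; IDs and names are placeholders.
NETWORK_SCAN = [{"host": "web01", "cve": "CVE-0000-0001",
                 "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
                 "cpe": "cpe:/a:example_vendor:example_httpd:1.0"}]
APP_SCAN = [{"target": "web01", "vuln_id": "cve-0000-0001",
             "cvss2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
             "platform": "cpe:/a:example_vendor:example_httpd:1.0"},
            {"target": "db02", "vuln_id": "CVE-0000-0002",
             "cvss2": "AV:L/AC:H/Au:S/C:N/I:N/A:P",
             "platform": "cpe:/o:example_vendor:example_os"}]

def normalize(tool, rec, keys):
    """Map one tool-specific record onto the common schema."""
    asset, cve, vector, cpe = (rec[k] for k in keys)
    return {"tool": tool, "asset": asset, "cve": cve.upper(),
            "score": cvss2_base(vector), "platform": parse_cpe(cpe)}

def correlate():
    """Merge both tools' findings into one record per (asset, CVE)."""
    rows = [normalize("network", r, ("host", "cve", "vector", "cpe")) for r in NETWORK_SCAN]
    rows += [normalize("app", r, ("target", "vuln_id", "cvss2", "platform")) for r in APP_SCAN]
    merged = defaultdict(lambda: {"tools": set()})
    for row in rows:
        entry = merged[(row["asset"], row["cve"])]
        entry["tools"].add(row["tool"])
        entry.update(score=row["score"], platform=row["platform"])
    return dict(merged)
```

Calling `correlate()` yields two records: the `web01` finding reported by both tools collapses into one entry, which is the de-duplication that separate per-tool reports cannot give you.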