In Depth
How SCAP Brought Sanity to Vulnerability Management
Orbitz CISO Ed Bellis explains how the proliferation of vulnerability assessment products and services has created chaos, and how SCAP may be the answer.
By Ed Bellis, Orbitz CISO
That's a heck of a lot of acronyms. Let's see how this helps me in building a real solution.
As the head of a vulnerability management program, as discussed earlier, I am sitting on data from application security assessment tools, host and network scanners, and database vulnerability and configuration scanners.
In reality, this includes multiple products and services for application security, as well as multiple tools for host and network assessments.
I set out by taking advantage of APIs when available from the assessment tool providers as well as XML data feeds. Utilizing the code I've just written to automate the movement of the data, I now need to map this information to a normalized schema, taking advantage of the SCAP standards. This is a big deal!
I now have a common way to describe the vulnerabilities. I can eliminate duplicates that reference the same CVE on the same platforms.
I can score many of these using CVSS, which not only gives me a common scoring formula but is also now used by audit standards such as the PCI DSS, which is very helpful in my world of e-commerce.
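As an added illustration (not code from the article or from Orbitz), here is what the normalization step described above can look like in Python: two constructed feeds, one XML and one JSON, are mapped onto a common record keyed on CVE and CPE platform, duplicates of the same CVE on the same platform and host are collapsed, and a CVSS base score from a constructed lookup table (standing in for NVD) drives prioritization. The tool names, feed formats, CVE numbers and scores are all assumptions.

```python
import json
import xml.etree.ElementTree as ET
# Constructed sample exports standing in for two assessment tools' feeds.
HOST_SCAN_XML = """<report>
  <finding cve="CVE-2010-0001" host="web01" cpe="cpe:/a:apache:httpd:2.2"/>
  <finding cve="CVE-2010-0002" host="db01" cpe="cpe:/a:oracle:database:10g"/>
</report>"""
APP_SCAN_JSON = """[
  {"cve_id": "CVE-2010-0001", "asset": "web01", "platform": "cpe:/a:apache:httpd:2.2"},
  {"cve_id": "CVE-2010-0003", "asset": "web01", "platform": "cpe:/a:apache:httpd:2.2"},
  {"cve_id": "CVE-2010-0003", "asset": "web01", "platform": "cpe:/a:apache:httpd:2.2"}
]"""
# Constructed CVSS base scores; in practice they are looked up from NVD per CVE.
CVSS_BASE = {"CVE-2010-0001": 7.5, "CVE-2010-0002": 4.3, "CVE-2010-0003": 2.1}

def from_host_scan(xml_text):
    """Map the host scanner's XML attributes onto the common (cve, cpe, host) record."""
    return [{"cve": f.get("cve"), "cpe": f.get("cpe"), "host": f.get("host")}
            for f in ET.fromstring(xml_text).iter("finding")]

def from_app_scan(json_text):
    """Map the application scanner's JSON fields onto the same record shape."""
    return [{"cve": r["cve_id"], "cpe": r["platform"], "host": r["asset"]}
            for r in json.loads(json_text)]

def normalize(feeds, scores, threshold=4.0):
    """Merge per-tool feeds, drop duplicates of one CVE on one platform/host,
    attach the CVSS base score and flag findings at or above `threshold`
    (4.0 is the CVSS base score at which a PCI DSS ASV scan fails)."""
    merged = {}
    for source, records in feeds.items():
        for r in records:
            key = (r["cve"], r["cpe"], r["host"])
            entry = merged.setdefault(key, {**r, "cvss": scores.get(r["cve"]), "sources": set()})
            entry["sources"].add(source)   # remember every tool that saw it
    for e in merged.values():
        e["sources"] = sorted(e["sources"])
        e["priority"] = e["cvss"] is not None and e["cvss"] >= threshold
    # Unscored CVEs sort last so a missing score is visible, not buried.
    return sorted(merged.values(), key=lambda e: (e["cvss"] is None, -(e["cvss"] or 0)))

def build_report():
    feeds = {"host-scanner": from_host_scan(HOST_SCAN_XML),
             "app-scanner": from_app_scan(APP_SCAN_JSON)}
    return normalize(feeds, CVSS_BASE)

if __name__ == "__main__":
    for e in build_report():
        print(e["cve"], e["host"], e["cvss"], e["priority"], e["sources"])
```

The resulting records are what a remediation connector would hand to a bug tracker, one ticket per CVE/platform/host rather than one per tool that happened to report it.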
Connecting the Dots
Once I have all of my vulnerability information stored in a centralized data store, I can create reporting and metrics that give management a view into our security vulnerability state across all applications, hosts, networks, databases, etc. This centralized and normalized data also gives the CISO and technology management the ability to prioritize security-bug-fixing work.
From there I can now build connectors into my remediation systems, such as bug trackers and trouble ticketing systems, closing the time from identification to remediation dramatically.
In the end I hope to address this heaping data issue, giving security teams the ability to once again automate the mundane and repeatable, and at the same time to shrink the "time to close" gap that organizations often suffer from.
I'm not quite there yet, but I'm getting awfully close. Care to help me out?
Ed Bellis is CISO of Orbitz.