SCAP narrows security gap
Protocol helps find vulnerabilities; next step is to help fix them
Since its inception several years ago, the Security Content Automation Protocol (SCAP) has done a lot to help agencies in the uphill battle against security vulnerabilities, but it hasn't yet gotten them over the top.
'What has been done to date is useful, but it is not the endgame,' said Peter Mell, who heads the National Institute of Standards and Technology's SCAP program.
Released by NIST last spring, SCAP is a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements.
It is an expansion of the National Vulnerability Database with an automated checklist that uses a collection of recognized standards for naming software flaws and configuration problems in specific products.
But, handy as it can be in scanning for vulnerabilities in a handful of common operating systems and applications, it does not yet help fix the problems it finds.
Some vendors have applied SCAP content to the remediation process, but 'we have yet to explore what it means to provide standard references to automate remediation,' Mell said.
Still, it seems that SCAP has been embraced.
NIST is accrediting independent labs for a SCAP product evaluation program, vendors are producing scanning tools using the protocol, and agencies are using them to automate compliance with IT security regulations.
'Take the package'
'I first heard about it back in 2007' at a developers' conference, said Matt Oney, security administrator of the Systems Integration Division at the General Services Administration's Public Buildings Service. 'We decided to take this package and use the tools as much as we can.'
Oney works at a data center hosting applications for GSA in Chantilly, Va., and he rolls out a lot of servers in the course of his work. 'We figured we may as well roll them out in compliance.'
NIST developed SCAP in cooperation with the Defense and Homeland Security departments and Mitre to provide technical specifications for identifying, enumerating, assigning and sharing security-related data. Using existing standards developed as guidance for securing IT hardware and software, SCAP can help test for vulnerabilities and rank them according to severity of impact.
The checklist files are mapped to NIST specifications for compliance with the Federal Information Security Management Act so the output can be used to document FISMA compliance.
It also can be used to check for compliance with the Federal Desktop Core Configuration (FDCC) requirements for Microsoft Windows XP and Vista operating systems.
The Office of Management and Budget has said IT vendors must use validated tools to ensure that their products do not alter FDCC configurations on desktop PCs, and NIST established a SCAP validation program last summer.
So far, NIST-approved labs have validated SCAP tools only for scanning Windows XP Professional SP 2 although FDCC also includes configurations for Vista. Validations for Vista should be coming soon, said ThreatGuard Chief Technology Officer Randal Taylor. 'NIST has been unable to get test images to the lab' for Vista, Taylor said. 'As soon as NIST can get that material to the labs, they will be validated.'
'I'm pleased with the progress we have made,' Mell said of SCAP. 'From a program point of view, yes, things have moved quickly. But from a technical point of view, they haven't.'
One of the difficulties with SCAP is that it is based on a series of open standards, some of which date back 10 years and are at varying levels of maturity. Integrating these standards into a single scheme that can be implemented in multiple interoperable products is a challenge.
The more mature standards in the suite include:
- The Common Vulnerabilities and Exposures Standard from Mitre, which provides standard identifiers and a dictionary for security vulnerabilities related to software flaws.
- Open Vulnerability and Assessment Language, also from Mitre, a standard Extensible Markup Language for security testing procedures and reporting.
- Extensible Configuration Checklist Description Format from the National Security Agency and NIST, a standard XML for specifying checklists and reporting results.
- Common Vulnerability Scoring System from the Forum of Incident Response and Security Teams, a standard for conveying and scoring the impact of vulnerabilities.
Less mature standards are:
- Common Configuration Enumeration from Mitre, standard identifiers and a dictionary for system security configuration issues.
- Common Platform Enumeration from Mitre, standard identifiers and a dictionary for platform and product naming.
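To show how these standards interlock in machine-readable content, the following is an added example; it is not code from the article, from NIST or from any SCAP vendor. It parses a constructed XCCDF checklist-result document in which the platform is named by a CPE identifier, each rule carries a CCE identifier, and each rule has a pass/fail result, and it computes CVSS version 2 base scores (the CVSS equations current when SCAP was released) from vector strings so that findings can be ranked by impact. The XCCDF 1.1 namespace and element names are assumed from the published specification; the benchmark, rule and CCE identifiers in the sample are placeholders, not real dictionary entries.

```python
"""Added example: reading SCAP component data (XCCDF + CPE + CCE) and
scoring findings with CVSS v2. Not taken from the article or from NIST.

The XCCDF document below is constructed for this example; its rule and
CCE identifiers are placeholders, not entries in the real CCE dictionary.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"   # XCCDF 1.1 namespace (assumed from spec)
CCE_SYSTEM = "http://cce.mitre.org"                  # <ident system="..."> URI used for CCE ids

# Constructed XCCDF benchmark with embedded results (placeholder identifiers).
SAMPLE_XCCDF = f"""<Benchmark xmlns="{XCCDF_NS}" id="example-benchmark">
  <platform idref="cpe:/o:microsoft:windows_xp::sp2"/>
  <Rule id="rule-password-min-length" severity="medium">
    <title>Minimum password length</title>
    <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-0001</ident>
  </Rule>
  <Rule id="rule-guest-account" severity="high">
    <title>Guest account disabled</title>
    <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-0002</ident>
  </Rule>
  <TestResult id="example-result">
    <rule-result idref="rule-password-min-length"><result>pass</result></rule-result>
    <rule-result idref="rule-guest-account"><result>fail</result></rule-result>
  </TestResult>
</Benchmark>
"""


def _tag(name):
    """Qualify an XCCDF element name with its namespace for ElementTree."""
    return f"{{{XCCDF_NS}}}{name}"


def summarize_xccdf(xml_text):
    """Return the CPE platform(s), per-rule CCE ids/results, and result counts."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall(_tag("platform"))]
    rules = {}
    for rule in root.iter(_tag("Rule")):          # iter() also finds rules nested in <Group>
        cces = [i.text.strip() for i in rule.findall(_tag("ident"))
                if i.get("system") == CCE_SYSTEM and i.text]
        rules[rule.get("id")] = {"severity": rule.get("severity"),
                                 "cce": cces, "result": None}
    for rr in root.iter(_tag("rule-result")):
        res = rr.find(_tag("result"))
        if rr.get("idref") in rules and res is not None and res.text:
            rules[rr.get("idref")]["result"] = res.text.strip()
    counts = {}
    for r in rules.values():
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    return {"platforms": platforms, "rules": rules, "counts": counts}


# CVSS v2 base-metric weights, as published in the CVSS v2 guide.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},      # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},      # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},      # availability impact
}


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    metrics = dict(part.split(":", 1) for part in vector.split("/"))
    missing = [k for k in CVSS2_WEIGHTS if k not in metrics]
    if missing:
        raise ValueError(f"vector lacks base metrics: {missing}")
    w = {k: CVSS2_WEIGHTS[k][metrics[k]] for k in CVSS2_WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10                # round half up to one decimal


if __name__ == "__main__":
    summary = summarize_xccdf(SAMPLE_XCCDF)
    print("platforms:", summary["platforms"])
    for rule_id, info in summary["rules"].items():
        print(f"{rule_id}: {info['result']} (CCE {', '.join(info['cce'])}, {info['severity']})")
    print("counts:", summary["counts"])
    print("CVSS v2 AV:N/AC:L/Au:N/C:P/I:P/A:P ->", cvss2_base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P"))
```

The point of the pairing is that the identifiers are what make the output portable: a FISMA or FDCC report built from this summary can cite the CPE platform and the CCE ids, and a scanner that emits the same ids can be compared against another vendor's tool, which is the interoperability the article says SCAP is meant to deliver.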
Mell said that as much as he would like NIST to be able to take credit for the advances SCAP has enabled, 'I don't think [we] government people did anything brilliant. We put a name and a program around what the industry already was doing.'
But SCAP has made it easier to identify and use those security standards, he said. 'It gave us more momentum than we would have had with a bunch of individual standards.'