Plugging holes in the definition of SCAP

On March 11, 2010, in SCAP, by Aharon

We all should know that SCAP stands for “Security Content Automation Protocol”.  Let’s look behind the acronym and into what actually defines an SCAP implementation.

The problem with defining an SCAP implementation is that there really isn’t an industry-standard definition for the term.  This problem is compounded by the current NIST SCAP validation program.  It’s great that NIST has taken the initiative to validate products against individual SCAP standards.  That said, the security vendors and NIST could do a better job of defining the various validations they may confer on products.  For example, a security vendor can be awarded the validation of “Asset Scanner” or “Unauthenticated Vulnerability Scanner” by NIST.  These vendors can then simply claim that they are “SCAP validated”.  The truth is, while these validations do mean the products comply with some of the component standards of SCAP, they do not necessarily provide any sort of security automation.  Can you have SCAP without automation?  It’s at this point that a subjective assessment must be made.  Personally, I believe that by applying component protocols which, when used alone, do not perform automation, one is simply measuring risk.  Without automation, we end up with Security Content Automation Measurement.  Not as nice of an acronym, now is it?

A properly designed SCAP implementation can save time and money by accurately measuring and automating detection using open standards.  What if a consumer seeking to implement an SCAP tool purchases an unauthenticated vulnerability scanner that is labeled as “SCAP validated”?  While the consumer may get accurate vulnerability measurement from this tool, they more than likely will not get time-saving automation from it.  I could even argue that, since the unauthenticated vulnerability scanner uses proprietary technology to detect vulnerabilities, the consumer may actually expend more time identifying false positives.  Implementing individual components of the SCAP standard does not guarantee automation or time savings.

So what is my definition of an SCAP implementation?  Aharon’s definition of an SCAP implementation is: an implementation that uses the individual components of the SCAP standard to accurately measure vulnerabilities and automate detection.  An SCAP implementation for vulnerability management must include implementation of at least CVE (identifiers for publicly known vulnerabilities), CVSS (scoring of their severity), CPE (naming of the platforms and products they affect), and OVAL (a machine-readable language for expressing the checks themselves).  When we only implement a single component of SCAP, we are not implementing automation; and without automation, we only have measurement.  I believe that the spirit of SCAP is to provide this valuable, time-saving automation.
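To make that definition concrete, here is an added illustration (my own example, not code from the original post or from any SCAP-validated product) of how the four components work together in one automated pass: CPE names say what is installed, a simplified OVAL-style definition tests the installed version against the fixed version, a matching definition reports a CVE identifier, and the CVSS v2 base score ranks the result.  The CVSS v2 equations and metric weights are the published ones; the inventory, the definitions and the CVE identifiers are constructed placeholders, and real OVAL definitions are XML with tests, objects and states rather than the dictionaries used here.

```python
"""Added illustration (not from the original post): how CVE, CPE, CVSS and
OVAL-style checks combine into automated vulnerability measurement.

The CVSS v2 base-score equations and constants are the published ones; the
inventory, the definitions and the CVE identifiers below are constructed
placeholders, not real vulnerabilities.
"""
import re

# CVSS v2 base metric weights (published values).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact


def cvss2_base_score(vector):
    """Compute the CVSS v2 base score from a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":") for part in vector.split("/"))
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def parse_cpe(uri):
    """Parse a CPE 2.2 URI ('cpe:/part:vendor:product:version...') into its first four components."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # pad missing trailing components
    part, vendor, product, version = fields[:4]
    return {"part": part, "vendor": vendor, "product": product, "version": version}


def version_tuple(version):
    """Turn a dotted version string into a tuple of integers so versions order numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def is_affected(cpe, definition):
    """Simplified OVAL-style test: same part/vendor/product and installed version below the fix."""
    if (cpe["part"], cpe["vendor"], cpe["product"]) != definition["platform"]:
        return False
    return version_tuple(cpe["version"]) < version_tuple(definition["fixed_in"])


# Constructed inventory: a host's installed software as it would be reported in CPE names.
INVENTORY = [
    "cpe:/a:example:webserver:2.2.14",
    "cpe:/a:example:database:5.1.40",
    "cpe:/o:example:os:10.6.2",
]

# Constructed definitions standing in for OVAL definitions; the CVE ids are placeholders.
DEFINITIONS = [
    {"cve": "CVE-2000-0001", "platform": ("a", "example", "webserver"), "fixed_in": "2.2.15",
     "cvss": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},
    {"cve": "CVE-2000-0002", "platform": ("a", "example", "database"), "fixed_in": "5.1.40",
     "cvss": "AV:N/AC:L/Au:S/C:P/I:P/A:P"},
    {"cve": "CVE-2000-0003", "platform": ("a", "example", "webserver"), "fixed_in": "2.2.10",
     "cvss": "AV:N/AC:M/Au:N/C:P/I:N/A:N"},
    {"cve": "CVE-2000-0004", "platform": ("o", "example", "os"), "fixed_in": "10.6.3",
     "cvss": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},
]


def evaluate(inventory, definitions):
    """Run every definition against every inventory item; return (cve, cpe, score) ranked by score."""
    findings = []
    for uri in inventory:
        cpe = parse_cpe(uri)
        for d in definitions:
            if is_affected(cpe, d):
                findings.append((d["cve"], uri, cvss2_base_score(d["cvss"])))
    return sorted(findings, key=lambda f: (-f[2], f[0]))


if __name__ == "__main__":
    for cve, uri, score in evaluate(INVENTORY, DEFINITIONS):
        print("%s  %-36s  CVSS %.1f" % (cve, uri, score))
```

Run as a script it reports two findings, the web server (CVSS 7.5) ahead of the OS (CVSS 7.2); the database and the already-patched web server check produce nothing because the installed version is not below the fix.  The point of the exercise is the pipeline: once the checks are expressed against CPE names and keyed by CVE, adding a new definition is data, not a new scanner plugin, which is the automation the post is arguing for.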

I would like to see vendors state the true and specific SCAP validation they acquired from NIST.  If companies release tools that use a mix of SCAP standards and proprietary product standards, it could inadvertently give SCAP a bad reputation.  If a product doesn’t work as expected, was it the proprietary product standard that broke, or was it the SCAP standards?  NIST could also help by:

  • Allowing vendors to claim only the specific SCAP components for which their product is certified, instead of stating “SCAP validated”.
  • Requiring that products display the highest awarded SCAP Requirement ID on the product marketing material.
  • Reserving the broad term “SCAP validated” exclusively for products that use SCAP components for both accurate measurement and automation.
 
