SCAP Beta Will Boost Enterprise Compliance Efforts

By Cameron Sturdevant  |  Posted 2007-08-01 Print this article Print

Tech Analysis: The NSA's beta could streamline the way civilian organizations enable automated vulnerability management.

LAS VEGAS—SCAP, the Security Content Automation Protocol now in beta development at the National Security Agency, could streamline the way civilian organizations enable automated vulnerability management and compliance with regulations, including FISMA. Discussed at a full-capacity crowd keynote speech at the Black Hat 2007 briefing given by Tony Sager, chief of the Vulnerability Analysis and Operations Group at the NSA, SCAP should be included in proposal requests that security managers send to vendors.
SCAP uses data feeds from the NVD (National Vulnerability Database), which is defined and maintained by the National Institute of Standards and Technology, better known as NIST. SCAP is an open standard, and the NVD is available license-free.
Read here about how Black Hats demonstrations shattered common myths about hackers. SCAP uses information from six open standards, including CVE (Common Vulnerability and Exposures) and CCE (Common Configuration Enumeration ), both overseen by MITRE, along with data provided by the XCCDF (eXtensible Configuration Checklist Description Format), a standard XML expression for specifying checklists and reporting results from those checklists. Although it seems like a bottomless pit of alphabet soup, SCAP basically boils down to a way for organizations to specify how systems and applications should be equipped to report their current security configuration and a way for external tools to be used to confirm these configurations to generate reports. Most of the literature around SCAP and Sagers comments focused on FISMA (Federal Information Security Management Act) compliance, which guides how the federal government and contractors secure computers and data networks. However, security managers can use SCAP reporting tools to issue break-fix reports that actually dispatch technicians to ensure that out-of-compliance machines are remediated. According to Sager at Blackhat, "SCAP is focused on automating compliance. Its an evolving and very exciting development." The list of standards that supply data to the NVD that SCAP uses to determine compliance are impressive. Security managers who are faced with vulnerability management will likely benefit from bringing a degree of uniformity to their assessment, remediation and reporting efforts that SCAP and SCAP-enabled tools will offer. SCAP content is made up of security checklists data in XML format. The checklist data is built using efforts from a variety of U.S. government security and military groups. The data enumerates product names, vulnerabilities associated with those products and standards for reporting a score that indicates the seriousness of the vulnerability. SCAP scans look not only at the vulnerabilities in specific products, but also at the way in which those products are configured. Configuration issues and software flaws all generate impact scores that are reported. Labs Technical Director Cameron Sturdevant can be reached at Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Cameron Sturdevant Cameron Sturdevant is the executive editor of Enterprise Networking Planet. Prior to ENP, Cameron was technical analyst at PCWeek Labs, starting in 1997. Cameron finished up as the eWEEK Labs Technical Director in 2012. Before his extensive labs tenure Cameron paid his IT dues working in technical support and sales engineering at a software publishing firm . Cameron also spent two years with a database development firm, integrating applications with mainframe legacy programs. Cameron's areas of expertise include virtual and physical IT infrastructure, cloud computing, enterprise networking and mobility. In addition to reviews, Cameron has covered monolithic enterprise management systems throughout their lifecycles, providing the eWEEK reader with all-important history and context. Cameron takes special care in cultivating his IT manager contacts, to ensure that his analysis is grounded in real-world concern. Follow Cameron on Twitter at csturdevant, or reach him by email at

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel