Two new SCAP documents help improve automating computer security management

Mar 16, 2011

It's increasingly difficult to keep up with all the vulnerabilities present in today's highly complex operating systems and applications. Attackers constantly search for and exploit these vulnerabilities to commit identity fraud, intellectual property theft and other attacks. The National Institute of Standards and Technology has released two updated publications that help organizations to find and manage vulnerabilities more effectively, by standardizing the way vulnerabilities are identified, prioritized and reported.

Computer departments work behind the scenes at government agencies and other organizations to keep computers and networks secure. A valuable tool for them is security automation software that uses NIST's Security Content Automation Protocol (SCAP). Software based on SCAP can be used to automatically check individual computers to see if they have any known vulnerabilities and if they have the appropriate security configuration settings and patches in place. Security problems can be identified quickly and accurately, allowing them to be resolved before hackers can exploit them.

The first publication, The Technical Specifications for the Security Content Automation Protocol (SCAP) Version 1.1 (NIST Special Publication (SP) 800-126 Revision 1) refines the protocol's requirements from the SCAP 1.0 version. SCAP itself is a suite of specifications for standardizing the format and nomenclature by which communicates to assess software flaws, security configurations and software inventories.

SP 800-126 Rev. 1 tightens the requirements of the individual specifications in the suite to support SCAP's functionality and ensure interoperability between SCAP tools. It also adds a new specification—the Open Checklist Interactive Language (OCIL)—that allows security experts to gather information that is not accessible by automated means. For example, OCIL could be used to ask users about their recent security awareness training or to prompt a system administrator to review security settings only available through a proprietary graphical user interface. Additionally, SCAP 1.1 calls for the use of the 5.8 version of the Open and Assessment Language (OVAL).

NIST and others provide publicly accessible repositories of security information and standard security configurations in SCAP formats, which can be downloaded and used by any tool that complies with the SCAP protocol. For example, the NIST-run National Vulnerability Database (NVD) provides a unique identifier for each reported software vulnerability, an analysis of its potential damage and a severity score. The NVD has grown from 6,000 listings in 2002 to about 46,000 in early 2011. It is updated daily.

The second document, Guide to Using Vulnerability Naming Schemes (Special Publication 800-51 Revision 1), provides recommendations for naming schemes used in SCAP. Before these schemes were standardized, different organizations referred to vulnerabilities in different ways, which created confusion. These naming schemes "enable better synthesis of information about software vulnerabilities and misconfigurations," explained co-author David Waltermire, which minimizes confusion and can lead to faster security fixes. The Common Vulnerabilities and Exposures (CVE) scheme identifies software flaws; the Common Configuration Enumeration (CCE) scheme classifies configuration issues.

SP 800-51 Rev.1 provides an introduction to both naming schemes and makes recommendations for using them. It also suggests how and service vendors should use the vulnerability names and naming schemes in their products and service offerings.

Explore further: Japan orders air bag maker to conduct probe

More information: The Technical Specifications for the Security Content Automation Protocol (SCAP) Version 1.1 (NIST Special Publication 800-126 Revision 1) can be found at csrc.nist.gov/publications/nis… rev1/SP800-126r1.pdf . The Guide to Using Vulnerability Naming Schemes (Special Publication 800-51 Revision 1) can be found at csrc.nist.gov/publications/nis… ev1/SP800-51rev1.pdf .

add to favorites email to friend print save as pdf

Related Stories

Method to Better Predict Software Vulnerabilities

Jun 29, 2006

Vulnerability defects in software that can allow hackers to bypass security measures have emerged as a significant threat in a society that increasingly relies on computer systems and the Internet for commerce and other uses.

Recommended for you

Japan orders air bag maker to conduct probe

Nov 21, 2014

Japan's transport ministry said Friday it has ordered air bag maker Takata to conduct an internal investigation after cases of its air bags exploding triggered safety concerns in the United States and other countries.

Senators get no clear answers on air bag safety

Nov 20, 2014

There were apologies and long-winded explanations, but after nearly four hours of testimony about exploding air bags, senators never got a clear answer to the question most people have: whether or not their ...

Winter-like temps can reduce tire pressure

Nov 19, 2014

The polar plunge that has chilled much of the nation does more than bring out ice scrapers and antifreeze. It can trigger vehicles' tire pressure monitoring systems overnight, sending nervous drivers to dealers ...

US: Gov't aircraft regulations apply to drones (Update)

Nov 18, 2014

The U.S. government has the power to hold drone operators accountable when they operate the remote-control aircraft recklessly, a federal safety board ruled Tuesday in a setback to small drone operators chafing ...

Mapping the crisis of displaced peoples

Nov 17, 2014

Population displacement is a global problem, one that historically has been insufficiently quantified and analyzed, especially given its wide-ranging effects. Displacement can result from a number of factors, ...

User comments : 0

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.