By Reuven Cohen
May 27, 2009 08:45 AM EDT
The National Institute of Standards and Technology (NIST) recently released a draft "Guide to Adopting and Using the Security Content Automation Protocol" (SCAP) for public review. The guide takes a close look at what they describe as "the need for a comprehensive, standardized approach to overcoming security challenges found within a modern enterprise IT environment". In case you're not familiar with SCAP, it comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues, mostly geared toward federal government agencies. SCAP can also be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
I haven't done too much digging through the specification, but at first glance a lot of the security concepts seem fairly well suited to both governmental and enterprise infrastructure as a service / private cloud deployments such as at Amazon EC2.
It is interesting to note that one of the major issues outlined in the guide is the lack of interoperability across system security tools; for example, the use of proprietary names for vulnerabilities or platforms creates inconsistencies in reports from multiple tools, which can cause delays in security assessment, decision-making, and vulnerability remediation. The guide recommends that organizations use SCAP to demonstrate compliance with security requirements in mandates such as the Federal Information Security Management Act (FISMA).
The guide goes on to outline: "Many tools for system security, such as patch management and vulnerability management software, use proprietary formats, nomenclatures, measurements, terminology, and content. For example, when vulnerability scanners do not use standardized names for vulnerabilities, it might not be clear to security staff whether multiple scanners are referencing the same vulnerabilities in their reports. This lack of interoperability can cause delays and inconsistencies in security assessment, decision-making, and remediation."
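As an added illustration of the interoperability problem the guide describes (example code written for this post, not taken from the original article or from NIST's guide): two constructed scanner reports for the same host are correlated first by each tool's own finding names and then by the standardized CVE identifiers that SCAP uses for software flaws. The scanner names, host name and CVE numbers below are placeholders, not real data.

```python
import re

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample reports (placeholder CVE numbers, not real ones).
# Scanner A labels findings with its own plugin names and mentions a
# standard identifier, if at all, only inside a free-text details field.
SCANNER_A = [
    {"host": "host-1", "name": "TLS Heartbeat Memory Disclosure", "details": "Ref CVE-0000-1001"},
    {"host": "host-1", "name": "Shell Env Injection", "details": "Refs CVE-0000-1002, CVE-0000-1003"},
    {"host": "host-1", "name": "Weak SSH Ciphers Enabled", "details": "configuration weakness"},
]
# Scanner B keys every finding on a standard CVE identifier.
SCANNER_B = [
    {"host": "host-1", "name": "CVE-0000-1001", "cve": "CVE-0000-1001"},
    {"host": "host-1", "name": "CVE-0000-1002", "cve": "CVE-0000-1002"},
    {"host": "host-1", "name": "CVE-0000-1004", "cve": "CVE-0000-1004"},
]

def by_name(findings):
    """Naive correlation key: (host, tool-specific finding name)."""
    return {(f["host"], f["name"]) for f in findings}

def by_cve(findings, id_field=None, text_fields=()):
    """Standardized correlation key: (host, CVE id). A finding carrying no
    CVE keeps a tool-specific key so it is retained but flagged as not
    reconcilable with other tools' output."""
    keys = set()
    for f in findings:
        cves = set()
        if id_field and f.get(id_field):
            cves.add(f[id_field])
        for tf in text_fields:
            cves |= set(CVE_RE.findall(f.get(tf, "")))
        keys |= {(f["host"], c) for c in cves} or {(f["host"], "proprietary:" + f["name"])}
    return keys

def correlate(a, b):
    return {"both": a & b, "only_a": a - b, "only_b": b - a}

def compare_reports():
    """Return (naive, standardized) correlation results for the two reports."""
    naive = correlate(by_name(SCANNER_A), by_name(SCANNER_B))
    std = correlate(by_cve(SCANNER_A, text_fields=("details",)),
                    by_cve(SCANNER_B, id_field="cve"))
    return naive, std

if __name__ == "__main__":
    naive, std = compare_reports()
    print("shared findings by tool name:", len(naive["both"]))
    print("shared findings by CVE id:   ", len(std["both"]))
    print("not reconcilable:", sorted(k for k in std["only_a"] if k[1].startswith("proprietary:")))
```

Keyed on tool names the two reports share nothing; keyed on CVE ids two findings line up, one appears in each tool only, and the configuration finding is surfaced as one that has no standard identifier at all.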
Direct Link > http://csrc.nist.gov/publications/drafts/800-117/draft-sp800-117.pdf
NIST requests comments on the new publication, 800-117, "Guide to Adopting and Using the Security Content Automation Protocol." E-mail comments to [email protected] by Friday, June 12.