|By Reuven Cohen||
|May 27, 2009 08:45 AM EDT||
The National Institute of Standards and Technology (NIST) recently released a draft "Guide to Adopting and Using the Security Content Automation Protocol" (SCAP) for public review. The guide takes a close look at what they describe as "the need for a comprehensive, standardized approach to overcoming security challenges found within a modern enterprise IT environment". In case you're not familiar with SCAP, it comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues, mostly geared toward federal government agencies. Although SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
I haven't done too much digging through the specification, but at first glance a lot of the security concepts seem fairly well suited to both governmental and enterprise infrastructure as a service / private cloud deployments such as at Amazon Ec2.
Interesting to note, one of the major issues outlined in the guide is the lack of interoperability across system security tools; for example, the use of proprietary names for vulnerabilities or platforms creates inconsistencies in reports from multiple tools, which can cause delays in security assessment, decision-making, and vulnerability remediation. The guide recommends that organizations should to demonstrate compliance with security requirements in mandates such as the Federal Information Security Management Act (FISMA).
The guide goes onto outline; "Many tools for system security, such as patch management and vulnerability management software, use proprietary formats, nomenclatures, measurements, terminology, and content. For example, when vulnerability scanners do not use standardized names for vulnerabilities, it might not be clear to security staff whether multiple scanners are referencing the same vulnerabilities in their reports. This lack of interoperability can cause delays and inconsistencies in security assessment, decision-making, and remediation."
Direct Link > http://csrc.nist.gov/publications/drafts/800-117/draft-sp800-117.pdf
NIST requests comments on the new publication, 800-117, "Guide to Adopting and Using the Security Content Automation Protocol." E-mail comments to [email protected] by Friday, June 12.
Jun. 25, 2016 06:15 PM EDT Reads: 964
Jun. 25, 2016 05:00 PM EDT Reads: 644
Jun. 25, 2016 03:00 PM EDT Reads: 1,503
Jun. 25, 2016 02:15 PM EDT Reads: 997
Jun. 25, 2016 01:45 PM EDT Reads: 857
Jun. 25, 2016 01:15 PM EDT Reads: 1,190
Jun. 25, 2016 11:45 AM EDT Reads: 1,150
Jun. 25, 2016 11:15 AM EDT Reads: 1,152
Jun. 25, 2016 11:00 AM EDT Reads: 466
Jun. 25, 2016 11:00 AM EDT Reads: 1,274
Jun. 25, 2016 10:30 AM EDT Reads: 1,217
Jun. 25, 2016 10:15 AM EDT Reads: 1,211
Jun. 25, 2016 10:00 AM EDT Reads: 653
Jun. 25, 2016 09:30 AM EDT Reads: 1,078
Jun. 25, 2016 07:45 AM EDT Reads: 1,034
Jun. 25, 2016 07:30 AM EDT Reads: 857
Jun. 24, 2016 01:00 PM EDT Reads: 1,326
Jun. 24, 2016 12:00 PM EDT Reads: 1,582
Jun. 22, 2016 11:00 AM EDT Reads: 1,348
Jun. 19, 2016 12:45 PM EDT Reads: 1,241