SCAP Update Brings More Security

Wednesday, September 14, 2011 @ 12:09 PM gHale


Software tools and technical specifications that allow security information to be shared between information systems, collectively the Security Content Automation Protocol (SCAP), can save time and improve security.

However, bringing order and security to the computing environment of a large organization can be a daunting task.


That is one reason the National Institute of Standards and Technology (NIST) released four new publications that detail specifications used by the latest version of SCAP.

“A primary goal of automated security in a large organization’s computer environment is to make sure everything is configured securely as required by management, and that all patches are applied to eliminate known vulnerabilities,” said NIST computer scientist David Waltermire. SCAP-enabled tools can scan computer systems to reveal software vulnerabilities and security configuration problems.

SCAP relies on a fundamental component called Common Platform Enumeration (CPE), a standardized method of describing and identifying classes of applications, operating systems and hardware devices in an organization’s computer systems. The four new NIST Interagency Reports (NISTIRs) provide the specifications for a new version of CPE, version 2.3, which will be used with the new SCAP version.

For SCAP to work, CPE needs a unique name that identifies all products of the same type. Without CPE, a single type of product is often referred to by different terms, such as “Windows XP” and “Win XP,” which causes confusion and wastes resources. CPE provides a single standardized unique name that covers all of these variants. NISTIR 7695 defines and explains the naming specification for CPE version 2.3.

Once a unique name is defined, CPE needs a way to compare names to determine whether they refer to some or all of the same products or platforms. For example, a product may have a unique name, but as in the Windows XP case, there may be subsets such as “Service Pack 1” or “Service Pack 2” that further distinguish types of products. NISTIR 7696 provides the CPE name matching specification, which defines procedures for comparing two CPE names.

A dictionary specification for CPE is in NISTIR 7697, which includes the semantics of its data model and the rules associated with the CPE dictionary creation and management. NIST hosts the official CPE dictionary so organizations can search for and find identifier names.

With the naming, name matching and dictionary specifications defined, researchers moved to language specifications.

NISTIR 7698 provides the applicability language specification, which allows construction of logical expressions built from CPE names. SCAP uses these expressions to identify more complex vulnerability and configuration situations, such as a problem that only exists when two applications are running together or an application is running on particular computing platforms. A real-life example is writing an applicability language expression that tells SCAP to search for situations in which Adobe Flash player version 10.3 or earlier is running on Mac OSX, Linux, Sun Solaris or Microsoft Windows.
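The three pieces described above, a unique name, a comparison of two names, and a logical expression built from names, fit together in a few dozen lines. The following Python is an added illustration written for this article, not code from NIST or from any SCAP tool. It parses CPE 2.3 formatted strings into their attributes, compares two names attribute by attribute in the way NISTIR 7696 describes (ANY, NA and concrete values; wildcards inside a value are not handled), and evaluates an AND/OR applicability expression of the kind NISTIR 7698 defines against a host's installed-product inventory. The vendor and product strings, the inventories and the expression itself are constructed for the example rather than taken from the official dictionary, and because plain name matching has no notion of version ordering, the expression pins Flash Player to version 10.3 instead of "10.3 or earlier", which real SCAP content would express with a separate check.

```python
import re

# The eleven attributes of a CPE 2.3 name, in formatted-string order.
ATTRS = ("part", "vendor", "product", "version", "update", "edition",
         "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(fs):
    """Split a CPE 2.3 formatted string into its 11 attributes.
    A colon escaped with a backslash is part of a value, not a separator."""
    fields = re.split(r"(?<!\\):", fs)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % fs)
    return dict(zip(ATTRS, fields[2:]))


def compare_attr(src, tgt):
    """Relation of one source attribute value to the target's value.
    '*' is the logical value ANY, '-' is NA; anything else is a concrete value."""
    if src == "*":
        return "EQUAL" if tgt == "*" else "SUPERSET"
    if src == "-":
        if tgt == "-":
            return "EQUAL"
        return "SUBSET" if tgt == "*" else "DISJOINT"
    if tgt == "*":
        return "SUBSET"
    if tgt == "-":
        return "DISJOINT"
    return "EQUAL" if src.lower() == tgt.lower() else "DISJOINT"


def match_names(src_fs, tgt_fs):
    """Relation of the whole source name to the whole target name."""
    src, tgt = parse_cpe23(src_fs), parse_cpe23(tgt_fs)
    rels = {compare_attr(src[a], tgt[a]) for a in ATTRS}
    if "DISJOINT" in rels:
        return "DISJOINT"
    if rels <= {"EQUAL"}:
        return "EQUAL"
    if rels <= {"EQUAL", "SUPERSET"}:
        return "SUPERSET"
    if rels <= {"EQUAL", "SUBSET"}:
        return "SUBSET"
    # A mix of subset and superset attributes is left undefined by the
    # specification; this example treats it as no match.
    return "DISJOINT"


def fact_holds(fact_fs, inventory):
    """A fact is true when some installed name falls within the fact's name."""
    return any(match_names(fact_fs, inst) in ("EQUAL", "SUPERSET")
               for inst in inventory)


def evaluate(test, inventory):
    """Evaluate a logical test: a CPE string, or (op, [children]) with op AND/OR."""
    if isinstance(test, str):
        return fact_holds(test, inventory)
    op, children = test
    results = [evaluate(child, inventory) for child in children]
    return all(results) if op == "AND" else any(results)


# Constructed expression (assumed names): Flash Player 10.3 running on one of
# four operating systems. Only the structure follows the applicability language.
FLASH_ON_DESKTOPS = ("AND", [
    "cpe:2.3:a:adobe:flash_player:10.3:*:*:*:*:*:*:*",
    ("OR", [
        "cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:sun:solaris:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*",
    ]),
])

# Constructed inventories of three hypothetical hosts.
HOST_XP = ["cpe:2.3:o:microsoft:windows_xp:-:sp2:*:*:*:*:*:*",
           "cpe:2.3:a:adobe:flash_player:10.3:*:*:*:*:*:*:*"]
HOST_LINUX = ["cpe:2.3:o:linux:linux_kernel:2.6.32:*:*:*:*:*:*:*",
              "cpe:2.3:a:adobe:flash_player:11.0:*:*:*:*:*:*:*"]
HOST_FREEBSD = ["cpe:2.3:o:freebsd:freebsd:8.2:*:*:*:*:*:*:*",
                "cpe:2.3:a:adobe:flash_player:10.3:*:*:*:*:*:*:*"]

if __name__ == "__main__":
    for label, inv in (("xp", HOST_XP), ("linux", HOST_LINUX), ("freebsd", HOST_FREEBSD)):
        print(label, "applicable:", evaluate(FLASH_ON_DESKTOPS, inv))
```

The Windows XP case from the text shows up in `match_names`: the generic name with ANY in the version and update attributes is a superset of the installed "Service Pack 2" name, while two names that differ only in service pack are disjoint. Running the module reports the XP host as applicable and the other two as not, one because its Flash version differs and one because none of the listed operating systems match.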
