In the dark ages of vulnerability assessment and system security, rating the risks associated with software vulnerabilities and evaluating secure system configurations were largely subjective endeavors. Essentially, every enterprise was forced to rely on software makers' vague risk rankings to judge how severely a software flaw would truly jeopardize the security of its IT infrastructure. Additionally, when it came to hardening servers, endpoints and application implementations, many organizations created their own security checklists, pulling the information as best they could from various sources such as industry practices and vendor guides.
To bring some objectivity and standardization to the process, the National Institute of Standards and Technology (NIST) recently released its first draft of the Security Content Automation Protocol (SCAP). SCAP, as NIST explains, is a standards-based method to enable automated vulnerability management, measurement and policy compliance evaluation. SCAP is based on a number of existing, well-used, open standards that itemize software flaws, security configurations, and various product names. When brought together, these standards make it possible to rank security flaws, as well as security configurations, so that the impact of security vulnerabilities and misconfigured systems can be measured. To do so, SCAP leverages the following standards:
– Common Vulnerabilities and Exposures (CVE)
– Common Configuration Enumeration (CCE)
– Common Platform Enumeration (CPE)
– Common Vulnerability Scoring System (CVSS)
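As an added example (not part of the original article and not NIST's code), the Python below shows how these identifiers combine: CPE names tie an inventory to CVE entries, and CVSS turns each match into a number that can be ranked. It assumes the CVSS version 2 base equation and CPE 2.x URI-style names; every CVE id, CPE name and host name is a constructed placeholder, and CCE configuration checks are left out.

```python
# Added illustration; all identifiers below are constructed placeholders.
# CVSS v2 base metric weights, as published in the CVSS v2 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}

def cvss2_base(vector):
    """Return the CVSS v2 base score for a vector like 'AV:N/AC:L/Au:N/C:P/I:P/A:P'."""
    m = dict(part.split(":", 1) for part in vector.split("/"))
    missing = {"AV", "AC", "Au", "C", "I", "A"} - m.keys()
    if missing:
        raise ValueError(f"missing base metrics: {sorted(missing)}")
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f, 1)

# Constructed feed: CVE id -> (affected CPE name, CVSS v2 base vector).
FEED = {
    "CVE-0000-0001": ("cpe:/a:example_vendor:web_server:2.0", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
    "CVE-0000-0002": ("cpe:/a:example_vendor:web_server:2.0", "AV:N/AC:L/Au:N/C:P/I:P/A:P"),
    "CVE-0000-0003": ("cpe:/o:example_vendor:example_os:5.1", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),
    "CVE-0000-0004": ("cpe:/a:example_vendor:mail_client:1.3", "AV:N/AC:M/Au:N/C:N/I:P/A:N"),
}

# Constructed inventory: host -> CPE names discovered on it.
INVENTORY = {
    "host-a": {"cpe:/a:example_vendor:web_server:2.0", "cpe:/o:example_vendor:example_os:5.1"},
    "host-b": {"cpe:/o:example_vendor:example_os:5.1"},
}

def rank_findings(inventory, feed):
    """Return (score, host, cve) for every CVE whose CPE is installed, worst first."""
    # Exact string comparison is a simplification of real CPE name matching.
    hits = [
        (cvss2_base(vector), host, cve)
        for host, cpes in inventory.items()
        for cve, (cpe, vector) in feed.items()
        if cpe in cpes
    ]
    return sorted(hits, key=lambda h: (-h[0], h[1], h[2]))

if __name__ == "__main__":
    for score, host, cve in rank_findings(INVENTORY, FEED):
        print(f"{score:4.1f}  {host}  {cve}")
```

The placeholder entry for the mail client never appears in the ranking because no host in the inventory reports that CPE name, which is the filtering role CPE plays in the combination.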
As more security vendors embrace SCAP, expect its adoption to broaden throughout the commercial sector as the interoperability benefits grow, and subjective security to make way for a more measured risk posture.