Security automation can be defined as the use of standardized specifications and protocols to perform specific common security functions.
That leads us to SCAP, the Security Content Automation Protocol: an industry and government initiative to automate security audits and compliance checking.
The basic concept of SCAP is that security guides should be executable content, not paper documents. You should be able to define your security requirements (or security content) in a form that can be run on a computer with no human intervention, and which produces an audit report that can be understood by both computers and people. You should be able to run these reports – effectively, to perform a complete security audit on a system – as frequently as you want.
Further, these security guides should be dynamic, extensible, customizable, and actionable.
- Dynamic – as new security threats are discovered, the threat and how to respond to the threat should be added to the security guide.
- Extensible – you should be able to get security content from multiple sources, as well as create your own specialized security content.
- Customizable – you should be able to choose which security rules apply to which systems. For example, a web server in a DMZ, a database server and a development system will all have different security requirements.
- Actionable – the security guide should not only identify security issues, it should also give you assistance in resolving these security issues. Specifically, it should help you understand what the issue is, what the risk is, and what the exposure is, as well as what steps can be taken to resolve or mitigate it.
And, of course, consistent. You may recall the discussion of password rules from a few posts back. You need to apply the same security rules across Windows, Solaris, AIX, HP-UX, Linux, Mac, and all other computers you have.
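The executable-content idea in concrete form, as an added example that is not part of the original post or of any SCAP tool: a few rules written as data (a check, a risk statement and a fix), profiles that choose which rules apply to which type of system, and a report produced once for computers and once for people. Host facts, rule ids and the settings they inspect are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed snapshot of one host; a real scanner reads these from the OS.
HOST_FACTS = {"role": "database", "pass_min_len": 8,
              "ssh_root_login": "no", "db_listen_addr": "0.0.0.0"}

@dataclass
class Rule:                        # one unit of executable security content
    id: str
    title: str
    check: Callable[[dict], bool]  # runs with no human intervention
    risk: str                      # actionable: what the exposure is
    fix: str                       # actionable: how to resolve it

RULES = [
    Rule("pw-min-len-12", "Minimum password length is 12", lambda f: f["pass_min_len"] >= 12,
         "short passwords fall to offline guessing", "set PASS_MIN_LEN 12 in login.defs"),
    Rule("ssh-no-root", "Root may not log in over SSH", lambda f: f["ssh_root_login"] == "no",
         "root logins defeat per-user accountability", "set PermitRootLogin no in sshd_config"),
    Rule("db-local-only", "DB listens on localhost only", lambda f: f["db_listen_addr"] == "127.0.0.1",
         "the database port is reachable from the network", "bind the listener to 127.0.0.1"),
]

# Customizable: the same content, a different rule selection per system type.
PROFILES = {"web-dmz": ["pw-min-len-12", "ssh-no-root"],
            "database": ["pw-min-len-12", "ssh-no-root", "db-local-only"],
            "dev": ["pw-min-len-12"]}

def audit(facts, rules=RULES, profiles=PROFILES):
    """Run this host's profile; the returned dict is the machine-readable report."""
    by_id = {r.id: r for r in rules}   # extensible: pass RULES + your own rules
    results = []
    for r in (by_id[rid] for rid in profiles[facts["role"]]):
        entry = {"rule": r.id, "title": r.title,
                 "result": "pass" if r.check(facts) else "fail"}
        if entry["result"] == "fail":
            entry.update(risk=r.risk, fix=r.fix)
        results.append(entry)
    return {"role": facts["role"], "total": len(results),
            "passed": sum(e["result"] == "pass" for e in results), "results": results}

def render(report):  # the same report laid out for people, fix shown on failure
    lines = [f"{report['role']}: {report['passed']}/{report['total']} rules pass"]
    for e in report["results"]:
        lines.append(f"[{e['result'].upper()}] {e['rule']}: {e['title']}")
        if e["result"] == "fail":
            lines.append(f"    risk: {e['risk']}; fix: {e['fix']}")
    return "\n".join(lines)
```

Feed `audit(HOST_FACTS)` to `json.dumps` for the computer-readable form and to `render` for the human one; the same run can be repeated as often as you like.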
For people who want to jump ahead, good resources for SCAP include: