Security Audit Automation Made Easy with SCAP

Security automation can be defined as the use of standardized specifications and protocols to perform specific common security functions.

Which leads us to SCAP – the Security Content Automation Protocol, an industry and government initiative to automate security audits and compliance.

The basic concept of SCAP is that security guides should be executable content, not paper documents. You should be able to define your security requirements (or security content) in a form that can be run on a computer with no human intervention, and which produces an audit report that can be understood by both computers and people. You should be able to run these reports – effectively, to perform a complete security audit on a system – as frequently as you want.

Further, these security guides should be dynamic, extensible, customizable, and actionable.

  • Dynamic – as new security threats are discovered, the threat and how to respond to the threat should be added to the security guide.
  • Extensible – you should be able to get security content from multiple sources, as well as create your own specialized security content.
  • Customizable – you should be able to choose which security rules apply to which systems. For example, a web server in a DMZ, a database server and a development system will all have different security requirements.
  • Actionable – the security guide should not only identify security issues, it should also give you assistance in resolving these security issues. Specifically, it should help you understand what the issue is, what the risk is, and what the exposure is, as well as what steps can be taken to resolve or mitigate it.

And, of course, consistent. You may recall the discussion of password rules from a few posts back. You need to apply the same security rules across Windows, Solaris, AIX, HP-UX, Linux, Mac, and all other computers you have.

For people who want to jump ahead, good resources for SCAP include:

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.
This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s