The previous article introduced the concept of security guides as executable content and introduced SCAP.
We’re going to dig into SCAP in a fair amount of detail. So, let’s start by covering the various technologies that make up SCAP:
- XCCDF – the Extensible Configuration Checklist Description Format. An XML-based language for writing security checklists (benchmarks) as rules, profiles and tunable values that a machine can parse; the actual test behind each rule is normally delegated to OVAL.
- OVAL – the Open Vulnerability and Assessment Language. Standardizes how to describe, assess and report on the state of a system: an OVAL definition states what a file permission, package version or registry value should look like, so a scanner can test it without product-specific scripts.
- OCIL – the Open Checklist Interactive Language. Covers the checks that cannot be automated by asking a person. For example, “do you know who to report security breaches to?” can be answered with yes or no, or with the name and contact details of where breaches are reported.
- CCE – Common Configuration Enumeration. Gives each configuration setting a unique identifier so that checklists and tools can refer to it consistently. For example, the minimum-password-length setting on Windows, Unix, Linux and Mac each gets its own CCE entry instead of a vendor-specific name.
- CPE – Common Platform Enumeration. A structured naming scheme for IT systems, operating systems, software and packages, so that content can state exactly which platform it applies to.
- CVE – Common Vulnerabilities and Exposures. A standard way to uniquely identify publicly known vulnerabilities, for example Heartbleed – CVE-2014-0160.
- CEE – Common Event Expression. A common way to record and exchange events, i.e. a standard logging format.
- CRE – Common Remediation Enumeration. Describes how to remediate or mitigate security vulnerabilities and misconfigurations.
- CVSS – Common Vulnerability Scoring System. A consistent method for scoring the severity of a vulnerability, typically one identified by a CVE, so that findings can be compared and prioritized.
Some of these are widely used. For example, the CVE list maintained by MITRE is the common resource for sharing information on security vulnerabilities, and security professionals around the world have relied on it for over 15 years.
Others are newer, such as the use of XCCDF and OVAL to create standardized security content that can be shared across organizations and industries and consumed directly by automated scanners.
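To show how several of the pieces above fit together, here is a small Python script, added as an example for this article and not taken from the original text or from any SCAP tool. It reads a constructed XCCDF 1.2 benchmark, follows each rule's check reference into a constructed OVAL definitions document, and checks the syntax of the CCE, CVE, CPE and OVAL identifiers it finds. Everything in the two XML samples is a placeholder: the rule ids, the CCE id `CCE-0000-0`, the CPE name and the OVAL definition ids. The second rule deliberately points at an OVAL definition that does not exist, which is the kind of broken link that leaves a scanner unable to evaluate the rule.

```python
"""Added example: link a minimal XCCDF benchmark to its OVAL definitions and
validate the SCAP identifiers (CCE, CVE, CPE, OVAL) it carries.

Both XML documents below are constructed samples, not real SCAP content.
"""
import re
import xml.etree.ElementTree as ET  # for untrusted content, prefer defusedxml

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Syntax of each identifier family (the CCE check digit is not verified here).
ID_PATTERNS = {
    "CCE": re.compile(r"^CCE-\d{4,5}-\d$"),
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
    "CPE": re.compile(r"^cpe:2\.3:[aho](?::[^:]+){10}$"),  # CPE 2.3 formatted string
    "OVAL": re.compile(r"^oval:[A-Za-z0-9_.\-]+:def:\d+$"),
}

# Constructed XCCDF benchmark: one CCE-tagged configuration rule and one
# CVE-tagged vulnerability rule, both delegating their checks to OVAL.
SAMPLE_XCCDF = """\
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <status>draft</status>
  <title>Demo benchmark (constructed sample)</title>
  <platform idref="cpe:2.3:o:example:linux:1.0:*:*:*:*:*:*:*"/>
  <version>0.1</version>
  <Rule id="xccdf_org.example_rule_password_minlen" severity="medium">
    <title>Minimum password length is at least 14</title>
    <ident system="https://ncp.nist.gov/cce">CCE-0000-0</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_heartbleed" severity="high">
    <title>OpenSSL is patched against Heartbleed</title>
    <ident system="http://cve.mitre.org">CVE-2014-0160</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL file: only def:1 exists, so the Heartbleed rule is dangling.
SAMPLE_OVAL = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:org.example:def:1" version="1" class="compliance">
      <metadata><title>password minimum length</title></metadata>
    </definition>
  </definitions>
</oval_definitions>
"""


def classify(ident):
    """Return the SCAP identifier family a string belongs to, or None."""
    for kind, pattern in ID_PATTERNS.items():
        if pattern.match(ident):
            return kind
    return None


def load_rules(xccdf_xml):
    """Return (platform CPE names, rules) from an XCCDF 1.2 benchmark."""
    def tag(name):
        return f"{{{XCCDF_NS}}}{name}"
    root = ET.fromstring(xccdf_xml)
    platforms = [p.get("idref") for p in root.findall(tag("platform"))]
    rules = []
    for rule in root.iter(tag("Rule")):
        idents = [i.text.strip() for i in rule.findall(tag("ident"))]
        oval_refs = [
            (ref.get("href"), ref.get("name"))
            for check in rule.findall(tag("check"))
            if check.get("system") == OVAL_NS  # keep only OVAL-backed checks
            for ref in check.findall(tag("check-content-ref"))
        ]
        rules.append({"id": rule.get("id"), "severity": rule.get("severity"),
                      "idents": idents, "oval_refs": oval_refs})
    return platforms, rules


def load_oval_definition_ids(oval_xml):
    """Return the set of definition ids declared in an OVAL document."""
    root = ET.fromstring(oval_xml)
    return {d.get("id") for d in root.iter(f"{{{OVAL_NS}}}definition")}


def audit(xccdf_xml, oval_xml):
    """Return a list of problems: malformed identifiers and broken XCCDF->OVAL links."""
    platforms, rules = load_rules(xccdf_xml)
    defined = load_oval_definition_ids(oval_xml)
    problems = []
    for cpe in platforms:
        if classify(cpe) != "CPE":
            problems.append(f"benchmark: malformed CPE name {cpe}")
    for rule in rules:
        for ident in rule["idents"]:
            if classify(ident) not in ("CCE", "CVE"):
                problems.append(f"{rule['id']}: unrecognised identifier {ident}")
        if not rule["oval_refs"]:
            problems.append(f"{rule['id']}: no OVAL check attached")
        for href, name in rule["oval_refs"]:
            if classify(name) != "OVAL":
                problems.append(f"{rule['id']}: malformed OVAL id {name}")
            elif name not in defined:
                problems.append(f"{rule['id']}: OVAL definition {name} not found in {href}")
    return problems


if __name__ == "__main__":
    for line in audit(SAMPLE_XCCDF, SAMPLE_OVAL):
        print(line)
```

Running it reports the one dangling reference, `oval:org.example:def:2`, and nothing else. The same walk over a real benchmark (XCCDF rules, their `ident` elements and `check-content-ref` links) is how a content author confirms that every rule a profile selects can actually be evaluated by the scanner rather than silently skipped.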