Security Content Automation Protocol and Web Application Security
A presentation on SCAP I delivered at the August 5th OWASP DC Chapter.

  • ActivClient CAC is arguably the best solution for network security and assurance. Because you need an ID to gain access, you can know who is responsible for any intrusion of privacy. It's not a bulletproof system. The U.S. Department of Defense uses it, and it's available for private organizations.
  • The following presentation contains insights and opinions gathered from over 30 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with the impetus to reemphasize security within your organization, and feel good about doing so. The subtitle means “Automatic, Practical, Good!” and is a play on the Ritter Sport tagline “Quadratisch, Praktisch, Gut!” which translates as “Square, Practical, Good!” http://www.ritter-sport.de/
  • Mike’s blog is at http://www.guerilla-ciso.com/ Mike teaches for Potomac Forum http://www.potomacforum.org/ Contact information for Mike is at the end of this presentation.
  • OK, it could be that SCAP and automation replaces all of us with tool monkeys. This impact remains to be seen.
  • WASC Threat Classification Working Group http://projects.webappsec.org/Threat-Classification-Working CWE http://cwe.mitre.org/
  • Picture is “lifted” from Encyclopedia Dramatica and used under Fair Use. http://www.encyclopediadramatica.com/Image:God-kills-kitten.jpg http://www.encyclopediadramatica.com/Encyclopedia_Dramatica:General_disclaimer#Fair_Use_and_Copyrighted_Materials
  • If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/

Presentation Transcript

  • The Security Content Automation Protocol and Web Application Security Automatisch, Praktisch, Gut!
  • Who is Michael Smith?
    • 8 years active duty army
    • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
    • DotCom survivor
    • Infantryman, deployed to Afghanistan (2004)
    • CISSP #50247 (2003), ISSEP (2005)
    • Former CISO, Unisys Federal Service Delivery Center
    • Currently a Manager in a Big Four Firm
  • SCAP Defined
    • SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
    • --NIST SP 800-117
  • So What Really is SCAP
    • Simple: XML Schemas that describe security
    • XCCDF: The eXtensible Configuration Checklist Description Format
    • OVAL: Open Vulnerability and Assessment Language
    • CCE: Common Configuration Enumeration
    • CPE: Common Platform Enumeration
    • CVE: Common Vulnerabilities and Exposures
    • CVSS: Common Vulnerability Scoring System
  • So What Really is SCAP
    • Simple: XML Schemas that describe security
    • XCCDF: Audit and vulnerability checks
    • OVAL: Audit description and results
    • CCE: Hardening guides
    • CPE: Environment descriptions
    • CVE: Vulnerability disclosures
    • CVSS: Impact of vulnerabilities
  • The “So What” Test
    • Security Automation
    • Autonomic Security
    • Massively-scaled technical security management
    • Operational Metrics
    • My favorite:
    • Replace the “checklist monkeys” with a cleverly-written shell script
  • Scenarios: The Important First Word
    • The scenarios are all conceptual
    • I probably got some things wrong
    • I’m really just trying to illustrate what SCAP can become at some point
  • Scenario: Patch, VM, and Audit
  • Scenario: Configuration Management
  • Scenario: Vulnerability Research
  • SCAP Weaknesses
    • Certification Program too byzantine
    • Users don’t understand what “Big SCAP” can do for them
    • Current content not in SCAP formats
    • “Squishy” for custom code vulnerabilities
    • We need more content!!!
  • How You Can Use SCAP
    • Use the Foo, Luke—Automate wherever possible
    • Work with WASC’s Threat Classification WG
    • Use Common Weaknesses and Exposures for misconfigurations and coding errors
    • Go to the NIST SCAP Conference in October
    • Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!
  • Goodies from Mitre!
    • Recommendation Tracker
    • Benchmark Editor
    • Windows Investigator Tool (WIT)
    • OVAL Interpreter
    • XCCDF Content Automation Tool (XCAT)
    • http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools
  • The Final Message
    • Questions, Comments, or War Stories?
    • http://www.guerilla-ciso.com/
    • rybolov(a)ryzhe.ath.cx
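The two “So What Really is SCAP” slides above describe XCCDF as the checklist-and-results format and CCE as the identifier for configuration items. As an added example, not part of the original slides, the Python below reads an XCCDF 1.2 TestResult, pulls the CCE identifier each rule maps to, and turns the per-rule verdicts into a compliance score while keeping indeterminate verdicts out of the arithmetic. The XML fragment is constructed sample data; the rule and CCE identifiers in it are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                # ident/@system used for CCE ids

# Constructed TestResult fragment (sample data, not a real scan); rule and CCE
# identifiers are placeholders.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_testresult_demo">
  <rule-result idref="xccdf_org.example_rule_min_password_length">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_disable_telnet">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-00000-2</ident>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_log_enabled">
    <result>error</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_not_relevant">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""

# XCCDF result values: only pass/fixed and fail are decided outcomes; error,
# unknown and notchecked mean the checker never reached a verdict and must not
# be silently counted on either side of the score.
PASSED, FAILED = {"pass", "fixed"}, {"fail"}
INDETERMINATE = {"error", "unknown", "notchecked"}

def parse_rule_results(xml_text):
    """Return a list of (rule_id, result, cce_id or None), one per rule-result."""
    rows = []
    for rr in ET.fromstring(xml_text).iter(XCCDF + "rule-result"):
        result = rr.findtext(XCCDF + "result", default="unknown")
        cce = next((i.text for i in rr.iter(XCCDF + "ident")
                    if i.get("system") == CCE_SYSTEM), None)
        rows.append((rr.get("idref"), result, cce))
    return rows

def summarize(rows):
    """Compliance score over decided rules plus the rules needing manual review."""
    counts = Counter(result for _, result, _ in rows)
    passed = sum(counts[r] for r in PASSED)
    failed = sum(counts[r] for r in FAILED)
    score = round(100 * passed / (passed + failed), 1) if passed + failed else None
    review = [rule for rule, result, _ in rows if result in INDETERMINATE]
    return {"passed": passed, "failed": failed, "score": score, "needs_review": review}
```

Running `summarize(parse_rule_results(SAMPLE_RESULT))` scores the sample at 50.0 with one rule flagged for review; the `notapplicable` rule is excluded from the score without being treated as a failure.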