Security Content Automation Protocol and Web Application Security
A presentation on SCAP I delivered at the August 5th OWASP DC Chapter.

  • ActivClient CAC is arguably the best solution for network security and assurance. Because you need an ID to gain access, you can know who is responsible for any intrusion of privacy. It's not a bulletproof system. The U.S. Department of Defense uses it, and it's available for private organizations.
  • The following presentation contains insights and opinions gathered from over 30 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with the impetus to reemphasize security within your organization, and feel good about doing so. The subtitle means “Automatic, Practical, Good!” and is a play on the Ritter Sport tagline “Quadratisch, Praktisch, Gut!” which translates as “Square, Practical, Good!”
  • Mike’s blog is at . Mike teaches for Potomac Forum. Contact information for Mike is at the end of this presentation.
  • OK, it could be that SCAP and automation replace all of us with tool monkeys. This impact remains to be seen.
  • WASC Threat Classification Working Group CWE
  • Picture is “lifted” from Encyclopedia Dramatica and used under Fair Use.
  • If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at
  • Security Content Automation Protocol and Web Application Security

    1. The Security Content Automation Protocol and Web Application Security: Automatisch, Praktisch, Gut!
    2. Who is Michael Smith?
       • 8 years active duty army
       • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
       • DotCom survivor
       • Infantryman, deployed to Afghanistan (2004)
       • CISSP #50247 (2003), ISSEP (2005)
       • Former CISO, Unisys Federal Service Delivery Center
       • Currently a Manager in a Big Four Firm
    3. SCAP Defined
       • SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
       • --NIST SP 800-117
    4. So What Really is SCAP
       • Simple: XML Schemas that describe security
       • XCCDF: The eXtensible Configuration Checklist Description Format
       • OVAL: Open Vulnerability and Assessment Language
       • CCE: Common Configuration Enumeration
       • CPE: Common Platform Enumeration
       • CVE: Common Vulnerabilities and Exposures
       • CVSS: Common Vulnerability Scoring System
    5. So What Really is SCAP
       • Simple: XML Schemas that describe security
       • XCCDF: Audit and vulnerability checks
       • OVAL: Audit description and results
       • CCE: Hardening guides
       • CPE: Environment descriptions
       • CVE: Vulnerability disclosures
       • CVSS: Impact of vulnerabilities
    6. The “So What” Test
       • Security Automation
       • Autonomic Security
       • Massively-scaled technical security management
       • Operational Metrics
       • My favorite: Replace the “checklist monkeys” with a cleverly-written shell script
    7. Scenarios: The Important First Word
       • The scenarios are all conceptual
       • I probably got some things wrong
       • I’m really just trying to illustrate what SCAP can become at some point
    8. Scenario: Patch, VM, and Audit
    9. Scenario: Configuration Management
    10. Scenario: Vulnerability Research
    11. SCAP Weaknesses
       • Certification Program too byzantine
       • Users don’t understand what “Big SCAP” can do for them
       • Current content not in SCAP formats
       • “Squishy” for custom code vulnerabilities
       • We need more content!!!
    12. How You Can Use SCAP
       • Use the Foo, Luke—Automate wherever possible
       • Work with WASC’s Threat Classification WG
       • Use Common Weaknesses and Exposures for misconfigurations and coding errors
       • Go to the NIST SCAP Conference in October
       • Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!
    13. Goodies from Mitre!
       • Recommendation Tracker
       • Benchmark Editor
       • Windows Investigator Tool (WIT)
       • OVAL Interpreter
       • XCCDF Content Automation Tool (XCAT)
    14. The Final Message
    15. Questions, Comments, or War Stories?
       • rybolov(a)
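Added example, not from the presentation: slides 4 through 6 describe SCAP as XML schemas (XCCDF results carrying CCE identifiers) and pitch replacing manual checklist review with a script. This Python block is the kind of script that idea implies: it parses an XCCDF TestResult and turns it into pass/fail counts and the CCE ids that need remediation. It assumes the XCCDF 1.1 namespace; the result document is constructed here and the CCE ids (CCE-0000-N) are placeholders, not real CCE entries.

```python
import xml.etree.ElementTree as ET

# Assumption: XCCDF 1.1 namespace (the version current when SP 800-117 was drafted).
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed sample TestResult; the CCE identifiers are placeholders.
SAMPLE_RESULT = """
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="demo-result">
  <rule-result idref="rule-min-password-len">
    <result>pass</result>
    <ident system="http://cce.mitre.org">CCE-0000-1</ident>
  </rule-result>
  <rule-result idref="rule-audit-logon-events">
    <result>fail</result>
    <ident system="http://cce.mitre.org">CCE-0000-2</ident>
  </rule-result>
  <rule-result idref="rule-web-server-only">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

def parse_rule_results(xml_text):
    """One dict per rule-result: rule id, outcome, and any CCE ids attached."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        res = rr.find("x:result", XCCDF_NS)
        outcome = res.text.strip() if res is not None and res.text else "unknown"
        cces = [i.text.strip() for i in rr.findall("x:ident", XCCDF_NS)
                if i.get("system") == CCE_SYSTEM and i.text]
        rows.append({"rule": rr.get("idref"), "result": outcome, "cce": cces})
    return rows

def summarize(rows):
    """Count outcomes; any result other than pass/fail/notapplicable is 'other'."""
    counts = {"pass": 0, "fail": 0, "notapplicable": 0, "other": 0}
    for r in rows:
        counts[r["result"] if r["result"] in counts else "other"] += 1
    return counts

def failed_cces(rows):
    """CCE ids of failed rules: what a remediation ticket or hardening guide keys on."""
    return sorted(c for r in rows if r["result"] == "fail" for c in r["cce"])

if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULT)
    print(summarize(rows), failed_cces(rows))
```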