Security Content Automation Protocol and Web Application Security
A presentation on SCAP I delivered at the August 5th OWASP DC Chapter.
Published in: Technology, News & Politics
1 Comment
  • ActivClient CAC is arguably the best solution for network security and assurance. Because you need an ID to gain access, you can know who is responsible for any intrusion of privacy. It's not a bulletproof system. The U.S. Department of Defense uses it, and it's available for private organizations.
  • The following presentation contains insights and opinions gathered from over 30 years of combined experience in the government INFOSEC space. It’s interspersed with some humor – security presentations can be pretty dry without it. We hope that this presentation will provide you with the impetus to reemphasize security within your organization, and feel good about doing so. The subtitle means “Automatic, Practical, Good!” and is a play on the Ritter Sport tagline “Quadratisch, Praktisch, Gut!” which translates as “Square, Practical, Good!” http://www.ritter-sport.de/
  • Mike’s blog is at http://www.guerilla-ciso.com/ Mike teaches for Potomac Forum http://www.potomacforum.org/ Contact information for Mike is at the end of this presentation.
  • OK, it could be that SCAP and automation replaces all of us with tool monkeys. This impact remains to be seen.
  • WASC Threat Classification Working Group http://projects.webappsec.org/Threat-Classification-Working CWE http://cwe.mitre.org/
  • Picture is “lifted” from Encyclopedia Dramatica and used under Fair Use. http://www.encyclopediadramatica.com/Image:God-kills-kitten.jpg http://www.encyclopediadramatica.com/Encyclopedia_Dramatica:General_disclaimer#Fair_Use_and_Copyrighted_Materials
  • If you would like us to speak for your event or group, please ask. If you would like to learn more and to keep up-to-date on groundbreaking Government security news, subscribe to the guerilla-ciso blog feed. Presentation released under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License. More information available at http://creativecommons.org/licenses/by-nc-sa/3.0/
  • Transcript

    • 1. The Security Content Automation Protocol and Web Application Security: Automatisch, Praktisch, Gut!
    • 2. Who is Michael Smith?
        • 8 years active duty army
        • Graduate of Russian basic course, Defense Language Institute, Monterey, CA
        • DotCom survivor
        • Infantryman, deployed to Afghanistan (2004)
        • CISSP #50247 (2003), ISSEP (2005)
        • Former CISO, Unisys Federal Service Delivery Center
        • Currently a Manager in a Big Four Firm
    • 3. SCAP Defined
        • “SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.”
        • -- NIST SP 800-117
    • 4. So What Really is SCAP
        • Simple: XML Schemas that describe security
        • XCCDF: The eXtensible Configuration Checklist Description Format
        • OVAL: Open Vulnerability and Assessment Language
        • CCE: Common Configuration Enumeration
        • CPE: Common Platform Enumeration
        • CVE: Common Vulnerabilities and Exposures
        • CVSS: Common Vulnerability Scoring System
    • 5. So What Really is SCAP
        • Simple: XML Schemas that describe security
        • XCCDF: Audit and vulnerability checks
        • OVAL: Audit description and results
        • CCE: Hardening guides
        • CPE: Environment descriptions
        • CVE: Vulnerability disclosures
        • CVSS: Impact of vulnerabilities
    • 6. The “So What” Test
        • Security Automation
        • Autonomic Security
        • Massively-scaled technical security management
        • Operational Metrics
        • My favorite: replace the “checklist monkeys” with a cleverly-written shell script
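As an added example (not part of the slides or the speaker's material), here is the kind of script slides 5 and 6 point at, in Python rather than shell: it parses an XCCDF 1.2 TestResult, reports pass/fail per rule, and picks up the CCE identifier where the checklist content supplies one. The XML document and the CCE ids inside it are constructed placeholders, not real benchmark content.

```python
"""Summarise an XCCDF TestResult: pass/fail per rule, with CCE identifiers where present."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"   # XCCDF 1.2 namespace
CCE_SYSTEM = "http://cce.mitre.org"                  # ident/@system value that marks a CCE id

# Constructed sample result document (not from any real scan); CCE ids are placeholders.
SAMPLE_RESULTS = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" end-time="2009-08-05T12:00:00">
    <rule-result idref="xccdf_example_rule_password_min_len">
      <result>pass</result>
      <ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-1</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_telnet_disabled">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-PLACEHOLDER-2</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ssh_root_login">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_not_applicable_here">
      <result>notapplicable</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""

def parse_rule_results(xml_text):
    """Return a list of (rule id, result, cce id or None) from every rule-result in the TestResult."""
    root = ET.fromstring(xml_text)
    ns = {"x": XCCDF_NS}
    out = []
    for rr in root.iterfind(".//x:TestResult/x:rule-result", ns):
        result = rr.findtext("x:result", namespaces=ns)
        cce = None
        for ident in rr.iterfind("x:ident", ns):   # a rule may carry several idents; keep the CCE one
            if ident.get("system") == CCE_SYSTEM:
                cce = ident.text
        out.append((rr.get("idref"), result, cce))
    return out

def summarise(rule_results):
    """Count every result value and list the rules needing attention (fail, error, unknown)."""
    counts = Counter(r for _, r, _ in rule_results)
    failures = [(rid, cce) for rid, r, cce in rule_results if r in ("fail", "error", "unknown")]
    return dict(counts), failures
```

Rules reported as `notapplicable`, `notchecked` or `informational` are counted but not listed as failures, which is usually what a hardening report wants; adjust the tuple in `summarise` if your policy treats `notchecked` as a finding.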
    • 7. Scenarios: The Important First Word
        • The scenarios are all conceptual
        • I probably got some things wrong
        • I’m really just trying to illustrate what SCAP can become at some point
    • 8. Scenario: Patch, VM, and Audit
    • 9. Scenario: Configuration Management
    • 10. Scenario: Vulnerability Research
    • 11. SCAP Weaknesses
        • Certification Program too byzantine
        • Users don’t understand what “Big SCAP” can do for them
        • Current content not in SCAP formats
        • “Squishy” for custom code vulnerabilities
        • We need more content!!!
    • 12. How You Can Use SCAP
        • Use the Foo, Luke—Automate wherever possible
        • Work with WASC’s Threat Classification WG
        • Use Common Weaknesses and Exposures for misconfigurations and coding errors
        • Go to the NIST SCAP Conference in October
        • Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!
    • 13. Goodies from Mitre!
        • Recommendation Tracker
        • Benchmark Editor
        • Windows Investigator Tool (WIT)
        • OVAL Interpreter
        • XCCDF Content Automation Tool (XCAT)
        • http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools
    • 14. The Final Message
    • 15. Questions, Comments, or War Stories?
        • http://www.guerilla-ciso.com/
        • rybolov(a)ryzhe.ath.cx