Security Content Automation Protocol and Web Application Security

The Security Content Automation Protocol and Web Application Security Automatisch, Praktisch, Gut!

Who is Michael Smith?
8 years active duty army
Graduate of Russian basic course, Defense Language Institute, Monterey, CA
DotCom survivor
Infantryman, deployed to Afghanistan (2004)
CISSP #50247 (2003), ISSEP (2005)
Former CISO, Unisys Federal Service Delivery Center
Currently a Manager in a Big Four Firm

SCAP Defined
SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.
--NIST SP 800-117

So What Really is SCAP
Simple: XML Schemas that describe security
XCCDF: The eXtensible Configuration Checklist Description Format
OVAL: Open Vulnerability and Assessment Language
CCE: Common Configuration Enumeration
CPE: Common Platform Enumeration
CVE: Common Vulnerabilities and Exposures
CVSS: Common Vulnerability Scoring System

So What Really is SCAP
Simple: XML Schemas that describe security
XCCDF: Audit and vulnerability checks
OVAL: Audit description and results
CCE: Hardening guides
CPE: Environment descriptions
CVE: Vulnerability disclosures
CVSS: Impact of vulnerabilities

The “So What” Test
Security Automation
Autonomic Security
Massively-scaled technical security management
Operational Metrics
My favorite:
Replace the “checklist monkeys” with a cleverly-written shell script

Scenarios: The Important First Word
The scenarios are all conceptual
I probably got some things wrong
I’m really just trying to illustrate what SCAP can become at some point

Scenario: Patch, VM, and Audit

Scenario: Configuration Management

Scenario: Vulnerability Research

SCAP Weaknesses
Certification Program too byzantine
Users don’t understand what “Big SCAP” can do for them
Current content not in SCAP formats
“ Squishy” for custom code vulnerabilities
We need more content!!!

How You Can Use SCAP
Use the Foo, Luke—Automate wherever possible
Work with WASC’s Threat Classification WG
Use Common Weaknesses and Exposures for misconfigurations and coding errors
Go to the NIST SCAP Conference in October
Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!

Goodies from Mitre!
Recommendation Tracker
Benchmark Editor
Windows Investigator Tool (WIT)
OVAL Interpreter
XCCDF Content Automation Tool (XCAT)
http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools

The Final Message

Questions, Comments, or War Stories?
http://www.guerilla-ciso.com/
rybolov(a)ryzhe.ath.cx

http://www.guerilla-ciso.com	271
http://blog.securitymonks.com	48
http://www.slideshare.net	6
http://feeds.feedburner.com	1

Security Content Automation Protocol and Web Application Security

by Michael Smith on Aug 07, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

4 Embeds 326

Statistics

Security Content Automation Protocol and Web Application Security — Presentation Transcript