The Security Content Automation Protocol and Web Application Security Automatisch, Praktisch, Gut!

Who is Michael Smith? 8 years active duty army Graduate of Russian basic course, Defense Language Institute, Monterey, CA DotCom survivor Infantryman, deployed to Afghanistan (2004) CISSP #50247 (2003), ISSEP (2005) Former CISO, Unisys Federal Service Delivery Center Currently a Manager in a Big Four Firm

8 years active duty army

Graduate of Russian basic course, Defense Language Institute, Monterey, CA

DotCom survivor

Infantryman, deployed to Afghanistan (2004)

CISSP #50247 (2003), ISSEP (2005)

Former CISO, Unisys Federal Service Delivery Center

Currently a Manager in a Big Four Firm

SCAP Defined SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise. --NIST SP 800-117

SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise.

--NIST SP 800-117

So What Really is SCAP Simple: XML Schemas that describe security XCCDF: The eXtensible Configuration Checklist Description Format OVAL: Open Vulnerability and Assessment Language CCE: Common Configuration Enumeration CPE: Common Platform Enumeration CVE: Common Vulnerabilities and Exposures CVSS: Common Vulnerability Scoring System

Simple: XML Schemas that describe security

XCCDF: The eXtensible Configuration Checklist Description Format

OVAL: Open Vulnerability and Assessment Language

CCE: Common Configuration Enumeration

CPE: Common Platform Enumeration

CVE: Common Vulnerabilities and Exposures

CVSS: Common Vulnerability Scoring System

So What Really is SCAP Simple: XML Schemas that describe security XCCDF: Audit and vulnerability checks OVAL: Audit description and results CCE: Hardening guides CPE: Environment descriptions CVE: Vulnerability disclosures CVSS: Impact of vulnerabilities

Simple: XML Schemas that describe security

XCCDF: Audit and vulnerability checks

OVAL: Audit description and results

CCE: Hardening guides

CPE: Environment descriptions

CVE: Vulnerability disclosures

CVSS: Impact of vulnerabilities

The “So What” Test Security Automation Autonomic Security Massively-scaled technical security management Operational Metrics My favorite: Replace the “checklist monkeys” with a cleverly-written shell script

Security Automation

Autonomic Security

Massively-scaled technical security management

Operational Metrics

My favorite:

Replace the “checklist monkeys” with a cleverly-written shell script

Scenarios: The Important First Word The scenarios are all conceptual I probably got some things wrong I’m really just trying to illustrate what SCAP can become at some point

The scenarios are all conceptual

I probably got some things wrong

I’m really just trying to illustrate what SCAP can become at some point

Scenario: Patch, VM, and Audit

Scenario: Configuration Management

Scenario: Vulnerability Research

SCAP Weaknesses Certification Program too byzantine Users don’t understand what “Big SCAP” can do for them Current content not in SCAP formats “ Squishy” for custom code vulnerabilities We need more content!!!

Certification Program too byzantine

Users don’t understand what “Big SCAP” can do for them

Current content not in SCAP formats

“ Squishy” for custom code vulnerabilities

We need more content!!!

How You Can Use SCAP Use the Foo, Luke—Automate wherever possible Work with WASC’s Threat Classification WG Use Common Weaknesses and Exposures for misconfigurations and coding errors Go to the NIST SCAP Conference in October Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!

Use the Foo, Luke—Automate wherever possible

Work with WASC’s Threat Classification WG

Use Common Weaknesses and Exposures for misconfigurations and coding errors

Go to the NIST SCAP Conference in October

Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!

Goodies from Mitre! Recommendation Tracker Benchmark Editor Windows Investigator Tool (WIT) OVAL Interpreter XCCDF Content Automation Tool (XCAT) http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools

Recommendation Tracker

Benchmark Editor

Windows Investigator Tool (WIT)

OVAL Interpreter

XCCDF Content Automation Tool (XCAT)

http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools

The Final Message

Questions, Comments, or War Stories? http://www.guerilla-ciso.com/ rybolov(a)ryzhe.ath.cx

Questions, Comments, or War Stories?

http://www.guerilla-ciso.com/

rybolov(a)ryzhe.ath.cx