{"id":2430,"date":"2015-11-10T02:16:53","date_gmt":"2015-11-10T02:16:53","guid":{"rendered":"http:\/\/websecuritypatterns.com\/blogs\/?p=2430"},"modified":"2017-10-12T04:34:09","modified_gmt":"2017-10-12T04:34:09","slug":"automating-security-assessments-using-scap-demand-assessments-compliance-reporting-remediation","status":"publish","type":"post","link":"https:\/\/websecuritypatterns.com\/blogs\/2015\/11\/10\/automating-security-assessments-using-scap-demand-assessments-compliance-reporting-remediation\/","title":{"rendered":"Automating Security and Compliance Assessments using SCAP – On-demand Scanning and Compliance Reporting with Remediation"},"content":{"rendered":"

Manually assessing security controls, host and application configuration, access control policies, software patch levels and creating on-demand compliance readiness reports has always been a daunting task, especially when it is critical to adhere standards and regulatory mandates. \u00a0Not only those processes are very time consuming and they are also highly prone to human errors. \u00a0It becomes even more complicated when Security professionals unfamiliar with the target resource often struggle to identify technical controls, particularly to find ways to answer the following questions:<\/span><\/p>\n

    \n
  1. Does the hosted system and applications meet the organization’s security policies?<\/span><\/li>\n
  2. Does the hosted\u00a0system and applications are configured right and patched to the appropriate levels addressing all known vulnerabilities?<\/span><\/li>\n
  3. How can we review default configuration settings, ports, protocols, and services are effective and in use?<\/span><\/li>\n
  4. How can we perform individual checks for critical security controls and report the results of each of those checks performed?<\/span><\/li>\n
  5. How to measure risks in terms of metrics for vulnerabilities assigning severity levels?<\/span><\/li>\n<\/ol>\n

    Answering those questions\u00a0becomes, even more, harder if those processes need to be repeated for periodic reviews and to sustain compliance mandates. Thus, it is extremely critical to automate using a standards-based approach that is easily repeatable to help on-demand evaluation and reviews. This will help quickly review system configurations, installation and presence of minimum required security policies, updates, patches, \u00a0system security configuration settings and all known vulnerabilities related to unnecessary ports and protocols and finally minimization of hosted applications in alignment with industry standards (such as PCI-DSS) and regulatory mandates such as HIPAA, FISMA and others.<\/span><\/p>\n

    What is SCAP?<\/span><\/h3>\n
    \n
    \n
    \n
    \n

    Based on the NIST Special Publication 800-53<\/a> (SP 800-53) controls framework, the “Security Content Automation Protocol \u00a0(SCAP)<\/a>” is a NIST defined standard to enable automation of vulnerability management, vulnerability measurement, and security compliance assessment for systems. \u00a0The scripts follow standards using “Open Vulnerability and Assessment Language” (OVAL) and Extensible Configuration Checklist Description Format (XCCDF). A typical SCAP implementation will include the following components:<\/span><\/p>\n