
SCAP

Updated Jan 30, 2024

Overview

Security Content Automation Protocol (SCAP) is a suite of open specifications maintained by the National Institute of Standards and Technology (NIST) and published as NIST SP 800-126. It combines content languages (for expressing checks and results) with enumerations (standard identifiers) so that vulnerability management, security measurement, and policy compliance evaluation can be automated and the results exchanged between tools.

Supported Languages

Three main languages used inside SCAP:

  • Open Vulnerability and Assessment Language (OVAL)

    • Vulnerability and configuration assessment language.
    • XML schema for expressing checks for vulnerabilities, patches and configuration issues.
    • Describes the system information to collect, the machine state to test for, and how to report the result of the test.
    • Allows for a consistent and interoperable way of collecting information from systems, independent of the scanner.
  • Extensible Configuration Checklist Description Format (XCCDF)

    • Security checklist language.
    • XML schema for developing and auditing best-practice configuration rules.
    • Describes security configuration guidelines and references the automated test procedures (usually OVAL definitions) that check each rule.
    • Before XCCDF, guidance was a long prose document with step-by-step instructions that had to be applied and verified by hand.
    • With XCCDF, automated scanning tools can check systems against the same checklist and record the outcome per rule.
  • Asset Reporting Format (ARF)

    • XML schema for expressing information about assets and the relationships between assets and the reports produced about them.
    • Standardized format for reporting asset identification and metadata, and for wrapping scan results so they can be exchanged between tools.
    • Vendor and technology neutral, suited for different reporting applications.

Enumeration Methods

SCAP also includes enumerations: standardized identifier schemes for configuration settings (CCE), platforms (CPE) and vulnerabilities (CVE), so that content from different vendors refers to the same thing by the same name.

Common Configuration Enumeration (CCE)

Common Configuration Enumeration (CCE) is part of the SCAP ecosystem and complements CPE, CVE, and related standards. It provides a standardized identifier for system security configuration settings.

  • Security checklists.
  • Guidelines and best practices for secure system configuration.
  • Unique identifiers for individual configuration settings, so that checklists, guidance and tools can refer to the same setting unambiguously.

Example: a CCE ID such as CCE-12345-6 (an illustrative number; the digit after the second hyphen is a check digit) could represent "Ensure the Windows firewall is enabled for all profiles."

Common Platform Enumeration (CPE)

Common Platform Enumeration (CPE) is a standardized naming scheme for IT systems, software, and hardware. It uniquely identifies platforms, operating systems, and applications. It is written in a machine-readable format; the CPE 2.2 URI binding uses the prefix:

cpe:/ 

Standard format (CPE 2.2 URI; trailing components that are unspecified may be omitted):

cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>

The <part> is a (application), o (operating system) or h (hardware). Example:

cpe:/a:microsoft:internet_explorer:11.0

The newer CPE 2.3 formatted string, which the NVD uses today, starts with cpe:2.3: and always carries 11 components (the seven above plus sw_edition, target_sw, target_hw and other), using * for "any value" and - for "not applicable", e.g. cpe:2.3:a:microsoft:internet_explorer:11.0:*:*:*:*:*:*:* for the same product.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE), maintained by MITRE, is a list of records that each identify one publicly known security flaw. A CVE ID only names the flaw; severity comes from CVSS and affected platforms from CPE. Each CVE ID has the following format:

CVE-YYYY-NNNN         ## YYYY is the year the ID was assigned or the flaw was published; NNNN is a sequence number of four or more digits.
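The following is an added example, not code from the original page or from NIST or MITRE: a small Python module that validates CVE IDs against the format above and parses both CPE bindings described in the previous section (the 2.2 URI and the 2.3 formatted string, including backslash-escaped colons inside 2.3 values), then does a simplified CPE match of the kind a scanner performs when deciding whether an inventory entry is covered by an affected-platform name. All sample identifiers are constructed for illustration; the matching is a deliberate simplification (exact or "any" per attribute) and does not implement the full CPE name-matching rules or NVD version ranges.

```python
import re

# Attribute names of a CPE 2.2 URI (7) and of a CPE 2.3 formatted string (11).
CPE22_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")
CPE23_FIELDS = CPE22_FIELDS + ("sw_edition", "target_sw", "target_hw", "other")
ANY = "*"  # logical "any value"; CPE 2.3 also uses "-" for "not applicable"

# CVE IDs: four-digit year, then a sequence number of four or more digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve(cve_id):
    """Return (year, sequence) for a well-formed CVE ID, or None if malformed."""
    m = CVE_RE.match(cve_id)
    return (int(m.group(1)), int(m.group(2))) if m else None


def _split_unescaped(s, sep=":"):
    """Split s on sep, keeping backslash-escaped characters (CPE 2.3 style) as literals."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])  # escaped char is part of the value, not a separator
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_cpe(name):
    """Parse a CPE 2.2 URI (cpe:/...) or CPE 2.3 formatted string (cpe:2.3:...).

    Returns (binding_version, fields). All 11 attribute names are present; any
    attribute the name does not constrain is set to ANY. (Assumption for this
    example: 2.2 URIs are not percent-decoded and packed '~' editions are not unpacked.)
    """
    if name.startswith("cpe:2.3:"):
        values = _split_unescaped(name[len("cpe:2.3:"):])
        if len(values) != 11:
            raise ValueError("CPE 2.3 name needs 11 components, got %d" % len(values))
        version = "2.3"
    elif name.startswith("cpe:/"):
        values = name[len("cpe:/"):].split(":")
        if not 1 <= len(values) <= 7:
            raise ValueError("CPE 2.2 URI needs 1 to 7 components, got %d" % len(values))
        # Empty or omitted trailing components mean "unspecified" in CPE 2.2.
        values = [v if v else ANY for v in values] + [ANY] * (11 - len(values))
        version = "2.2"
    else:
        raise ValueError("not a CPE name: %r" % name)
    fields = dict(zip(CPE23_FIELDS, values))
    if fields["part"] not in ("a", "o", "h", ANY):
        raise ValueError("part must be a (application), o (OS) or h (hardware)")
    return version, fields


def cpe_matches(pattern, target):
    """Simplified match: every attribute of pattern is ANY or equals target's (case-insensitive)."""
    _, p = parse_cpe(pattern)
    _, t = parse_cpe(target)
    return all(p[k] == ANY or p[k].lower() == t[k].lower() for k in CPE23_FIELDS)


if __name__ == "__main__":
    inventory = "cpe:2.3:a:microsoft:internet_explorer:11.0:*:*:*:*:*:*:*"  # constructed
    print(parse_cve("CVE-2024-0001"))
    print(cpe_matches("cpe:/a:microsoft:internet_explorer", inventory))
```

A practical point the parser makes explicit: a 2.2 name that stops at the product (no version) matches every version, which is how a scanner decides that an affected-platform entry without a version covers the whole product line.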

CVSS

CVSS, or Common Vulnerability Scoring System, provides a standardized method for rating vulnerabilities to help organizations prioritize their responses and allocate resources effectively.

  • Scores are based on metrics evaluating exploitability (how easily the flaw can be reached and triggered) and impact (on confidentiality, integrity and availability).
  • Metrics are grouped into base, temporal, and environmental metric groups. The base score is what the NVD publishes; temporal and environmental metrics adjust it for the current state of exploit code and fixes and for the asset's importance in your environment.
  • Higher scores mean more severe vulnerabilities, on a 0.0 to 10.0 scale.

Qualitative severity ratings (CVSS v3.x):

  • None
  • Low
  • Medium
  • High
  • Critical

CVSS Ratings (CVSS v3.x mapping from numeric score to qualitative rating):

  CVSS Score Range    Severity Rating
  0.0                 None
  0.1 - 3.9           Low
  4.0 - 6.9           Medium
  7.0 - 8.9           High
  9.0 - 10.0          Critical

Note that CVSS v2 used only Low (0.0 - 3.9), Medium (4.0 - 6.9) and High (7.0 - 10.0), so older scan output may report no Critical rating at all.

Benchmarks

A benchmark is a set of security configuration rules for a specific product or set of products, providing a detailed checklist that can be used to harden systems to a defined baseline and to verify that they stay there.

  • Usually expressed in XCCDF, with the individual checks implemented as OVAL definitions.
  • Examples are the benchmarks shipped by Red Hat (the SCAP Security Guide content evaluated with the oscap tool), the CIS Benchmarks and the DISA STIGs.
  • A scan against a benchmark produces a per-rule result (pass, fail, notapplicable, notchecked, error, and so on) recorded in an XCCDF TestResult, usually wrapped in ARF for reporting.
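As an added example covering both the XCCDF description above and benchmark scanning (not code from the original page, and not part of any SCAP tool), the Python below parses a minimal XCCDF 1.2 document, constructed inline for the example, that contains three rules, a profile selecting them, and the TestResult a scanner would append after evaluating the profile. It joins each rule-result to its rule title, lists failures highest severity first, and computes a compliance ratio that counts only pass and fail, so that notapplicable or unchecked rules are not silently treated as passes. The benchmark, rule and profile IDs follow the XCCDF 1.2 naming convention but are invented for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}

# Constructed sample (not real scanner output): a minimal XCCDF 1.2 benchmark with
# three rules, a profile that selects them, and the TestResult of one evaluation.
SAMPLE_RESULTS = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <status date="2024-01-30">draft</status>
  <title>Demo benchmark</title>
  <version>0.1</version>
  <Profile id="xccdf_org.example_profile_baseline">
    <title>Baseline</title>
    <select idref="xccdf_org.example_rule_sshd_root_login" selected="true"/>
    <select idref="xccdf_org.example_rule_firewall_enabled" selected="true"/>
    <select idref="xccdf_org.example_rule_wifi_disabled" selected="true"/>
  </Profile>
  <Rule id="xccdf_org.example_rule_sshd_root_login" severity="high">
    <title>Disable direct root login over SSH</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_firewall_enabled" severity="medium">
    <title>Host firewall service is enabled</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_wifi_disabled" severity="low">
    <title>Wireless interfaces are disabled</title>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="demo-oval.xml" name="oval:org.example:def:3"/>
    </check>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_demo" start-time="2024-01-30T10:00:00" end-time="2024-01-30T10:00:05">
    <benchmark href="demo-xccdf.xml" id="xccdf_org.example_benchmark_demo"/>
    <profile idref="xccdf_org.example_profile_baseline"/>
    <target>host1.example.internal</target>
    <rule-result idref="xccdf_org.example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_firewall_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_wifi_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.000000">50.000000</score>
  </TestResult>
</Benchmark>
"""


def load_results(xml_text):
    """Return one dict per rule-result, joined with the rule's title from the benchmark body."""
    root = ET.fromstring(xml_text)
    # Rules may sit inside nested <Group> elements, so walk the whole tree for titles.
    titles = {rule.get("id"): rule.findtext("x:title", default="", namespaces=NS)
              for rule in root.iter("{%s}Rule" % XCCDF_NS)}
    results = []
    for test_result in root.iter("{%s}TestResult" % XCCDF_NS):
        for rr in test_result.iterfind("x:rule-result", NS):
            rule_id = rr.get("idref")
            results.append({
                "rule": rule_id,
                "title": titles.get(rule_id, ""),
                "severity": rr.get("severity", "unknown"),
                "result": rr.findtext("x:result", default="unknown", namespaces=NS),
            })
    return results


def summarize(results):
    """Count each outcome and list the failures, highest severity first."""
    counts = Counter(r["result"] for r in results)
    failed = sorted((r for r in results if r["result"] == "fail"),
                    key=lambda r: SEVERITY_ORDER.get(r["severity"], 99))
    return counts, failed


def compliance(results):
    """Fraction of scored rules that passed. Only pass and fail are scored; notapplicable,
    notchecked, notselected, error and unknown must not be counted as passes."""
    scored = [r for r in results if r["result"] in ("pass", "fail")]
    if not scored:
        return None
    return sum(r["result"] == "pass" for r in scored) / len(scored)


if __name__ == "__main__":
    res = load_results(SAMPLE_RESULTS)
    counts, failed = summarize(res)
    print(dict(counts), "compliance=%.0f%%" % (100 * compliance(res)))
    for r in failed:
        print("FAIL [%s] %s: %s" % (r["severity"], r["rule"], r["title"]))
```

The same functions work on the XCCDF results file a real scanner writes, since the TestResult element and rule-result children are what the format standardizes; when the output is wrapped in ARF, locate the embedded Benchmark or TestResult element first and pass that subtree in.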