Skip to main content

SCAP

Updated Jan 30, 2024 ·

Overview

Security Content Automation Protocol (SCAP) is a collection of open standards developed by the National Institute of Standards and Technology (NIST) to automate vulnerability management, measurement, and policy compliance evaluation.

Supported Languages

Three main languages used inside a SCAP:

  • Open Vulnerability and Assessment Language (OVAL)

    • Vulnerability Reporting Format
    • XML schema for reporting vulnerabilities and configuration issues.
    • Describe system information, machine state, and the reporting method.
    • Allows for consistent and interoperable way of collecting information.

  • Extensible Configuration Checklist Description Format (XCCDF)

    • Security Automation Data
    • XML schema for developing and auditing best practice configuration rules.
    • Describes security configuration guidelines and automated test procedures.
    • Before XCCDF, a long document containing step-by-step guide is used.
    • With XCCDF, we can use automated scanning tools to check the systems.

  • Asset Reporting Format (ARF)

    • XML schema for expressing informattion about assets and relationships.
    • Standardized format for reporting asset identification and metadata.
    • Vendor and technology neutral, suited for different reporting applications.

Enumeration Methods

There are also different methods of enumerating assets.

  • Common Configuration Enumeration (CCE)

    • Security Checklists.
    • Configuration guidelines and best practices for secure system configuration.
    • Provides unique identifiers for different configuration system issues.

  • Common Platform Enumeration (CPE)

    • Structured naming scheme for hardware, software, and operating systems.

    • Written in machine-readable format, with prefix:

      cpe:/

    • Standard format:

      cpe:/<part>:<vendor>:<product>:<version>:<update>:<edition>:<language>

    • Example:

      cpe:/a:microsoft:internet_explorer:11.0

  • Common Vulnerabilities and Exposures (CVE)

    • List of records of vulnerability definitions.

    • Provides a standardized identifier for vulnerabilities and exposures.

    • Each CVE has the following format:

      CVE-YYYY-NNNN         ## YYYY is year, NNNN is unique number.

CVSS

CVSS, or Common Vulnerability Scoring System, is a framework for assessing the severity and potential impact of security vulnerabilities. It provides a standardized method for rating vulnerabilities to help organizations prioritize their responses and allocate resources effectively.

  • Scores are based on metrics evaluating exploitability and impact.
  • Metrics include base, temporal, and environmental scores.
  • Scores range from 0 to 10; higher scores indicating more severe vulnerabilities.
  • Qualitative severity ratings such as Low, Medium, High, and Critical.

CVSS Ratings:

CVSS Score RangeSeverity Rating
0.0 - 3.9Low
4.0 - 6.9Medium
7.0 - 8.9High
9.0 - 10.0Critical

Benchmarks

A benchmark is a set of security configuration rules for some specific set or products to provide a detailed checklist that can be used to secure systems to a specific baseline.

  • Usually expressed in the XCCDF.
  • Examples are benchmark from Red Hat and CIS.