Security Content Automation Protocol: Difference between revisions

Content deleted Content added
AnomieBOT (talk | contribs)
m Dating maintenance tags: {{By whom?}} {{When?}}
make purpose clearer
Line 1:
The '''Security Content Automation Protocol''' ('''SCAP''') is a method for using specific standards to enable the automated vulnerability management, measurement, and policy compliance evaluation (of systems deployed in an organization, including e.g., [[FISMA]] compliance). The [[National Vulnerability Database]] (NVD) is the U.S. government content repository for SCAP.
 
==Purpose==
To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced "ess-cap", combinescomprises a number of open standards that are widely used{{by whom?|date=February 2016}} to enumerate software flaws and configuration issues related to security. TheyApplications measurewhich conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. ItThe isSCAP asuite methodof forspecifications usingstandardize thosethe opennomenclature standardsand forformats used by these automated vulnerability management, measurement, and policy compliance evaluationproducts. SCAP defines how the following standards (referred to as SCAP 'Components') are combined:
 
A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way.
 
SCAP defines how the following standards (referred to as SCAP 'Components') are combined:
 
===SCAP Components===
Starting with SCAP version 1.0 (July, 2010)
* [[Common Vulnerabilities and Exposures]] [http://cve.mitre.org/ (CVE)]
* [http://nvd.nist.gov/cce/ Common Configuration Enumeration (CCE)] ([http://cce.mitre.org/ prior web-site at MITRE])
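Review bot: The new standalone paragraph beginning "A vendor of a computer system configuration scanner can get their product validated against SCAP" states what validation demonstrates (interoperation with other scanners, standardized results) without any reference, in a section that already carries a {{by whom?}} tag. Add a <ref> to a source for the validation claim. In the rewritten Purpose paragraph, "The SCAP suite of specifications standardize" has a singular subject ("suite") and should read "standardizes". The edit rewords the text around "widely used" but leaves the {{by whom?|date=February 2016}} tag unresolved, so either attribute the usage to a source or drop the "widely used" wording.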
Line 12 ⟶ 17:
* [[Extensible Configuration Checklist Description Format]] [http://scap.nist.gov/specifications/xccdf/ (XCCDF)]
* [[Open Vulnerability and Assessment Language]] [http://oval.mitre.org/ (OVAL)]
Starting with SCAP version 1.1 (February, 2011)
* [http://scap.nist.gov/specifications/ocil/ Open Checklist Interactive Language (OCIL) Version 2.0]
Starting with SCAP version 1.2 (September, 2011)
* [http://scap.nist.gov/specifications/ai/ Asset Identification]
* [http://scap.nist.gov/specifications/arf/ Asset Reporting Format (ARF)]