The Security Content Automation Protocol, or SCAP, is an effort led by the National Institute for Standards and Technology to create a consistent language and format for discussing security issues. In this video, learn about the major components of SCAP and how you may use them in your organization.
- [Instructor] You've probably already figured out that there's a ton of jargon in the world of vulnerability management and that jargon can be a little bit confusing. We might use the terms web application vulnerability, SQL injection issue and input validation flaw all to refer to the same issue. We also might talk about a vulnerability are being severe, critical or urgent. There's a lot of ambiguity in our language and that ambiguity is not only confusing for all of us, it can also prevent us from automating vulnerability activities. It's as if our systems don't speak the same language. That's where the Security Content Automation Protocol, SCAP comes into place. SCAP is an effort led by the National Institute for Standards and Technology to create a consistent language and format for discussing security issues. Systems that adhere to SCAP standards are able to share information in a way that describes environments, vulnerabilities and remediation steps using consistent language. SCAP has several components. Let me give you a quick run through of them at a high level. The SCAP component that we'll explore in the most depth is the Common Vulnerability Scoring System, CVSS. CVSS is widely used throughout the security community because it provides a consistent way to evaluate the severity of security vulnerabilities. CVSS scores are found in most vulnerability scanning products and are seen on scan reports. Common Configuration Enumeration, CCE, is another SCAP component. CCE provides us with a consistent language to use when we're sharing system configuration information. Common Platform Enumeration, CPE, provides a common language for product names and versions, giving us a way to make sure that we're all talking about the same software. Common Vulnerabilities and Exposures, CVE, gives us a language for describing vulnerabilities in those products and the Extensible Configuration Checklist Description Format, XCCDF, provides a language for creating and sharing checklists and the results of processing those checklists. And finally, the Open Vulnerability and Assessment Language, OVAL, gives us a way to describe testing procedures in a programmatic fashion. You should be familiar with these SCAP acronyms and the high-level purpose of each SCAP component when you take the exam.
- Setting up Nessus on Linux and Windows
- Identifying scan targets and frequency
- Configuring vulnerability scans
- Reporting scan results
- Overcoming barriers to vulnerability remediation