Security Content Automation Protocol and Web Application Security

A presentation on SCAP I delivered at the August 5th OWASP DC Chapter.
Page 1: The Security Content Automation Protocol and Web Application Security
Automatisch, Praktisch, Gut! (Automatic, Practical, Good!)
Page 2: Who is Michael Smith?
• 8 years active duty army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm
Page 3: SCAP Defined
"SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise."
-- NIST SP 800-117
Page 4: So What Really is SCAP
Simple: XML Schemas that describe security
• XCCDF: The eXtensible Configuration Checklist Description Format
• OVAL: Open Vulnerability and Assessment Language
• CCE: Common Configuration Enumeration
• CPE: Common Platform Enumeration
• CVE: Common Vulnerabilities and Exposures
• CVSS: Common Vulnerability Scoring System
Page 5: So What Really is SCAP
Simple: XML Schemas that describe security
• XCCDF: Audit and vulnerability checks
• OVAL: Audit description and results
• CCE: Hardening guides
• CPE: Environment descriptions
• CVE: Vulnerability disclosures
• CVSS: Impact of vulnerabilities
Page 6: The “So What” Test
• Security Automation
• Autonomic Security
• Massively-scaled technical security management
• Operational Metrics
• My favorite: Replace the “checklist monkeys” with a cleverly-written shell script
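The "cleverly-written shell script" of this slide, and the XCCDF/OVAL "audit description and results" of the previous one, come together in whatever consumes the XCCDF result a scanner writes and turns it into the operational metrics the slide asks for. As an added example that is not code from this talk, the Python below reads a constructed document in the shape of XCCDF 1.2 (namespace http://checklists.nist.gov/xccdf/1.2) containing a Benchmark with three Rules and one TestResult, and reports pass/fail counts, the share of checked rules that pass, and each failing rule with its CCE identifier and the OVAL definition that checks it. The rule ids, CCE numbers, OVAL definition ids and host name in the sample are made up for illustration.

```python
"""Turn an XCCDF 1.2 TestResult into pass/fail metrics.

Added example; not code from the presentation. SAMPLE is a constructed
benchmark-plus-result document in the shape of XCCDF 1.2; its rule ids,
CCE numbers, OVAL definition ids and host name are made up.
"""
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "http://cce.mitre.org"

# Constructed sample: one rule passes, one fails, one is not applicable.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_webserver">
  <status>draft</status>
  <title>Constructed web server benchmark</title>
  <version>0.1</version>
  <Rule id="xccdf_org.example_rule_tls-only" severity="high">
    <title>Serve the application over TLS only</title>
    <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="webserver-oval.xml" name="oval:org.example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_no-dir-listing" severity="medium">
    <title>Directory listing disabled</title>
    <ident system="http://cce.mitre.org">CCE-00000-2</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="webserver-oval.xml" name="oval:org.example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_org.example_rule_server-tokens" severity="low">
    <title>Server version banner suppressed</title>
    <ident system="http://cce.mitre.org">CCE-00000-3</ident>
    <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <check-content-ref href="webserver-oval.xml" name="oval:org.example:def:3"/>
    </check>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_www01" start-time="2009-08-05T09:00:00" end-time="2009-08-05T09:01:00">
    <target>www01.example.com</target>
    <rule-result idref="xccdf_org.example_rule_tls-only"><result>pass</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_no-dir-listing"><result>fail</result></rule-result>
    <rule-result idref="xccdf_org.example_rule_server-tokens"><result>notapplicable</result></rule-result>
  </TestResult>
</Benchmark>
"""


def load_rules(benchmark):
    """Map each Rule id to its title, severity, CCE identifiers and OVAL definition refs."""
    rules = {}
    for rule in benchmark.iterfind(".//x:Rule", NS):
        rules[rule.get("id")] = {
            "title": rule.findtext("x:title", default="", namespaces=NS),
            "severity": rule.get("severity", "unknown"),
            "cce": [i.text for i in rule.findall("x:ident", NS) if i.get("system") == CCE_SYSTEM],
            "oval": [r.get("name") for r in rule.findall("x:check/x:check-content-ref", NS)],
        }
    return rules


def summarize(xml_text):
    """Return one metrics record per TestResult in the document."""
    benchmark = ET.fromstring(xml_text)
    rules = load_rules(benchmark)
    reports = []
    for tr in benchmark.iterfind("x:TestResult", NS):
        counts = Counter()
        failures = []
        for rr in tr.iterfind("x:rule-result", NS):
            outcome = rr.findtext("x:result", default="unknown", namespaces=NS)
            counts[outcome] += 1
            # fail, error and unknown all need a human to look at them.
            if outcome in ("fail", "error", "unknown"):
                rule = rules.get(rr.get("idref"), {})
                failures.append({
                    "rule": rr.get("idref"),
                    "result": outcome,
                    "title": rule.get("title", "(rule not in benchmark)"),
                    "severity": rule.get("severity", "unknown"),
                    "cce": rule.get("cce", []),
                    "oval": rule.get("oval", []),
                })
        # Simple pass ratio over rules that were actually checked; this is
        # not the XCCDF default scoring model, which weights and nests by group.
        checked = counts["pass"] + counts["fail"]
        reports.append({
            "target": tr.findtext("x:target", default="?", namespaces=NS),
            "counts": dict(counts),
            "pass_pct": round(100.0 * counts["pass"] / checked, 1) if checked else None,
            "failures": failures,
        })
    return reports


if __name__ == "__main__":
    for rep in summarize(SAMPLE):
        print("%s: %s, %s%% of checked rules pass" % (rep["target"], rep["counts"], rep["pass_pct"]))
        for f in rep["failures"]:
            print("  %-6s %-7s %s  CCE=%s OVAL=%s" % (f["result"], f["severity"], f["title"],
                                                    ",".join(f["cce"]), ",".join(f["oval"])))
```

Run against a real scanner's output, the same loop gives a per-host compliance number and a list of failing CCE identifiers that can be handed straight to the hardening-guide or patch process, which is the metric-producing role the slide wants automation to fill.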
Page 7: Scenarios: The Important First Word
• The scenarios are all conceptual
• I probably got some things wrong
• I’m really just trying to illustrate what SCAP can become at some point
Page 8: Scenario: Patch, VM, and Audit
[Diagram; the boxes and the SCAP labels shown beside them: Server Farm; Patch and VM Tools; National Vulnerability Database (CVE); XCCDF, ?RML?; Hardening Guide Writers (CCE); Compliance and Audit (XCCDF, OVAL, ?OCIL?); Scans and Management Traffic; Security Test and Evaluation Team (XCCDF, OVAL, ?OCIL?)]
Page 9: Scenario: Configuration Management
[Diagram; the boxes and the SCAP labels shown beside them: Server Farm; Configuration Management Tool; Developers (Code); CPE, CCE, XCCDF, Code; Deployment Packagers; CPE, CCE, XCCDF, Code; Development Environment; National Vulnerability Database; Patching (CPE)]
Page 10: Scenario: Vulnerability Research
[Diagram; the boxes and the SCAP labels shown beside them: National Vulnerability Database; CVE, XCCDF, ?RML?; CVE, XCCDF; Vulnerability Researcher; Patch and VM Staff; Vendor Response Center; CVE, XCCDF; CVE, XCCDF, ?RML?; Milw0rm; CVE, XCCDF]
Page 11: SCAP Weaknesses
• Certification Program too byzantine
• Users don’t understand what “Big SCAP” can do for them
• Current content not in SCAP formats
• “Squishy” for custom code vulnerabilities
• We need more content!!!
Page 12: How You Can Use SCAP
• Use the Foo, Luke—Automate wherever possible
• Work with WASC’s Threat Classification WG
• Use Common Weaknesses and Exposures for misconfigurations and coding errors
• Go to the NIST SCAP Conference in October
• Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!
Page 13: Goodies from Mitre!
• Recommendation Tracker
• Benchmark Editor
• Windows Investigator Tool (WIT)
• OVAL Interpreter
• XCCDF Content Automation Tool (XCAT)
http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools
Page 14: The Final Message
Page 15: Questions, Comments, or War Stories?
http://www.guerilla-ciso.com/ rybolov(a)ryzhe.ath.cx