security content automation protocol and web application security
DESCRIPTION
A presentation on SCAP I delivered at the August 5th OWASP DC Chapter.
TRANSCRIPT
The Security Content Automation Protocol and Web Application Security
Automatic, Practical, Good!
Who is Michael Smith?
• 8 years active duty Army
• Graduate of Russian basic course, Defense Language Institute, Monterey, CA
• DotCom survivor
• Infantryman, deployed to Afghanistan (2004)
• CISSP #50247 (2003), ISSEP (2005)
• Former CISO, Unisys Federal Service Delivery Center
• Currently a Manager in a Big Four Firm
SCAP Defined
"SCAP comprises a suite of specifications for organizing and expressing security-related information in standardized ways, as well as related reference data, such as identifiers for software flaws and security configuration issues. SCAP can be used for maintaining the security of enterprise systems, such as automatically verifying the installation of patches, checking system security configuration settings, and examining systems for signs of compromise."
-- NIST SP 800-117
So What Really is SCAP
Simple: XML Schemas that describe security
• XCCDF: The eXtensible Configuration Checklist Description Format
• OVAL: Open Vulnerability and Assessment Language
• CCE: Common Configuration Enumeration
• CPE: Common Platform Enumeration
• CVE: Common Vulnerabilities and Exposures
• CVSS: Common Vulnerability Scoring System
So What Really is SCAP
Simple: XML Schemas that describe security
• XCCDF: Audit and vulnerability checks
• OVAL: Audit description and results
• CCE: Hardening guides
• CPE: Environment descriptions
• CVE: Vulnerability disclosures
• CVSS: Impact of vulnerabilities
The “So What” Test
• Security Automation
• Autonomic Security
• Massively-scaled technical security management
• Operational Metrics
• My favorite: Replace the “checklist monkeys” with a cleverly-written shell script
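As an added example (not part of the presentation), this is the "cleverly-written script" idea applied to the SCAP formats listed above: a Python reader for an XCCDF 1.2 TestResult that turns each rule-result and its CCE identifier into the operational metrics the slide asks for. The XCCDF namespace and the CCE ident system are real; the result document, benchmark/rule ids and CCE numbers are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Real XCCDF 1.2 namespace and CCE ident system; the TestResult below is constructed, with
# placeholder benchmark/rule ids and CCE numbers.
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
CCE_SYSTEM = "http://cce.mitre.org"
NS = {"x": XCCDF_NS}

SAMPLE_RESULTS = f"""<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_webserver">
  <TestResult id="xccdf_example_testresult_run1" start-time="2009-08-05T10:00:00">
    <rule-result idref="xccdf_example_rule_tls_only" severity="high">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-00001-1</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_no_dir_listing" severity="medium">
      <result>pass</result>
      <ident system="{CCE_SYSTEM}">CCE-00002-2</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_server_tokens" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_patch_level" severity="high">
      <result>fail</result>
      <ident system="{CCE_SYSTEM}">CCE-00003-3</ident>
    </rule-result>
  </TestResult>
</Benchmark>"""

def parse_rule_results(xml_text):
    """Return (rule id, result, severity, CCE id or None) for every rule-result in the TestResult."""
    rows = []
    for rr in ET.fromstring(xml_text).iterfind(".//x:TestResult/x:rule-result", NS):
        result = rr.findtext("x:result", default="unknown", namespaces=NS)
        # A rule may carry several <ident>s (CVE, CCE, ...); keep the CCE one for the hardening guide.
        cce = next((i.text for i in rr.iterfind("x:ident", NS) if i.get("system") == CCE_SYSTEM), None)
        rows.append((rr.get("idref"), result, rr.get("severity", "unknown"), cce))
    return rows

def summarize(rows):
    """Operational metrics: result counts, pass rate over scored rules, failing CCEs by severity."""
    counts = Counter(result for _, result, _, _ in rows)
    scored = counts["pass"] + counts["fail"]  # notapplicable / notchecked are not scored
    compliance = round(100.0 * counts["pass"] / scored, 1) if scored else 0.0
    failed = {}
    for rule_id, result, severity, cce in rows:
        if result == "fail":
            failed.setdefault(severity, []).append(cce or rule_id)
    return {"counts": dict(counts), "compliance_pct": compliance, "failed_by_severity": failed}
```

Point it at a real scanner's XCCDF result file instead of SAMPLE_RESULTS and the same two functions give you pass rate and the list of failed CCEs to hand back to the hardening-guide writers.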
Scenarios: The Important First Word
• The scenarios are all conceptual
• I probably got some things wrong
• I’m really just trying to illustrate what SCAP can become at some point
Scenario: Patch, VM, and Audit
[Diagram: Server Farm; Patch and VM Tools; National Vulnerability Database (CVE, XCCDF?, RML?); Hardening Guide Writers (CCE); Compliance and Audit (XCCDF, OVAL, OCIL?); Scans and Management Traffic; Security Test and Evaluation Team (XCCDF, OVAL, OCIL?)]
Scenario: Configuration Management
[Diagram: Server Farm; Configuration Management Tool; Developers (Code); Deployment Packagers (CPE, CCE, XCCDF, Code); Development Environment (CPE, CCE, XCCDF, Code); National Vulnerability Database; Patching (CPE)]
Scenario: Vulnerability Research
[Diagram: National Vulnerability Database (CVE, XCCDF, RML?); Vulnerability Researcher; Patch and VM Staff; Vendor Response Center; Milw0rm; CVE and XCCDF (RML?) content exchanged among them]
SCAP Weaknesses
• Certification Program too byzantine
• Users don’t understand what “Big SCAP” can do for them
• Current content not in SCAP formats
• “Squishy” for custom code vulnerabilities
• We need more content!!!
How You Can Use SCAP
• Use the Foo, Luke—Automate wherever possible
• Work with WASC’s Threat Classification WG
• Use Common Weaknesses and Exposures for misconfigurations and coding errors
• Go to the NIST SCAP Conference in October
• Write SCAP Content, Write SCAP Content, Write SCAP Content, Write SCAP Content!
Goodies from Mitre!
• Recommendation Tracker
• Benchmark Editor
• Windows Investigator Tool (WIT)
• OVAL Interpreter
• XCCDF Content Automation Tool (XCAT)
http://benchmarkdevelopment.mitre.org/standards_tools/stnds-tools.html#tools
The Final Message
Questions, Comments, or War Stories?
http://www.guerilla-ciso.com/
rybolov(a)ryzhe.ath.cx