The Security Content Automation Protocol (SCAP) is a specification established by the U.S. National Institute of Standards and Technology (NIST) for expressing and manipulating security data in standardized ways. Currently, SCAP can enumerate product names and vulnerabilities (both software flaws and configuration issues); identify the presence of vulnerabilities; and assign severity scores to software flaw vulnerabilities.
SAINT includes SCAP-supported FDCC, USGCB and DISA configuration policies.
SAINT Support for SCAP
In 2011, SAINTscanner became the first product to receive validation by NIST for the U.S. Government Configuration Baseline (USGCB). SAINT is also validated under SCAP as an Authenticated Vulnerability and Patch Scanner, Unauthenticated Vulnerability Scanner, Federal Desktop Core Configuration (FDCC) Scanner, and Authenticated Configuration Scanner. SAINT also supports the new Cyberscope report format, and offers a SAINT-specific Executive Report showing system pass/fail results for selected configuration policies. Additionally, SAINT provides a Policy Editor with which customers can edit configuration policies and save the customized policy for local requirements. SAINT also supports the open standards languages, enumerations and metrics applicable to both ‘unauthenticated’ and ‘authenticated’ scanners: OVAL, XCCDF, CPE, CVE, CCE and CVSS, as described below. SAINT provides pre-defined analysis and reporting capabilities that include these enumerations and metrics, as well as over 150 customizable report features for user-defined reporting.
- Open Vulnerability and Assessment Language (OVAL®) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. SAINT supports the OVAL® Adoption Program as a Vulnerability Scanner, and provides the capabilities of both a Definition Evaluator and a System Characteristics Producer.
- XCCDF (Extensible Configuration Checklist Description Format) is a specification language, defined by NIST, for writing security checklists, benchmarks, and related documents. Security checklists (benchmarks) can be downloaded from http://scap.nist.gov/content; these data streams can then be loaded into SAINT to run an XCCDF scan.
- Common Platform Enumeration (CPE™) is a structured naming scheme for information technology systems, software, and packages.
- Common Vulnerabilities and Exposures (CVE®) is a dictionary of publicly known information security vulnerabilities and other information security exposures.
- Common Vulnerability Scoring System (CVSS) is a vulnerability scoring system designed to provide an open and standardized method for rating information technology vulnerabilities, and a framework for communicating their characteristics and impacts.
- Common Configuration Enumeration (CCE™) provides unique identifiers for system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.
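The pass/fail view a configuration scanner produces from an XCCDF run is easy to reconstruct from the standard's own result format. The following Python is an added example, not SAINT's code or NIST content: it parses a constructed XCCDF 1.2 TestResult (embedded inline, with placeholder rule and CCE identifiers), splits the target's CPE 2.3 name into its components, groups the XCCDF result values the way a pass/fail report would, and lists the failing rules with their CCE identifiers. The benchmark, rule and CCE values in the sample are constructed placeholders, not real checklist content.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}

# XCCDF 1.2 defines these rule-result values. For a pass/fail report,
# "pass" and "fixed" count as compliant; "fail", "error" and "unknown"
# count as non-compliant; notapplicable, notchecked, notselected and
# informational are excluded from the score.
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}

# Constructed sample TestResult (not real scanner output). Rule ids and
# CCE identifiers are placeholders.
SAMPLE_RESULTS = """
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" end-time="2024-01-01T00:00:00">
    <target>host-a.example</target>
    <platform idref="cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"/>
    <rule-result idref="xccdf_example_rule_min_pw_len" severity="medium">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00000-1</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_firewall_on" severity="high">
      <result>fail</result>
      <ident system="http://cce.mitre.org">CCE-00000-2</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ipv6_disabled" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_logon" severity="medium">
      <result>pass</result>
      <ident system="http://cce.mitre.org">CCE-00000-3</ident>
    </rule-result>
    <rule-result idref="xccdf_example_rule_smb_signing" severity="high">
      <result>error</result>
      <ident system="http://cce.mitre.org">CCE-00000-4</ident>
    </rule-result>
    <score system="urn:xccdf:scoring:flat">2</score>
  </TestResult>
</Benchmark>
"""

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 11 named components.

    Colons inside a component are escaped as '\\:' in CPE 2.3, so split
    only on unescaped colons. '*' means ANY and '-' means NA.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, fields[2:]))


def summarize(xml_text):
    """Return a pass/fail summary for the first TestResult in an XCCDF document."""
    root = ET.fromstring(xml_text)
    tr = root.find("x:TestResult", NS)
    platform = tr.find("x:platform", NS)
    counts = Counter()
    failures = []
    for rr in tr.findall("x:rule-result", NS):
        result = rr.findtext("x:result", namespaces=NS).strip()
        counts[result] += 1
        if result in FAILING:
            failures.append({
                "rule": rr.get("idref"),
                "severity": rr.get("severity", "unknown"),
                "result": result,
                "idents": [i.text for i in rr.findall("x:ident", NS)],
            })
    passed = sum(counts[r] for r in PASSING)
    scored = passed + sum(counts[r] for r in FAILING)
    return {
        "target": tr.findtext("x:target", namespaces=NS),
        "platform": parse_cpe23(platform.get("idref")) if platform is not None else None,
        "counts": dict(counts),
        "passed": passed,
        "scored": scored,
        "compliance_pct": round(100.0 * passed / scored, 1) if scored else None,
        "status": "FAIL" if failures else "PASS",
        "failures": failures,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_RESULTS)
    p = s["platform"]
    print("%s (%s %s %s): %s, %d/%d scored rules pass (%.1f%%)" % (
        s["target"], p["vendor"], p["product"], p["update"],
        s["status"], s["passed"], s["scored"], s["compliance_pct"]))
    for f in s["failures"]:
        print("  %-6s %-8s %s %s" % (f["severity"], f["result"], f["rule"], ",".join(f["idents"])))
```

The split between PASSING, FAILING and excluded values is the point to get right: "notapplicable" and "notselected" rules must not drag a compliance percentage down, while "error" and "unknown" must not be silently counted as passes.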
SAINT supports FDCC and USGCB checklist policies* provided by NIST that are SCAP validated:
- FDCC – Windows XP
- FDCC – Windows XP Firewall
- FDCC – Windows Vista
- FDCC – Windows Vista Firewall
- FDCC – IE 7
- USGCB – Windows 7
- USGCB – Windows 7 Firewall
- USGCB – IE 8
- DISA – MS Access 2007
- DISA – MS Excel 2007
- DISA – MS InfoPath 2007
- DISA – MS Office System 2007
- DISA – MS Outlook 2007
- DISA – MS PowerPoint 2007
- DISA – MS Visio 2007
- DISA – MS Word 2007
SAINT also provides coverage for over 15 platforms and 9500+ checks from MITRE’s OVAL Repository.