SAINT is a NIST-Validated SCAP Solution

The Security Content Automation Protocol (SCAP) is a specification established by the U.S. National Institute of Standards and Technology (NIST) for expressing and manipulating security data in standardized ways. Currently, SCAP can enumerate product names and vulnerabilities (both software flaws and configuration issues); identify the presence of vulnerabilities; and assign severity scores to software flaw vulnerabilities. (See NIST SCAP validation.)

Benefits of SAINT

  • SCAP support for FDCC, USGCB and DISA policies
  • Agentless scanning
  • Access to over 20,000 definitive checks from MITRE's OVAL repository
  • Output can be used in SAINT 8’s custom report capability, including charts, graphs and tables
  • SAINT has been a leader and “first to market” in a number of SCAP initiatives over the years, and remains focused on delivering innovative, value-added solutions
  • SAINT solutions are kept up-to-date with changing threats and standards

SAINTscanner was the first product to receive validation by NIST for the U.S. Government Configuration Baseline (USGCB).

SAINT is currently in recertification testing for validation under SCAP v1.2 standards. SAINTscanner was previously validated under SCAP v1.0 for the following components:

  • Authenticated Vulnerability and Patch Scanner
  • Unauthenticated Vulnerability Scanner
  • Federal Desktop Core Configuration (FDCC) Scanner
  • Authenticated Configuration Scanner

How SAINT Supports SCAP

SAINT offers all assessment and reporting capabilities compliant with SCAP version 1.2, as an Authenticated Configuration Scanner (ACS), including Common Vulnerabilities and Exposures (CVE) for content published at Tier III and the OVAL repository for each of the six mandated platforms:

  • Microsoft Windows XP Professional with Service Pack 3
  • Microsoft Windows Vista with Service Pack 2
  • Microsoft Windows 7, 32- and 64-bit
  • Red Hat Enterprise Linux 5 Desktop, 32- and 64-bit

SAINT also extends customer value well beyond the six mandated platforms, offering assessment capabilities for many other platforms critical to today’s infrastructure, such as:

  • Windows 7, 8, 2008 R2, 2012 R2
  • Ubuntu, SUSE Linux
  • Red Hat
  • Cisco
  • Mac OS X
  • IBM AIX
  • Cisco IOS and Cisco PIX
  • and many others…


The SCAP v1.2 capabilities include the following components:


Open Vulnerability and Assessment Language (OVAL®) is an international information security standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. SAINT provides support to the OVAL® Adoption Program as a Vulnerability Scanner, and provides the capabilities as both a Definition Evaluator and a System Characteristics Producer.

XCCDF

XCCDF (Extensible Configuration Checklist Description Format) is a specification language, defined by NIST, for writing security checklists, benchmarks, and related types of documents. Security checklists (or benchmarks) can be downloaded from http://scap.nist.gov/content; these data streams can then be imported into SAINT to run an XCCDF scan.

CPE


Common Platform Enumeration (CPE™) is a structured naming scheme for information technology systems, software, and packages.

CVE


Common Vulnerabilities and Exposures (CVE®) is a dictionary of publicly known information security vulnerabilities and other information security exposures.

CVSS


Common Vulnerability Scoring System (CVSS) is an open, standardized framework for rating information technology vulnerabilities and for communicating their characteristics and impacts.

CCE

Common Configuration Enumeration (CCE™) provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools.


Asset Identification (AI) is a format for uniquely identifying assets based on known identifiers and/or known information about the assets. The SCAP specification describes the purpose of asset identification, a data model for identifying assets, methods for identifying assets, and guidance on how to use asset identification. It also identifies a number of known use cases for asset identification.


Asset Reporting Format (ARF) defines the transport format for information about assets and the relationships between assets and reports. The SCAP specification prescribes the standardized data model to facilitate the reporting, correlating and fusing of asset information throughout and between organizations.


Trust Model for Security Automation Data (TMSAD) is a specification for using digital signatures in a common trust model applied to other security automation specifications. The SCAP specification prescribes the standardized data model for establishing trust for security automation data.