SCAP Standard Benefits Both Government and Commercial Space
The Security Content Automation Protocol (SCAP) defines open, standardized methods for measuring, remediating, and continuously monitoring adherence to security policies and approved configurations. Because the content and results are expressed in common formats rather than vendor-specific ones, products from different vendors can work together to automate the whole vulnerability management lifecycle: vulnerability scanning; patch management and remediation; and changing security settings to comply with the various security regulations and policies an organization is subject to.
While SCAP began as a U.S. government multi-agency initiative to help government agencies meet regulatory requirements such as FISMA and FDCC, the gains in operational efficiency and cost savings can also provide substantial benefits for the commercial sector.
Growth and Success of SCAP
Several factors are driving the success of SCAP: government mandates that created demand; the use of open and widely accepted standards, such as OVAL (Open Vulnerability and Assessment Language); vendor neutrality; a third-party certification program; and substantial cost savings for commercial enterprises. We expect the major security vendors to adopt SCAP quickly. This has already started with vendors catering to government agencies.
Multi Product Collaboration
The real power of SCAP is that an SCAP-compliant product like Shavlik NetChk can read the results produced by other SCAP-compliant products and use them to drive NetChk's actions. Likewise, any SCAP-compliant product can read NetChk's output to drive its own process. For example, a third-party vulnerability scanner can team with Shavlik's products to provide remediation. Conversely, a reporting product can consume SCAP output from NetChk to generate reports covering scanning, remediation, and configuration settings. Customers can buy the best-of-breed solution for each task and know that it will work with the other SCAP-compliant products they run.
SCAP and FDCC Compliance
FDCC is an example of how the SCAP protocols are being leveraged today. The U.S. government has mandated that all cabinet-level agencies deploy a single Federal Desktop Core Configuration (FDCC). FDCC scanners identify non-compliant systems, but they do not offer a way to automatically bring those systems into compliance. By leveraging SCAP compatibility, however, products like Shavlik NetChk can import standards-based compliance and configuration content, such as the settings defined by FDCC, and automatically deploy fixes to bring errant systems into compliance. Other analysis tools can in turn accept the SCAP-standard output of Shavlik NetChk assessment and remediation scans to generate full-view reports.
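The interoperability described in the two sections above rests on every product reading the same result format: an SCAP scanner writes its findings as an XCCDF TestResult, and a remediation or reporting product parses that document instead of a proprietary one. The script below is an added example, not code from Shavlik, NIST, or any FDCC scanner; the XCCDF 1.1 result document, its host name, and its rule identifiers are constructed here for illustration and do not correspond to real FDCC rules. It extracts the failed rules (what a remediation tool would act on) and a pass/fail tally (what a reporting tool would chart).

```python
"""Consume an XCCDF 1.1 TestResult, the per-host result document SCAP
scanners emit, the way a downstream remediation or reporting product would.
Added example; the sample document below is constructed, not scanner output."""
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.1 namespace, the version in use for FDCC-era content.
XCCDF_NS_URI = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS_URI}

# Constructed sample: one TestResult for one host. Rule ids are hypothetical.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="constructed-benchmark">
  <TestResult id="constructed-result-1" end-time="2008-10-01T12:00:00">
    <target>host1.example.internal</target>
    <rule-result idref="constructed-rule-password-length"><result>fail</result></rule-result>
    <rule-result idref="constructed-rule-audit-logon"><result>pass</result></rule-result>
    <rule-result idref="constructed-rule-bitlocker"><result>notapplicable</result></rule-result>
    <rule-result idref="constructed-rule-firewall-on"><result>fail</result></rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
  </TestResult>
</Benchmark>"""


def parse_results(xml_text):
    """Return (target, {rule_id: result}) for the first TestResult found.

    The document comes from another vendor's tool, so treat it as untrusted
    input. The stdlib expat-based parser does not fetch external entities,
    but for a production importer prefer a hardened parser such as defusedxml.
    """
    root = ET.fromstring(xml_text)
    # A result file may be a whole Benchmark or a stand-alone TestResult.
    if root.tag == "{%s}TestResult" % XCCDF_NS_URI:
        test_result = root
    else:
        test_result = root.find("x:TestResult", NS)
    if test_result is None:
        raise ValueError("no XCCDF TestResult element in document")

    target = test_result.findtext("x:target", default="", namespaces=NS).strip()
    results = {}
    for rule_result in test_result.findall("x:rule-result", NS):
        rule_id = rule_result.get("idref")
        outcome = rule_result.findtext("x:result", default="unknown", namespaces=NS)
        results[rule_id] = outcome.strip()
    return target, results


def failed_rules(xml_text):
    """Rule ids with result 'fail': the work list for a remediation product."""
    _, results = parse_results(xml_text)
    return sorted(rule for rule, outcome in results.items() if outcome == "fail")


def summarize(xml_text):
    """Count of each result value: the input for a compliance report."""
    _, results = parse_results(xml_text)
    return dict(Counter(results.values()))


if __name__ == "__main__":
    host, _ = parse_results(SAMPLE_RESULT)
    print("target:", host)
    print("summary:", summarize(SAMPLE_RESULT))
    for rule in failed_rules(SAMPLE_RESULT):
        print("needs remediation:", rule)
```

Only the `fail` outcomes are handed to remediation; `notapplicable`, `notchecked`, and `error` are reported separately rather than treated as passes, since a rule that was never evaluated says nothing about the host's configuration.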
Commercial Benefits Too
The commercial sector also stands to gain from SCAP standardization. First, enterprises are not dependent on a single vendor. Second, they can achieve operational efficiency by using best-of-breed products that all work from a single, well-defined security policy extending across the entire organization. Finally, costs are reduced, because there are fewer configurations to maintain and test when deploying new software or patching critical applications. By mid-2009 I expect to see a large number of products targeting the commercial sector.
About Mark Shavlik
Mark Shavlik founded Shavlik Technologies in 1993 to offer a unique, market-driven approach to security application design and development. Mark has over 20 years' experience in successfully identifying market needs and building, marketing, and selling innovative products and solutions. He served as a senior systems designer and Windows NT kernel development project leader in the Microsoft Systems group, and was an original member of the Windows NT development team under David Cutler.