Four new reports update Security Content Automation Protocol

Date: September 14, 2011

Source: National Institute of Standards and Technology (NIST)

Summary: The U.S. National Institute of Standards and Technology (NIST) has released four new publications that detail specifications to be used by the latest version of the Security Content Automation Protocol for managing IT security in large organizations.

Bringing order and security to the patchwork quilt of computing environments in a large organization can be a daunting task. Software tools and technical specifications that allow security information to be shared between information systems -- the Security Content Automation Protocol (SCAP) -- can save time and improve security. The National Institute of Standards and Technology (NIST) recently released four new publications that detail specifications to be used by the latest version of SCAP.

"A primary goal of automated security in a large organization's computer environment is to make sure everything is configured securely as required by management, and that all patches are applied to eliminate known vulnerabilities," said computer scientist David Waltermire. SCAP-enabled tools can scan computer systems to reveal software vulnerabilities and security configuration problems to be corrected.

SCAP relies on a fundamental component called Common Platform Enumeration (CPE), which is a standardized method of describing and identifying classes of applications, operating systems and hardware devices in an organization's computer systems. A new version of CPE has been released -- version 2.3 -- and the four new NIST Interagency Reports (NISTIRs) provide specifications for this version, which will be used with the new SCAP version.

For SCAP to work, CPE needs to give each type of product a single unique name. Without CPE, different terms, such as "Windows XP" and "Win XP," are typically used to refer to a single type of product, which can cause confusion and waste resources. CPE provides a single standardized unique name that covers all of these variants. NISTIR 7695 defines and explains the naming specification for CPE version 2.3.

Once a unique name is defined, CPE needs to compare names to determine whether they refer to some or all of the same products or platforms. For example, a product may have a unique name, but as in the Windows XP example, there may be subsets such as "Service Pack 1" or "Service Pack 2" that may further distinguish types of products. NISTIR 7696 provides the CPE name matching specification, which defines procedures for comparing two CPE names.

A dictionary specification for CPE is defined in NISTIR 7697, which includes the semantics of its data model and the rules associated with the CPE dictionary creation and management. NIST hosts the official CPE dictionary at http://nvd.nist.gov/cpe.cfm so organizations can search for and find identifier names.

With the naming, name matching and dictionary specifications defined, researchers moved to language specifications. NISTIR 7698 provides the applicability language specification, which allows construction of logical expressions built from CPE names. These expressions can be used by SCAP to identify more complex vulnerability and configuration situations, such as a problem that only exists when two applications are running together or when an application is running on particular computing platforms. A real-life example is writing an applicability language expression that tells SCAP to search for situations in which Adobe Flash Player version 10.3 or earlier is running on Mac OS X, Linux, Sun Solaris or Microsoft Windows.
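The name matching and applicability ideas described above can be sketched in a few lines of Python. This is an added example, not code from NIST or from the NISTIRs: the comparison is a simplification of the NISTIR 7696 procedure, the `cpe()` helper is hypothetical, and every product name, version and host inventory is constructed for illustration rather than taken from the official dictionary.

```python
# Added example: simplified CPE 2.3 matching and applicability evaluation.
FIELDS = ("part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe(fs):
    """Split a CPE 2.3 formatted string into its 11 named attributes."""
    parts = fs.split(":")  # the constructed samples contain no escaped colons
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {fs!r}")
    return dict(zip(FIELDS, (p.lower() for p in parts[2:])))

def name_matches(source, target):
    """True if every source attribute is ANY ('*') or equals the target's.

    Assumption: a simplification of the NISTIR 7696 comparison; no partial
    wildcards, and the target is a concrete inventory entry.
    """
    s, t = parse_cpe(source), parse_cpe(target)
    return all(s[f] == "*" or s[f] == t[f] for f in FIELDS)

def applies(expr, inventory):
    """Evaluate a nested (operator, [children]) test; leaves are CPE names."""
    if isinstance(expr, str):
        return any(name_matches(expr, item) for item in inventory)
    op, children = expr
    results = [applies(child, inventory) for child in children]
    return all(results) if op == "AND" else any(results)

def cpe(part, vendor, product, version="*", update="*"):
    """Hypothetical helper: build a formatted string, other attributes ANY."""
    return ":".join(["cpe", "2.3", part, vendor, product, version, update] + ["*"] * 6)

# Constructed names and versions for illustration, not taken from the dictionary.
FLASH_ON_DESKTOP_OS = ("AND", [
    ("OR", [cpe("a", "adobe", "flash_player", v) for v in ("10.1", "10.2", "10.3")]),
    ("OR", [cpe("o", "microsoft", "windows_xp"), cpe("o", "apple", "mac_os_x"),
            cpe("o", "linux", "linux_kernel"), cpe("o", "sun", "solaris")]),
])

# Constructed host inventories.
HOSTS = {
    "xp-sp2-old-flash": [cpe("a", "adobe", "flash_player", "10.2"),
                         cpe("o", "microsoft", "windows_xp", "-", "sp2")],
    "mac-new-flash": [cpe("a", "adobe", "flash_player", "11.0"),
                      cpe("o", "apple", "mac_os_x", "10.7")],
    "bsd-old-flash": [cpe("a", "adobe", "flash_player", "10.3"),
                      cpe("o", "freebsd", "freebsd", "8.2")],
}

def affected_hosts():
    return sorted(h for h, inv in HOSTS.items() if applies(FLASH_ON_DESKTOP_OS, inv))
```

Only the host that has both an affected Flash version and one of the listed operating systems is reported; a name with ANY in its update attribute covers the "Service Pack 2" entry, while the reverse comparison does not hold.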

A new publication announcing SCAP Version 1.2 is expected to be published soon. For more information on SCAP and other security automation projects, see scap.nist.gov.


Story Source:

The above story is based on materials provided by National Institute of Standards and Technology (NIST). Note: Materials may be edited for content and length.


Cite This Page:

National Institute of Standards and Technology (NIST). "Four new reports update Security Content Automation Protocol." ScienceDaily. ScienceDaily, 14 September 2011. <www.sciencedaily.com/releases/2011/09/110914100548.htm>.