SCAP - Security Content Automation Protocol
SCAP, pronounced “S-CAP”, is a synthesis of interoperable specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
In other words, SCAP is a vendor-neutral way of expressing security policy. As such, it enjoys significant adoption in modern enterprises. SCAP specifications create an ecosystem where the format of security content is well known and standardized, while the implementation of the scanner or policy editor is not mandated. This lets organizations build their security policy (SCAP content) once, no matter how many security vendors they employ.
Look, it is easy. SCAP is just a group of XML-based declarative languages that describe the desired state of an audited host. SCAP has its limitations in modern cloud environments: it won't audit your AWS account or assess the Kubernetes API. Yet it is the most mature standard for assessing a single host, and there are plenty of these XML policies available for anyone to use.
There is nothing easier than grabbing a SCAP scanner and a SCAP policy and running an audit of your host system right now.
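What a scanner hands back after such an audit is itself SCAP content: an XCCDF TestResult listing one rule-result per checked rule. The following is an added example (not code from the article or from any SCAP project) that parses such a result document and lists the rules a host failed; the TestResult below is constructed for illustration, and the rule identifiers in it are made up.

```python
"""Summarise an XCCDF 1.2 TestResult, the document a SCAP scanner writes
after auditing a host. Added example; the sample document is constructed."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: three rule results as a scanner would emit them.
# Rule ids are hypothetical; real ones follow the same xccdf_<ns>_rule_<name> shape.
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_demo">
  <rule-result idref="xccdf_example_rule_sshd_permit_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_password_max_days" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
"""

# Statuses that mean the host did not demonstrably meet the rule.
NONCOMPLIANT = {"fail", "error", "unknown"}


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples from every rule-result element.
    iter() is used so the code works whether TestResult is the document root
    or nested inside a Benchmark, as real result files usually are."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res_el = rr.find(f"{{{XCCDF_NS}}}result")
        result = res_el.text.strip() if res_el is not None and res_el.text else "unknown"
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Count rule results by status (pass, fail, notapplicable, ...)."""
    return Counter(result for _, _, result in rows)


def failing_rules(rows):
    """Rules needing remediation, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    failed = [(rid, sev) for rid, sev, res in rows if res in NONCOMPLIANT]
    return sorted(failed, key=lambda r: order.get(r[1], 3))


if __name__ == "__main__":
    rows = parse_rule_results(SAMPLE_RESULTS)
    print(dict(summarize(rows)))
    for rule_id, severity in failing_rules(rows):
        print(f"{severity:6} {rule_id}")
```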
SCAP Components
In its first version, SCAP encompassed six underlying standards; the others were added in later versions. The following diagram visualizes the relationships between the major SCAP components.
SCAP Adoption
According to the National Institute of Standards and Technology (NIST) Special Publication 800-126r2, "SCAP has achieved widespread adoption by major software and hardware manufacturers and has become a significant component of large information security management and governance programs". This statement is well documented by the number of products that process SCAP and the number of policies publicly available.
SCAP v2
Almost everything ever written about SCAP relates to SCAP 1.x. However, there is a decade-long effort to create a follow-up standard called SCAP v2.
The effort started with the announcement of SACM (Security Automation and Continuous Monitoring), continued with SCAPv2 attempts (ROLIE, Resource-Oriented Lightweight Information Exchange; SWID, Software Identification Tagging; etc.) and is nowadays mostly concerned with OSCAL, the Open Security Controls Assessment Language. However, the efforts have not yet concluded. To learn more about the motivations for SCAP v2 and the limitations of SCAP v1, refer to Chapter 2, Gaps in SCAP v1, of NIST.CSWP.7, Transitioning to the SCAP Version 2.
Key Online Resources
- Security Content Automation Protocol, Project Homepage [Online, 2024-04-03]
- NIST SP 800-126 Rev. 3, SCAP 1.3 Definition, [Published: February 2017]
- NIST.CSWP.7, Transitioning to the Security Content Automation Protocol (SCAP) Version 2 [Published: September 2018]
This article is a stub.