Standards

There is pleothora of standards in the domain of security compliance.

• SCAP - Security Content Automation Protocol - A multi-purpose framework of specifications that supports automated configuration, vulnerability and patch checking, technical control compliance activities, and security measurement.
  • XCCDF - Extensible Configuration Checklist Description Format - The language is used to describe the security checklists. The language is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.
  • OVAL - Open Vulnerability and Assessment Language - OVAL is declarative language for making logical assertions about the state of system. It is main component of the SCAP standard. It is used to describe security vulnerabilities or desired configuration of systems. OVAL definitions define a secure state of some objects in a computer, for example configuration files, file permissions, processes. OVAL definitions are evaluated using an interpreter called scanner.
  • ROLIE - Resource-Oriented Lightweight Information Exchange - A profile of XML/ATOM to for an SCAP Content Repository that allows security automation content to be discovered, syndicated, and exchanged
  • OCIL - Open Checklist Interactive Language - The language for representing checks that collect information from people or from existing data stores made by other data collection efforts.
• OSCAL - Open Security Controls Assessment Language - High-level yet detailed framework for defining catalogs, baselines, system security plans, results and follow-ups.
• SACM - Security Automation and Continuous Monitoring - Work Group under IETF attempting to formalize asset life-cycle management and software identification.
• Software Identification - Software Identification, Package Enumeration and the Bill of Materials
• VEX - Vulnerability Exploitability eXchange - Security Advisory File Format