Save a Kitten, Write SCAP Content

Posted August 7th, 2009 by

Apparently I’m the Internet’s SCAP Evangelist according to Ed Bellis, so at this point all I can do is shrug and say “OK, I’ll teach people about SCAP”.

Right now there is a “pretty OK” framework for SCAP.  That is, we have published standards, and there are some SCAP-certified tools out there to do patch and vulnerability management.

What’s missing right now is SCAP content.  I don’t think this is going to get solved en masse; it’s more like there needs to be an awareness campaign directed at end-users, vulnerability researchers, and people who write small-ish tools.

So I sat around at home trying to figure out how to get people to use/write more SCAP content and finally settled on “Every time you use SCAP content, a kitten runs free”.

Anyway, this is a presentation I gave at my local OWASP chapter.

Posted in NIST, Speaking, Technical | 4 Comments

4 Responses

  1.  Vlad Says:

    Content is not good enough. It needs to be official content. I am happy to say that we are working towards official Red Hat Enterprise Linux (RHEL) 5 content. We are also working towards official Firefox content.

    Next may come some Mac and Solaris content. We need customers like yourself to ask for content and we would prefer writing content with the help of the OS or application vendors.

    DISA is moving in the direction of producing XCCDF and OVAL instead of STIGs. I am not part of DISA but I hope to help them develop content. If you have hardening guides, I may be able to help you too…

  2.  SCAP Insider Says:

    I just looked over your slides and wanted to clarify something.

    What is SCAP really?

    FDCC! There is no other content that anyone would use except maybe the Red Hat errata which is just OVAL. Of course FDCC is a protected brand now that OMB and NIST do not want to dilute. Other guidance will be called Defense Configuration Baselines.

  3.  Anonymous But You Know Me Says:

    Weakness: OVAL is mandated and [some say] OVAL is not very efficient across a large number of systems…

  4.  The SCAP Realist Says:

    For those following closely, SCAP is but one small part of the overall specifications-based Security Automation agenda.

    Although SCAP Insider states that “SCAP is really FDCC!” the SCAP Insider might want to take a closer look “inside” to see all of the data that is being expressed, tagged, and measured as a function of SCAP specifications during regular computing operations. While it is true that FDCC popularized SCAP, the security automation agenda includes many more specifications and protocols whereas FDCC/SCAP was the most public of many use cases.

    Just a hunch, but in following some of the trends and talks, FY10 promises to see specifications for network events, enterprise transactions, assets, remediation, etc. See a talk I recently attended provided by NIST at the 2009 Federal Identity Management and Cybersecurity Conference (

    Adopt SCAP and save a kitten? Perhaps. Adopt SCAP? You are late to the game (but better late than never). Getting on the security automation train? You are right on time.
