Apparently I’m the Internet’s SCAP Evangelist according to Ed Bellis, so at this point all I can do is shrug and say “OK, I’ll teach people about SCAP”.
Right now there is a “pretty OK” framework for SCAP, i.e., we have published standards, and there are some SCAP-certified tools out there to do patch and vulnerability management.
What’s missing right now is SCAP content. I don’t think this is going to get solved en masse; it’s more like there needs to be an awareness campaign directed at end-users, vulnerability researchers, and people who write small-ish tools.
So I sat around at home trying to figure out how to get people to use/write more SCAP content and finally settled on “Every time you use SCAP content, a kitten runs free”.
Anyway, this is a presentation I gave at my local OWASP chapter.