I was attending a conference at NIST (the National Institute of Standards) concerning the SCAP program (Security Content Automation Protocol; pronounced ESS-cap). SCAP is focused on providing the Federal government with automated, common, interoperable security solutions. Specifically the SCAP program has developed a common set of standards for reporting security vulnerabilities for use in automated security scanners, security appliances and reporting systems.
Well, why do we need SCAP? Take the Godfather of all vulnerability management tools, the NESSUS vulnerability scanner, as an example: industry has since produced a number of similar products, each with its own strengths and rich feature set. However, none of them use the same “language” for detecting, describing or reporting a potential vulnerability. This means not only that these products can be made to work with each other only with some measure of difficulty, but also that aggregating and managing the reports they produce can be tedious.
As a result of these efforts and the vision of the dedicated employees at NIST, industry is already scrambling to get its related products SCAP certified. Federal agencies are also specifying in contracts that products must be SCAP certified in order to qualify for purchase. This is real progress and great news for the taxpayer, who will get better value for their tax dollar. But it is not a revolution — yet. Where I see the revolution emerging is in the six-month to one-year time frame, when industry takes note of the SCAP program and we begin to see SCAP certified and SCAP interoperable products being ordered. It will not be long after that before we may see the SCAP protocol used even in consumer-level products like personal firewalls. Giving us all a common language will significantly reduce the cost of building and supporting vulnerability scanners and vulnerability reporting tools. That cost reduction will free up resources to address prevention and mitigation in a more meaningful manner.
For example, industry has tools that enable network and security support professionals to detect a misconfiguration on a desktop machine in their network and correct it. But only the largest and best-funded IT security departments have such tools. With the advent of SCAP, these kinds of services will be much more affordable and supportable, and thus more common. In fact, because much of this can be automated, I can even envision McAfee, Symantec, and others who are well placed in the vulnerability scanning market offering support services over the wire to smaller businesses and to consumers. Moreover, as this technology improves and becomes commoditized, I can see ISPs offering security scanning and remediation as a service to their customers.