Ed Bellis’s Little SCAP Project

Posted March 19th, 2009 by

So way back in the halcyon days of 2008, Dan Philpott, Chris Burton, Ian Charters, and I went to the NIST SCAP Conference. By a strange coincidence, Ed Bellis threw out a tweet along the lines of “wow, I wish there was a way to import and export all this vulnerability data” and I replied with “Um, you mean like SCAP?”

Fast forward six months. Ed Bellis has been busy. He delivered this presentation at SnowFROC 2009 in Denver:

So some ideas I have about what Ed is doing:

#1 This vulnerability correlation and automation should be part of vulnerability assessment (VA) products. In fact, most VA products include some kind of ticketing and workflow nowadays if you buy the “enterprise edition”. That’s nice, but…

#2 The VA industry is a broken market when it comes to workflow compatibility. Every vendor wants to sell you *their* product as the authoritative manager. That’s cool and all, but what I really need is connectors to your competitors’ products so that I can have one database of vulnerabilities, one set of charts to show my auditors, and one trouble ticket system. SCAP helps here, but only for static, bulk data transfers, and that gets ugly really quickly.

#3 Ed’s correlation and automation software is a perfect community project because it’s a conflict of interest for any VA vendor to write it themselves. And to be honest, I wouldn’t be surprised if a dozen skunkworks projects turn up that people will admit to creating only in the comments section of this post. I remember five years ago trying to hack together some Perl to take the output from the DISA SRR scripts and aggregate it into a .csv.

#4 The web application security world needs to adopt SCAP. So far it’s been only the OS and shrinkwrapped application vendors and the whole race between detection and patching. The interesting part to me is that the market is built around tying vulnerabilities to specific versions of software and a patch, whereas in the web application world it’s more a matter of one-off misconfigurations and coding errors. That takes a bit of a mind shift in the vulnerability world, but that’s OK in my book.
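To make #2 and #4 concrete, here is a small correlator, added as an example here and not code from the original post or from Ed’s project. It ingests two constructed reports for the same hosts: an XCCDF-style TestResult from a SCAP-capable scanner and a flat CSV export from a second, non-SCAP scanner. Findings that carry a CVE identifier merge into one record per host regardless of which scanner saw them; findings that only carry a scanner-specific rule id (the misconfiguration-style results #4 is about) cannot be matched across tools and stay as separate records. The host names, scanner names (“scannerA”, “scannerB”), rule ids and the CVE-0000-xxxx ids are all placeholders.

```python
"""Correlate findings from two vulnerability scanners into one table.

Added example; not code from the original post or from Ed Bellis's project.
Both reports below are constructed sample data with placeholder CVE ids.
"""
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}  # XCCDF 1.1 namespace
CVE_SYSTEM = "http://cve.mitre.org"                        # ident system for CVE ids


@dataclass(frozen=True)
class Finding:
    source: str  # scanner that reported it
    host: str
    key: str     # CVE id when one exists, else "<source>:<scanner rule id>"
    title: str


def parse_xccdf_results(xml_text, source):
    """Extract failed rule-results from an XCCDF TestResult (SCAP checklist output)."""
    root = ET.fromstring(xml_text)
    host = root.findtext("x:target", namespaces=XCCDF_NS)
    findings = []
    for rr in root.findall("x:rule-result", XCCDF_NS):
        if rr.findtext("x:result", namespaces=XCCDF_NS) != "fail":
            continue  # only failures become vulnerability records
        rule_id = rr.get("idref")
        cves = [i.text.strip() for i in rr.findall("x:ident", XCCDF_NS)
                if i.get("system") == CVE_SYSTEM]
        # A CVE is a shared identifier every scanner understands; a bare rule id is not.
        key = cves[0] if cves else f"{source}:{rule_id}"
        findings.append(Finding(source, host, key, rule_id))
    return findings


def parse_csv_report(csv_text, source):
    """Extract findings from a flat per-host CSV export (the non-SCAP scanner)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row["cve"].strip() or f"{source}:{row['plugin']}"
        findings.append(Finding(source, row["host"].strip(), key, row["name"]))
    return findings


def correlate(findings):
    """One record per (host, key); the value is the sorted list of scanners that reported it."""
    table = defaultdict(set)
    for f in findings:
        table[(f.host, f.key)].add(f.source)
    return {k: sorted(v) for k, v in table.items()}


def uncorrelated(table):
    """Records seen by a single scanner that lack a CVE: no shared identifier, so no cross-tool match."""
    return sorted(k for k, sources in table.items()
                  if len(sources) == 1 and not k[1].startswith("CVE-"))


# Constructed XCCDF-style result from a SCAP-capable scanner ("scannerA"); CVE ids are placeholders.
SCANNER_A_XCCDF = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.1" id="result-web01">
  <target>web01.example.com</target>
  <rule-result idref="rule-openssl-outdated">
    <result>fail</result>
    <ident system="http://cve.mitre.org">CVE-0000-0001</ident>
  </rule-result>
  <rule-result idref="rule-apache-directory-listing">
    <result>fail</result>
  </rule-result>
  <rule-result idref="rule-ssh-protocol-2">
    <result>pass</result>
  </rule-result>
</TestResult>
"""

# Constructed CSV export from a second, non-SCAP scanner ("scannerB").
SCANNER_B_CSV = """host,cve,plugin,name
web01.example.com,CVE-0000-0001,10001,OpenSSL outdated
web01.example.com,,10002,Directory listing enabled
db01.example.com,CVE-0000-0002,10003,Database server needs patch
"""


def build_example():
    """Run both parsers over the constructed reports and return the merged table."""
    findings = (parse_xccdf_results(SCANNER_A_XCCDF, "scannerA")
                + parse_csv_report(SCANNER_B_CSV, "scannerB"))
    return correlate(findings)


if __name__ == "__main__":
    table = build_example()
    for (host, key), sources in sorted(table.items()):
        print(f"{host:20} {key:42} {','.join(sources)}")
    print("no shared identifier:", uncorrelated(table))
```

Running it shows the OpenSSL finding collapse into a single record reported by both scanners, while the directory-listing misconfiguration shows up twice, once per scanner, because neither tool attaches an identifier the other recognises. That second case is the gap #4 describes: until web-application findings carry shared identifiers the way OS vulnerabilities carry CVEs, the “one database of vulnerabilities” only works for the patch-and-version half of the problem.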

#5 This solution is exactly what the Government needs and exactly why SCAP was created. Imagine you’re the Federal Government with 3.5 million desktops: the only way you can manage all of those is through VA automation and a tool that aggregates information from various VA products across multiple zones of trust, environments, and even organizations.

#6 Help Ed out! We need this.

Posted in Technical, What Works

4 Responses

  1.  Vlad the Impaler Says:

    So like where can I find this elegant hack?

    Since I will be standing up an enterprise Nessus architecture and will shortly have Remedy 7 implemented here, I would love to give this a shot.


  2.  Ian99 Says:


    Nice blog. To be frank I am very excited about the promise of SCAP technology. I think it ranks in the top three most important security developments in the past few years and to be sure, I am a bit mystified that there isn’t more discussion of SCAP technology and development in the SCAP field.

    Until your blog I didn’t know what Ed has been up to lately.

    And in that context I have to share a little story with you. Just last week a vendor for an innovative security appliance contacted me asking if I would comment on their technical presentation. Just to give you a little background: while the product in question has a fair range of capabilities, event and data correlation and automated analysis and action were at the core of its capabilities. So, the first question I asked them concerned SCAP compatibility. I was distressed to hear that it wasn’t compliant. They asked me if I thought that was really important. I shared that it certainly is in the Federal market.

    You know, I really liked these guys and their product, and perhaps they will put SCAP compatibility into the requirements for updates to the product. But I feel the security community let them down. The word on SCAP has to get out there. And in that context, nothing speaks like results. Like you, I applaud Ed Bellis’ effort to keep the ball moving.

  3.  Anton Chuvakin Says:

    Is there a slide version, not video? Trying and failing to find it…

  4.  rybolov Says:

    Hi Anton

    You can ask Ed directly.
