Standards
Security Analysis Solution (SAS) is built completely around the SCAP standard, allowing customers to import and manage their XCCDF benchmarks (checklists) which are used for assessing their computers. Security standards and their acronyms are included in the following list:
Acronym | Name | Description
---|---|---
SCAP | Security Content Automation Protocol | Specification for expressing and manipulating security data in standardized ways that allow machine-readable assessment and misconfiguration remediation.
OVAL | Open Vulnerability and Assessment Language | XML specification for exchanging technical details on how to check systems for security-related software flaws, configuration issues and patches.
XCCDF | eXtensible Configuration Checklist Description Format | XML-based specification for structured collections of security configuration rules.
CPE | Common Platform Enumeration | Naming convention for hardware, OS and application products.
CVE | Common Vulnerabilities and Exposures | Dictionary of publicly known security-related software flaws.
CCE | Common Configuration Enumeration | Dictionary of software security configuration issues.
CVSS | Common Vulnerability Scoring System | Method for classifying characteristics of software flaws and assigning severity scores based on these characteristics.
Compliance
Security Analysis Solution supports:
...
- FDCC Scanner
- Authenticated Configuration Scanner
- Authenticated Vulnerability and Patch Scanner
Implementation
SCAP
SCAP is a public specification that provides standardized and automated security configurations and vulnerability assessments. SCAP comprises the following standards:
...
SAS embraces the SCAP standard and can import SCAP content into the Arellia Management Server (AMS). For further details, go to [REVIEW] SAS 8.x Overview.
XCCDF
SAS is compatible with XCCDF benchmarks and other types of checklists that adhere to the XCCDF specification including industry standards from:
...
For further information, go to [REVIEW] Security Configuration Profiles.
OVAL
SAS supports OVAL, a public standard for creating vulnerability, configuration, and patch checks using a declarative XML syntax.
...
OVAL content is delivered to the endpoints, where the assessments are performed. The OVAL results are then sent back and correlated in the AMS, giving administrators access to the OVAL- and XCCDF-compliant XML output as well as numerous reports that can correlate these assessments to the managed elements within the AMS.
CCE
SAS supports the public standard CCE, which provides an identification system for common security configuration issues and vulnerabilities. These identifiers are referenced within the SCAP and OVAL content.
...
CCE references are also present in the OVAL results product output, as well as a CSV formatted file output, all accessible through the Resource Explorer user interface.
CPE
Common Platform Enumeration (CPE) is an open standard that describes IT platforms (such as hardware, operating systems and applications). XCCDF Benchmarks define applicable platforms through CPE designations.
...
The CPE references are also viewable within result output and available to use when correlating results and assessed computers within reports and data exchange.
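The CCE and CPE sections above describe identifiers carried inside benchmark content. The following added example (not code from SAS or Arellia) reads an XCCDF 1.2 benchmark fragment and lists its CPE platforms plus, for each rule, the CCE identifiers and the OVAL definitions that check it. The benchmark, rule ids, CPE name, CCE id and OVAL id are constructed placeholders, and the function name is hypothetical.

```python
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace, and the "system" URIs that SCAP 1.2 content uses to
# mark an <ident> as a CCE and a <check> as an OVAL check.
NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed benchmark fragment: every id, the CPE name, the CCE id and the
# OVAL definition id are placeholders, not real content.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <platform idref="cpe:/o:example:example_os:1.0"/>
  <Group id="xccdf_org.example_group_accounts">
    <Rule id="xccdf_org.example_rule_min_password_length" severity="medium">
      <title>Minimum password length</title>
      <ident system="http://cce.mitre.org">CCE-00000-0</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="demo-oval.xml" name="oval:org.example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_org.example_rule_manual_review" severity="low">
      <title>Review local administrators</title>
    </Rule>
  </Group>
</Benchmark>"""

def summarize_benchmark(xml_text):
    """Return (platform CPE names, per-rule CCE/OVAL summary) for a benchmark."""
    root = ET.fromstring(xml_text)
    platforms = [p.get("idref") for p in root.findall("x:platform", NS)]
    rules = []
    for rule in root.iter("{%s}Rule" % NS["x"]):  # rules may be nested in Groups
        cces = [i.text.strip() for i in rule.findall("x:ident", NS)
                if i.get("system") == CCE_SYSTEM and i.text]
        ovals = [ref.get("name")
                 for chk in rule.findall("x:check", NS)
                 if chk.get("system") == OVAL_SYSTEM
                 for ref in chk.findall("x:check-content-ref", NS)]
        # A rule without an OVAL check cannot be assessed automatically.
        rules.append({"id": rule.get("id"), "severity": rule.get("severity", "unknown"),
                      "cce": cces, "oval": ovals, "automated": bool(ovals)})
    return platforms, rules
```

When benchmark files come from a source you do not control, parse them with a hardened XML parser such as defusedxml rather than the standard library parser.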
CVE
CVE is a common identification system and dictionary for computer and information security vulnerabilities, and is maintained and hosted by the MITRE Corporation (http://cve.mitre.org). The National Vulnerability Database (NVD) publishes vulnerability summaries that provide detailed information for most known computer and information security vulnerabilities. You can access these vulnerability summaries using the CVE identifier for a given vulnerability. NVD also regularly publishes NVD/CVE data feeds that store similar information but in a schema-defined and machine-readable format.
SAS utilizes CVE identifiers to associate vulnerabilities identified in the imported SCAP data stream as well as the assessment results. When viewing the OVAL definitions within a profile, CVE identifiers are displayed with links to details on the CVE website. Numerous reports are available within the product that show which computers are susceptible to the vulnerabilities identified by their CVE, combined with CVSS scoring metrics. SAS also stores CVE entities as unique resources within the AMS, leveraging the ability to associate and relate these to other AMS resources, giving the administrator rich reporting and targeting data to work from.
CVSS
CVSS is a public standard that defines methods for scoring and rating computer vulnerabilities. Vulnerabilities are referenced by CVE identifier, and their CVSS scores allow the administrator to prioritize and remediate those that pose the greatest risk. The CVSS list is maintained on the NIST website and provides scores for common threats and vulnerabilities.
Arellia Security Analysis Solution provides tasks that can be run on managed computers to gather CVE analysis results and analyze this data to produce CVSS score information for the managed computers. The product also displays CVSS scoring details in reports for managed computers that have been analyzed, including the CVE ID, score level, availability impact, confidentiality impact, integrity impact, and published date information. The product output also contains links to the CVEs, which users can follow to find additional information on the CVSS scores for the vulnerabilities.