What is SCAP?
The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of systems deployed in an organization. It is a U.S. standard maintained by National Institute of Standards and Technology (NIST) which provide specifications for the format of how various data types relating to vulnerability management are stored, handled and transferred.
Specifications within the SCAP standard include:
- Asset Identification schema (constructs to uniquely identify assets based on known identifiers and/or known information about the assets)
- An Asset Reporting Format (ARF) (a data model to express the transport format of information about assets, and the relationships between assets and reports)
- Open Vulnerability and Assessment Language (OVAL) ( includes a language to encode system details and how to assess and report upon the security state of computer systems)
What is OpenSCAP?
The OpenSCAP project is a collection of open source tools for implementing and enforcing the SCAP standard. Additionally, the OpenSCAP ecosystem provides multiple tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines. The fundamental platform on which the tools are all based is OpenSCAP Base, which provides the raw functionality of reading SCAP content in its various defined formats, schemas and languages.
What is the purpose of SCAP compliance?
Security Content Automation Protocol (SCAP) checklists standardize and enable automation of the linkage between computer security configurations; that is they improve interoperability between different systems used in vulnerability management and policy compliance by providing a standard set of frameworks and languages for communication between them.
How is SCAP compliance assessed?
The SCAP Validation Program tests the ability of products to employ SCAP standards. The NIST National Voluntary Laboratory Accreditation Program (NVLAP) accredits independent laboratories under the program to perform SCAP validations.
Is AppCheck built using SCAP or OpenSCAP standards?
At this time, AppCheck has not been validated to the SCAP standard, and this is not on the current development roadmap. However, please contact your account manager if SCAP standards compliance is a key requirement for your business.