
Tenable Blog


Tenable’s SecurityCenter 5 Achieves SCAP 1.2 Certification

Note: Tenable SecurityCenter is now Tenable.sc. To learn more about this application and its latest capabilities, visit the Tenable.sc web page.

XCCDF, OVAL, CVE, CPE, ARF, CVSS, CCE, TMSAD: the component specifications that together make up the Security Content Automation Protocol (SCAP) can come across as an alphabet soup of standards. But for many in government, and especially in the security community, SCAP might be the best thing since the Internet. Maintained by the National Institute of Standards and Technology (NIST), SCAP is a suite of open specifications developed with community participation. It defines how to express security configuration checklists, how to evaluate a target against them, how to identify platforms and vulnerabilities, and how to report the results, so that vulnerability management, measurement and policy compliance can be automated. SCAP validation tells an organization that the product it has invested in has been tested against NIST's validation requirements: it can consume standard SCAP content, produce consistent results, and export those results in the standardized XML formats that NIST and FISMA reporting expect.

SecurityCenter 5 is now fully certified against SCAP 1.2

We are pleased to announce that Tenable’s SecurityCenter 5 is now an SCAP validated tool, certified to perform SCAP 1.2 compatible assessments.

Why is SCAP so important?

In the early days before the SCAP 1.0 standard was released, whenever a government agency tried to evaluate security software solutions for configuration auditing or vulnerability assessment, no two vendors produced the same result against the same target; and worse, the reports created by the vendors’ products were completely incompatible with each other and required specialized software to interpret. So there was no easy way to compare products and their results.

Agreeing on even simple items such as password length was a challenge. For example, if a policy required a minimum password length of 8 and the target was configured for a minimum length of 10, one vendor might flag it as a fail (not an exact match), while another might pass the same check (10 is stricter than the policy value). Each vendor could defend its interpretation, but imagine repeating that argument over thousands of individual security settings and then trying to measure results. Government agencies had no good way to compare vendors or to test products consistently. All they could do was look at the software price, toss a coin and hope that the chosen software worked as expected once it went live. Of course I am oversimplifying, but you get the point: SCAP is all about standardization.

History

Eventually, government agencies called for standardization. The result was an amalgamation of standards under the umbrella of a single protocol called the Security Content Automation Protocol (SCAP).

NIST then required that vendors who wanted their products validated for government use define settings the same way (XCCDF), evaluate targets the same way (OVAL), decide whether a target is applicable to a test the same way (CPE), and report results in the same format (ARF) so that reports for the same target are directly comparable. The result? Reports generated by one SCAP-validated tool could be imported into another SCAP-validated product for analysis and comparison. Vendor innovation would come from ease of use or faster scans, for example, not from specialized interpretations of tests or exotic report formats.

This was a welcome development for Tenable, because it meant we no longer had to convert large benchmark PDF files into our proprietary .audit files. We were one of the first vendors to get SCAP 1.0 certified in 2008. Any customer with access to SCAP content was able to run scans with it using SecurityCenter.

SCAP 1.0/1.1

For all the promise that the initial versions of SCAP (1.0/1.1) held, SCAP did not initially achieve all its goals. Many vendors supported it, and a lot of content was generated for it. But some goals remained unrealized: the reports produced by different vendors were not always importable into each other's tools, and coverage of the OVAL test types was spotty.

In retrospect, the standard was put together hastily, the requirements were open to interpretation, and testing was thin. Compared to the current SCAP version, the requirements for validation were far simpler and less detailed. The result was that not all SCAP-validated tools were created equal.

SCAP 1.2

If SCAP 1.0/1.1 was a toddler, then SCAP 1.2 is the grown-up. That’s the level of transformation and complexity added to SCAP. We now have more clarity.

SCAP 1.2 ushered in a completely new content format. Previous SCAP versions shipped content as several separate files (typically an XCCDF benchmark, an OVAL definitions file, a CPE dictionary and the OVAL file backing the CPE platform checks); SCAP 1.2 bundles all of them into a single XML file, the source data stream, in which the checklist, checks and dictionaries reference each other by component ID. NIST also released the SCAP validation test suite so that every vendor knows exactly what it will be tested against. And the new requirements mandate backward compatibility, so a validated SCAP 1.2 tool must still process existing SCAP 1.0/1.1 content.
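To make the single-file data stream concrete, and to show how standardized OVAL comparison semantics settle the password-length disagreement described earlier, here is an added example in Python. It is not code from Tenable or from the original post. The SCAP 1.2 data stream below is constructed and heavily trimmed: the collection, component and benchmark IDs are made up, and the OVAL test inlines its state (datatype, operation, value) instead of referencing separate object and state elements, so the evaluator is a toy that applies OVAL's named comparison operations rather than a real OVAL interpreter. What it does show is real SCAP 1.2 structure: `component-ref` entries under `checklists`, `checks` and `dictionaries` point by `xlink:href` at bundled `component` elements, and the XCCDF `check-content-ref` names the OVAL component-ref and definition to evaluate.

```python
"""Walk a (constructed) SCAP 1.2 source data stream: check that every
component-ref resolves to a bundled component, then follow an XCCDF rule to
its OVAL definition and evaluate it with the comparison operation the content
specifies. Example code, not Tenable's; the sample XML is constructed and trimmed."""
import re
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://scap.nist.gov/schema/scap/source/1.2",
    "xlink": "http://www.w3.org/1999/xlink",
    "xccdf": "http://checklists.nist.gov/xccdf/1.2",
    "oval": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
}
XLINK_HREF = f"{{{NS['xlink']}}}href"

# Constructed sample input: one XML file bundling XCCDF, OVAL and CPE components.
# IDs are made up; the OVAL test inlines its state to keep the sample short (toy).
SAMPLE_DATA_STREAM = """<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2"
    xmlns:xlink="http://www.w3.org/1999/xlink" id="scap_example_collection">
  <ds:data-stream id="scap_example_datastream" scap-version="1.2" use-case="CONFIGURATION">
    <ds:dictionaries><ds:component-ref id="scap_example_cref_cpe" xlink:href="#scap_example_comp_cpe"/></ds:dictionaries>
    <ds:checklists><ds:component-ref id="scap_example_cref_xccdf" xlink:href="#scap_example_comp_xccdf"/></ds:checklists>
    <ds:checks><ds:component-ref id="scap_example_cref_oval" xlink:href="#scap_example_comp_oval"/></ds:checks>
  </ds:data-stream>
  <ds:component id="scap_example_comp_xccdf" timestamp="2015-01-01T00:00:00">
    <Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_pw">
      <Rule id="xccdf_example_rule_min_pw_len" selected="true">
        <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
          <check-content-ref href="scap_example_cref_oval" name="oval:example:def:1"/>
        </check>
      </Rule>
    </Benchmark>
  </ds:component>
  <ds:component id="scap_example_comp_oval" timestamp="2015-01-01T00:00:00">
    <oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
      <definitions>
        <definition id="oval:example:def:1" class="compliance" version="1">
          <criteria><criterion test_ref="oval:example:tst:1"/></criteria>
        </definition>
      </definitions>
      <tests>
        <test id="oval:example:tst:1" comment="minimum password length (toy: state inlined)">
          <state datatype="int" operation="greater than or equal">8</state>
        </test>
      </tests>
    </oval_definitions>
  </ds:component>
  <ds:component id="scap_example_comp_cpe" timestamp="2015-01-01T00:00:00">
    <cpe-list xmlns="http://cpe.mitre.org/dictionary/2.0"/>
  </ds:component>
</ds:data-stream-collection>
"""

# OVAL comparison operations (names from the OVAL common schema). The policy
# value comes from the content; the observed value comes from the target.
OPERATIONS = {
    "equals": lambda observed, policy: observed == policy,
    "not equal": lambda observed, policy: observed != policy,
    "greater than": lambda observed, policy: observed > policy,
    "greater than or equal": lambda observed, policy: observed >= policy,
    "less than": lambda observed, policy: observed < policy,
    "less than or equal": lambda observed, policy: observed <= policy,
    "pattern match": lambda observed, policy: re.search(policy, str(observed)) is not None,
}


def load(xml_text):
    """Parse the data stream; map component ids to elements and component-ref ids
    to the component id their href targets (None for hrefs that are not local '#' fragments)."""
    root = ET.fromstring(xml_text)
    components = {c.get("id"): c for c in root.findall("ds:component", NS)}
    refs = {}
    for ref in root.iter(f"{{{NS['ds']}}}component-ref"):
        href = ref.get(XLINK_HREF, "")
        refs[ref.get("id")] = href[1:] if href.startswith("#") else None
    return root, components, refs


def unresolved_refs(xml_text):
    """Return ids of component-refs that do not point at a bundled component.
    A data stream with dangling references cannot be evaluated as a unit."""
    _, components, refs = load(xml_text)
    return [ref_id for ref_id, target in refs.items() if target not in components]


def evaluate_rule(xml_text, rule_id, observed):
    """XCCDF rule -> check-content-ref (component-ref id + OVAL definition id)
    -> OVAL component -> definition -> test -> inlined state; apply the operation."""
    root, components, refs = load(xml_text)
    rule = root.find(f".//xccdf:Rule[@id='{rule_id}']", NS)
    cref = rule.find("xccdf:check/xccdf:check-content-ref", NS)
    oval = components[refs[cref.get("href")]]
    definition = oval.find(f".//oval:definition[@id='{cref.get('name')}']", NS)
    test_id = definition.find(".//oval:criterion", NS).get("test_ref")
    state = oval.find(f".//oval:test[@id='{test_id}']/oval:state", NS)
    policy = int(state.text) if state.get("datatype") == "int" else state.text
    return "pass" if OPERATIONS[state.get("operation")](observed, policy) else "fail"
```

With the operation spelled out in the content as "greater than or equal", a target configured for a minimum length of 10 passes, 8 passes, and 7 fails, regardless of which tool runs the check; the "exact match versus stricter" ambiguity from the early days simply does not arise. The `unresolved_refs` check is the kind of sanity test worth running on any data stream before a scan, since a component-ref whose href points at a component that was never bundled will break evaluation.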

The SCAP test suite has 46 different requirements and 75,000 tests. Failing just one test means failing SCAP certification completely. After months of hard work, we are happy to report that SecurityCenter 5 is now fully certified against SCAP 1.2.

Wrap-up

Any vendor who has been through SCAP certification knows how rigorous it is and how rewarding it is to deliver an SCAP validated solution to our customers. We are honored to work with government agencies that trust Tenable with their security needs. SecurityCenter provides you with the highest standard in continuous network monitoring and SCAP solutions.
