SCAP Testing Solutions
Security Content Automation Protocol (SCAP) Testing and certification services for SCAP standards
Intertek EWA-Canada offers efficient and cost-effective help to our clients in obtaining certification of their products to any of the SCAP standards or SCAP capabilities. The Security Content Automation Protocol (SCAP) is a method for using a standards-based approach to automate vulnerability management, measurement and policy compliance evaluation. SCAP comprises the following set of open standards that address identification of software vulnerabilities, platforms and security relevant configuration issues; methods for determining the presence of vulnerabilities or other issues; and methods for assigning a score to discovered security issues in order to rank their severity and impact.
Under the SCAP Validation Program, vendor products may be tested for conformance to the following SCAP component standards:
- Common Vulnerabilities and Exposures (CVE®),
- Common Configuration Enumeration (CCE™),
- Common Platform Enumeration (CPE™),
- Common Vulnerability Scoring System (CVSS),
- eXstensible Configuration Checklist Document Format (XCCDF), and
- Open Vulnerability Assessment Language (OVAL™).
In addition, NIST has defined a variety of SCAP Capabilities that vendors may claim for their products and for which conformance testing has been defined, including:
- Federal Desktop Core Configuration (FDCC) Scanner,
- Authenticated Configuration Scanner,
- Authenticated Vulnerability Scanner,
- Unauthenticated Vulnerability Scanner,
- Intrusion Detection and Prevention,
- Patch Remediation,
- Mis-configuration Remediation,
- Asset Management,
- Asset Database,
- Vulnerability Database,
- Mis-configuration Database, and
- Malware Tool.
Of particular note, the U.S. Federal Office of Management and Budget (OMB) released Memorandum M-07-11 in March of 2007 directing that all agencies operating Windows XP™ or Vista™ must adopt the FDCC security configurations developed by the National Institute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of Homeland Security (DHS) by 1 February 2008. Vendors with products validated as conforming to FDCC Scanner requirements will be in a position to offer their solutions to agencies that will need to be able to confirm the compliance of their desktop system configurations.
As a fully accredited SCAP Test Lab, Intertek EWA-Canada can offer efficient and cost-effective help to our clients in obtaining certification of their products to any of the SCAP standards or SCAP capabilities.