A SCAP Database Model Proposal
For the SCAP conference I've gotten permission to share the attached technical notes/ppt on a SCAP Database Model which Lumension would like to propose as a standard or a reference model. I attached late drafts of the documents (finals will not be ready until next week).
The conclusion illustrates the why.
The use of an XML database results in a simple physical database that captures all of the wealth of information in SCAP data. It permits the handling of SCAP data as an integrated unit instead of a random collection of XML files. There are some specific strong security advantages: the elimination of stale OVAL elements. If an XCCDF file uses version 1 of an OVAL element and this OVAL element has been corrected and is now at version 5, there is a problem. First, the problem of detecting if there is a newer version available (there’s no clear process at present!) and then getting the file updated (do you update the file yourself and break any XML-Signature on the file, raising a potential red flag for auditors; or do you nag the author to update and wait until they get around to it?). Using a database, you dynamically build the OVAL file for an XCCDF profile using the latest version available for all elements. A complex, security-impacting problem disappears.
There are other advantages which are tied to the ease of access; some items are:
- ability to identify and eliminate equivalent content (for example OVAL elements)
- ability to do consistency queries to flag non-conforming data (for example, 90% of the XCCDF uses CPE to identify the platform, 10% does not)
<<SCAP Data Model.pdf>> <<SCAP Data Model PPT.pdf>>
Ken Lassesen,
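As an added illustration of the "build the OVAL file for a profile from the latest element version" idea (example code written for this page, not part of the post or of Lumension's proposal), the sketch below indexes several revisions of the same OVAL definition id, resolves a benchmark's check references to the newest revision, and reports references the store cannot satisfy. The namespaces are the real OVAL 5 and XCCDF 1.2 ones, but both documents and all ids are constructed samples.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed OVAL feed: three revisions of def:1 (out of order) and one of def:2.
OVAL_FEED = f"""<oval_definitions xmlns="{OVAL_NS}"><definitions>
<definition id="oval:example:def:1" version="1" class="compliance"/>
<definition id="oval:example:def:1" version="5" class="compliance"/>
<definition id="oval:example:def:1" version="3" class="compliance"/>
<definition id="oval:example:def:2" version="2" class="compliance"/>
</definitions></oval_definitions>"""

# Constructed XCCDF benchmark, authored when def:1 was at version 1, plus a
# reference (def:9) that the feed no longer carries at all.
XCCDF_DOC = f"""<Benchmark xmlns="{XCCDF_NS}">
<Rule id="xccdf_example_rule_1"><check system="{OVAL_NS}">
<check-content-ref href="old.xml" name="oval:example:def:1"/></check></Rule>
<Rule id="xccdf_example_rule_2"><check system="{OVAL_NS}">
<check-content-ref href="old.xml" name="oval:example:def:9"/></check></Rule>
</Benchmark>"""

def load_store(oval_xml):
    """Index every definition revision as id -> {version: element}."""
    store = defaultdict(dict)
    for d in ET.fromstring(oval_xml).iter(f"{{{OVAL_NS}}}definition"):
        store[d.get("id")][int(d.get("version"))] = d
    return store

def build_profile_oval(xccdf_xml, store):
    """Assemble an OVAL document holding only the definitions the benchmark
    references, each at its newest stored revision; return (doc, missing ids)."""
    root = ET.Element(f"{{{OVAL_NS}}}oval_definitions")
    defs = ET.SubElement(root, f"{{{OVAL_NS}}}definitions")
    missing, seen = [], set()
    for ref in ET.fromstring(xccdf_xml).iter(f"{{{XCCDF_NS}}}check-content-ref"):
        oid = ref.get("name")
        if oid in seen:
            continue
        seen.add(oid)
        if oid not in store:
            missing.append(oid)  # stale reference: nothing to resolve it to
            continue
        defs.append(store[oid][max(store[oid])])  # newest revision wins
    return root, missing

def selected_versions(xccdf_xml, store):
    """Map shipped definition id -> version, plus the unresolved ids."""
    root, missing = build_profile_oval(xccdf_xml, store)
    return {d.get("id"): int(d.get("version"))
            for d in root.iter(f"{{{OVAL_NS}}}definition")}, missing
```

Serialising `root` with `ET.tostring` gives the freshly built OVAL file; the `missing` list is the consistency report the post's second bullet asks for.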