Specification for the extensible configuration checklist description format (XCCDF) version 1.2

Waltermire, David; Schmidt, Chalres; Scarfone, Karen; Ziring, Neal

doi:10.6028/nist.ir.7275r4

Cited by 14 publications

(12 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In this format, checklist items can be associated with checks, such as OVAL definitions, and preconditions, such as preliminary checks that are represented by the <xccdf:require> element. A common example for an require element highlighted in the XCCDF specification [9] is "<xccdf:requires idref="xccdf_org.example_rule_passwd-exists"/>". This kind of preliminary requirement is found in checklist items to evaluate certain file system privileges.…”

Section: Related Workmentioning

confidence: 99%

“…SCAP also employs the eXtensible Configuration Checklist Description Format (XCCDF [9]). In this format, checklist items can be associated with checks, such as OVAL definitions, and preconditions, such as preliminary checks that are represented by the <xccdf:require> element.…”

Section: Related Workmentioning

confidence: 99%

“…At this point, our IRP relies on a manually composed, machine-readable discrepancy list that can be processed by an OVAL definition automatically. Every security test to be conducted in the VE has to be provided in the Extensible Configuration Checklist Description Format (XCCDF [9]). Each checklist item of this security test checklist refers to a security test represented by an OVAL definition element.…”

Section: Security Testing Supported By the Irpmentioning

confidence: 99%

See 2 more Smart Citations

Enhancing Security Testing via Automated Replication of IT-Asset Topologies

Birkholz

Sieverdingbeck

Kuntze

et al. 2013

2013 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Security testing of IT-infrastructure in a production environment can have a negative impact on business processes supported by IT-assets. A testbed can be used to provide an alternate testing environment in order to mitigate this impact. Unfortunately, for small and medium enterprises, maintaining a physical testbed and its consistency with the production environment is a cost-intensive task. In this paper, we present the Infrastructure Replication Process (IRP) and a corresponding Topology Editor, to provide a cost-efficient method that makes security testing in small and medium enterprises more feasible. We utilize a virtual environment as a testbed and provide a structured approach that takes into account the differences between a physical and a virtual environment. Open standards, such as SCAP, OVAL or XCCDF, and the utilization the Interconnectedasset Ontology-IO-support the integration of the IRP into existing (automated) processes. We use the implementation of a prototype to present a proof-of-concept that shows how typical challenges regarding security testing can be successfully mitigated via the IRP.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Security Testing Supported By the Irpmentioning

confidence: 99%

See 1 more Smart Citation

Enhancing Security Testing via Automated Replication of IT-Asset Topologies

Birkholz

Sieverdingbeck

Kuntze

et al. 2013

2013 International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…The Extensible Configuration Checklist Description Format (XCCDF) [9], a SCAP specification, specifies a language to describe security checklists and collect compliance results of targeted systems. SCAP also provides a set of measurement and scoring systems to provide universal scores of known vulnerabilities.…”

Section: Introductionmentioning

confidence: 99%

Enterprise Risk Assessment Based on Compliance Reports and Vulnerability Scoring Systems

Alsaleh

Al-Shaer

2014

Proceedings of the 2014 Workshop on Cyber Security Analytics, Intelligence and Automation

View full text Add to dashboard Cite

The risk of cyberattacks have become increasingly daunting as most of our socioeconomic activities have gone cyberbased. Comprehensive automated risk management is becoming necessity in today's dynamic networks. In this paper, we present an objective metric to assess the risk of cyberattacks on organizations' networks based on the security compliance reports. Our model considers various risk factors, including vulnerabilities distribution, dependency between them, and network configuration. We take advantage of Security Content Automation Protocol (SCAP) languages and measurement and scoring systems to study vulnerabilities and compute the system exposure. We also describe an evaluation plan to validate the presented metric.

show abstract

“…While patterns of events [67] (including event counters, conjunction, disjunction and sequences of events) could be readily reuse or extended to reflect the complexity of events of interest to the cloud stakeholders, existing event specification languages such as ETALIS [69], TESLA [70] and YALES [71] are amongst the most expressive languages that can be adopted for the specification of event patterns pertinent to STMA. Furthermore, given most STMA related events would be related to security, candidate format for representing atomic events of interest may include the Extensible Configuration Checklist Description Format -XCCDF [72] and the Intrusion Detection Message Exchange Format-IDMEF (http:// www.rfc-base.org/txt/rfc-4765.txt), both being an XML based format. While IDMEF is intended to be a standard data format that automated intrusion detection systems can use to report alerts about events that they deem suspicious, XCCDF is used to specify security checklists and benchmarks amongst others.…”

Section: Engineering Cloud Services With Stma In Mindmentioning

confidence: 99%

Security transparency: the next frontier for security research in the cloud

et al. 2015

View full text Add to dashboard Cite

The recent advances in networking and the ubiquity of the Internet have enabled the emergence of cloud computing as a viable solution for a convenient, elastic and economical usage of services. In spite of these apparent advantages, the cloud model presents some challenges that hamper its wider adoption, most of which relate to security and privacy. This paper provides a review of the current initiatives devised by both academia and industry for addressing the security concerns inherent to the cloud model. Our analysis of the state of the art reveals that although initiatives such as SLA and virtual machines monitoring, and recent development in encryption mechanisms, have contributed to addressing some of the salient issues of security and privacy in the cloud, larger initiatives, other than standards, aiming at enabling security transparency and a mutual auditability in the cloud remain to be seen. With this in mind, the paper proposes some routes towards related solutions by discussing a number of desiderata for establishing a better security transparency between a Cloud Service Provider (CSP) and a Cloud Service Consumer (CSC). Given the current reluctance of some major businesses to embrace the trend, owing mainly to the devolution of some of the security aspects to a third party, the authors argue that undertaking some initiatives in that direction is a key to sustaining the current momentum of the cloud.

show abstract

Specification for the extensible configuration checklist description format (XCCDF) version 1.2

Cited by 14 publications

References 0 publications

Enhancing Security Testing via Automated Replication of IT-Asset Topologies

Enhancing Security Testing via Automated Replication of IT-Asset Topologies

Enterprise Risk Assessment Based on Compliance Reports and Vulnerability Scoring Systems

Security transparency: the next frontier for security research in the cloud

Contact Info

Product

Resources

About