Transitioning to the Security Content Automation Protocol (SCAP) Version 2

Waltermire, David; Fitzgerald-McKay, Jessica

doi:10.6028/nist.cswp.09102018

Cited by 3 publications

(6 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…SCAP Composer's release coincides with a new effort underway to improve upon SCAP version 1.3. Within the proposed scope of this "SCAP 2.0" initiative [22] is improved "SCAP content creation, acquisition, and reuse." SCAP Composer can contribute to this goal by making it easier to combine content into new source data streams.…”

Section: Discussionmentioning

confidence: 99%

SCAP composer user guide

Lubell¹

2020

View full text Add to dashboard Cite

Any mention of commercial or other third-party products in this guide is for information purposes only; it does not imply recommendation or endorsement by the National Institute of Standards and Technology (NIST). For any of the web links in the software and this user's guide, NIST does not necessarily endorse the views expressed, or concur with the facts presented on those web sites. SCAP Composer was developed at NIST by employees of the Federal Government in the course of their official duties. Pursuant to Title 17 Section 105 of the United States Code, this software is not subject to copyright protection and is in the public domain. This software is an experimental system. NIST assumes no responsibility whatsoever for its use by other parties, and makes no guarantees, expressed or implied, about its quality, reliability, or any other characteristic. SCAP Composer can be redistributed and/or modified freely provided that any derivative works bear some notice that they are derived from it, and any modified versions bear some notice that they have been modified. NIST would appreciate acknowledgement if the software is used.

show abstract

Section: Discussionmentioning

confidence: 99%

SCAP composer user guide

Lubell¹

2020

View full text Add to dashboard Cite

show abstract

“…In particular, XCCDF [11] is used to represent the test results. XCCDF is a NIST specification and one of the main components of the Security Content Automation Protocol (SCAP) [41]. Unlike previous papers that are mainly focused on security testing aspects, this work integrates security testing results to build augmented MUD profiles to restrict the communication of IoT devices.…”

Section: A Security Testing In Iotmentioning

confidence: 99%

“…It should be noted that XCCDF is intended to be used to automate the verification of checklists using the Open Vulnerability and Assessment Language (OVAL) [69]. While some limitations have been identified for the use of XCCDF in the IoT context [70], the evolution of SCAP [41] aims to enhance different aspects of the current XCCDF specification to be considered in IoT. According to Figure 2, it should be noted that the Extended MUD file is generated based on such Assessment Report and the Original MUD file associated to the device itself.…”

Section: ) Profile Generationmentioning

confidence: 99%

“…Since IANA does not provide numeric identification for application layer protocols, the application protocol is defined though a string representing its name. This application layer protocol is further described with their associated policies (lines [36][37][38][39][40][41][42][43][44][45][46]. Furthermore, since different restrictions can be considered for each application-layer protocol, these fields could be repeated in the extended profile.…”

Section: ) Profile Generationmentioning

confidence: 99%

“…It is a NIST standard, which is supported by SCAP [68]. It should be noted that the next version of SCAP is intended to enhance XCCDF aspects to be considered in IoT scenarios [41] According to the specification, XCCDF documents contain a Benchmark element, which contains one or more elements, such as Rule, Value, TestResult and Group. Optionally it may include the element Profile to customise the benchmarking.…”

Section: A Assessment Report Generation Based On Xccdfmentioning

confidence: 99%

See 2 more Smart Citations

Extending MUD Profiles Through an Automated IoT Security Testing Methodology

et al. 2019

View full text Add to dashboard Cite

Defining the intended behaviour of IoT devices is considered as a key aspect to detect and mitigate potential security attacks. In this direction, the Manufacturer Usage Description (MUD) has been recently standardised to reduce the attack surface of a certain device through the definition of access control policies. However, the semantic model is only intended to provide network level restrictions for the communication of such device. In order to increase the expressiveness of this approach, we propose the use of an automated IoT security testing methodology, so that testing results are used to generate augmented MUD profiles, in which additional security aspects are considered. For the enforcement of these profiles, we propose the use of different access control technologies addressing application layer security concerns. Furthermore, the methodology is based on the use of Model-Based Testing (MBT) techniques to automate the generation, design and implementation of security tests. Then, we describe the application of the resulting approach to the Elliptic Curve Diffie-Hellman over COSE (EDHOC) protocol, which represents a standardisation effort to build a lightweight authenticated key exchange protocol for IoT constrained scenarios.INDEX TERMS Internet of Things, security testing, MUD, EDHOC.

show abstract

References

2020

Transforming Information Security

View full text Add to dashboard Cite

Transitioning to the Security Content Automation Protocol (SCAP) Version 2

Cited by 3 publications

References 10 publications

SCAP composer user guide

SCAP composer user guide

Extending MUD Profiles Through an Automated IoT Security Testing Methodology

References

Contact Info

Product

Resources

About