Security Content Automation Protocol
Maintaining the security of enterprise systems is challenging due to the number and variety of systems to secure, the need to respond quickly to new threats, and the lack of interoperability among security management tools. In response, the National Institute of Standards and Technology (NIST) created the Security Content Automation Protocol (SCAP), which enables enterprises and government agencies to verify the presence of patches, check for proper system configuration settings, and generate reports in an automated, consistent, and repeatable way.
SignaCert's Integrity provides a NIST-validated SCAP solution that enables customers to centrally manage, assess, and report on SCAP compliance. The results include compliance scores and links to the Common Vulnerability Enumeration (CVE) and Common Configuration Enumeration (CCE) databases. Additional information about SignaCert's SCAP implementation can be found here.
SignaCert Integrity is a NIST-validated FDCC Scanner, Authenticated Configuration Scanner, and Authenticated Vulnerability and Patch Scanner.
Many SCAP validated vendors provide the ability to perform vulnerability assessment and configuration compliance such as Federal Desktop Core Configuration (FDCC). SignaCert adds a third vital component, the ability to measure managed IT systems against known-provenance, reference images, which ensures systems are both SCAP compliant and deployed as intended. This is critical, because a system may be free of vulnerabilities and satisfy a given best-practices security checklist, but still have unauthorized applications installed. For example, the system could have a peer-to-peer file sharing application installed or the wrong version of an application may have been deployed during a change window. These conditions can have serious consequences and would not be detected by other SCAP validated products.
Other vendors claim to be able to detect unauthorized software, but they rely solely on product metadata to determine which versions of software are installed. These techniques are not secure and lead to supply-chain concerns. Only SignaCert's patented known-provenance technology securely verifies that systems only have approved, authentic software from known and trusted providers.