Announcing SCAP Sync

We are proud to announce that SCAP Sync is now live! SCAP Sync is a search engine and content repository for SCAP. Lunarline is offering this as a free service, starting today.

SCAP Sync crawls SCAP content from multiple original sources (including NIST and MITRE), then syndicates that content in several convenient formats for both security practitioners and application developers who want to use SCAP content in their own applications.

Security Practitioners

For security practitioners, SCAP Sync provides a central location to search and view SCAP content in a user-friendly format. You don’t need to know technical details like XML or CVSS – we handle all of that stuff for you. Our goal is to demystify SCAP content and to make it more relevant and useful for the average security practitioner.

This is best illustrated with a hypothetical example… Let’s say you’re conducting a security assessment for a Voice-Over-IP deployment, and you want to evaluate potential risks associated with a specific VOIP product. You go to SCAP Sync and you type in the name of a VOIP product, then click Search.

SCAP Sync Home Page

In the search results, you can see a lot of results labeled with CPE: Common Platform Enumeration. CPEs represent specific hardware and software products, which is not really what we’re interested in.

Search Results

To focus the search on vulnerabilities, click the CVE option under Filters. This will refine the search to show vulnerabilities only. If you’re interested in the most critical vulnerabilities, then try clicking on the 8-10 option under “CVSS Base Score”.

Search Results With Filters Applied

To view details of a vulnerability, just click on it.

Details Of A Specific Vulnerability

NIST publishes CVE content in XML format, but SCAP Sync syndicates this information in a more human-friendly format. (If you want to see the original XML format, click on the XML button in the top right corner of the page.) For example, SCAP Sync reformats the CVSS (Common Vulnerability Scoring System) data so that you can easily see how this vulnerability impacts confidentiality, integrity, and availability.

This is just a quick example, but we think there are lots and lots of uses for having a single, centralized, searchable repository of SCAP content!

Application Developers

In addition to making SCAP content more useful for security practitioners, we also intend to make SCAP content more useful for application developers. SCAP Sync is being launched with a full REST API so that you can get SCAP data into your own applications quickly and easily.

The current API is pretty basic, but nonetheless it provides a valuable service that is unavailable anywhere else: the ability to retrieve any single piece of SCAP content in machine-readable format.

Let’s look at another example. CCE-14300-8 is a piece of content in the Common Configuration Enumeration, which is a SCAP standard that lists many possible security configuration items. This particular element is a configuration that states that password hashes should be stored in /etc/shadow instead of /etc/passwd.

If you wanted to get this one piece of content – and only this piece of content – you would need to download the full 10.6 MB CCE List from MITRE, load the entire file into memory, parse it, and then traverse the DOM tree looking for the element CCE-14300-8. Depending on your network speed, CPU, and IO, this might take 5-10 minutes, just to get a single record that is under 800 bytes!

Even if you did go through all of this effort to get this one record, MITRE may update the CCE list tomorrow, and there is no way to tell whether that update contains any changes specific to CCE-14300-8 without downloading the whole file all over again, parsing it all over again, etc.
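
The manual lookup described above, as an added example (not code from Lunarline or MITRE): a streaming search for one entry, plus a content fingerprint so that a later download can be checked for changes to CCE-14300-8 alone. The sample XML and its element and attribute names are constructed for illustration, and the full file still has to be downloaded each time.

```python
import hashlib
import io
import json
import xml.etree.ElementTree as ET

# Constructed sample standing in for the full CCE list. Element and attribute
# names here are assumptions for illustration, not a copy of MITRE's schema.
SAMPLE_CCE_LIST = b"""<?xml version="1.0"?>
<cce_list>
  <cce cce_id="CCE-00000-0" modified="2010-01-01">
    <description>Constructed filler entry.</description>
  </cce>
  <cce cce_id="CCE-14300-8" modified="2010-01-01">
    <description>
      Password hashes should be stored in /etc/shadow instead of /etc/passwd.
    </description>
  </cce>
</cce_list>
"""


def _local(tag):
    """Drop any '{namespace}' prefix so the lookup works with or without one."""
    return tag.rsplit("}", 1)[-1]


def find_entry(stream, cce_id):
    """Stream the list; return (record, sha256 fingerprint) or None if absent."""
    # iterparse yields each element as it closes; clearing the entries we skip
    # keeps memory use low. For feeds you do not control, a hardened parser
    # such as defusedxml is the safer choice.
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if _local(elem.tag) != "cce":
            continue
        if elem.get("cce_id") == cce_id:
            record = dict(elem.attrib)
            for child in elem:
                record[_local(child.tag)] = " ".join((child.text or "").split())
            # Hash a normalized form so whitespace-only reformatting of the
            # file does not register as a content change.
            canonical = json.dumps(record, sort_keys=True).encode("utf-8")
            return record, hashlib.sha256(canonical).hexdigest()
        elem.clear()  # free entries we are not interested in
    return None


if __name__ == "__main__":
    record, fingerprint = find_entry(io.BytesIO(SAMPLE_CCE_LIST), "CCE-14300-8")
    print(record["description"], fingerprint)
```

Storing the fingerprint alongside the record lets the next run report whether this one entry changed, even though the whole list was fetched and scanned again.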

With SCAP Sync, you can just load this piece of content directly in a matter of seconds, and rest assured that you’re always getting the latest version of that content. We do all of the heavy lifting so that you can focus on your application.

Next Steps

SCAP Sync is launching today with support for CCE (configuration data), CPE (product data), CVE (vulnerability data), and CWE (weakness data). We are continuing to work on SCAP Sync to offer more types of content and more ways of viewing and using that content.

We are also soliciting feedback from the security community. What features would you like to see in an ideal SCAP search engine and/or repository? What types of additional SCAP content would you like to see? Please contact us by leaving a comment on this post or by e-mailing me directly at mark.haase@lunarline.com.

About Mark Haase

Mark Haase is the head of product engineering at Lunarline. This is a fancy way of saying that he hires people smarter than him to do the real work, then basks in the glory naturally associated with all IT software.