Home » Products » SCAP Sync » SCAP Sync: CVE Applicability

SCAP Sync: CVE Applicability

We rolled out some major upgrades to SCAP Sync this week! We will be highlighting its new capabilities in a series of upcoming blog posts. Our goal is to show you how you can use SCAP Sync in your day-to-day security work to improve productivity and automate tedious workflows.

The first new feature that we are covering is CVE Applicability. This new feature makes it easy for you to research whether an announced vulnerability affects you or your employer.

CVE Applicability

The National Vulnerability Database (NVD) is a fantastic research tool for understanding the specifics of a particular vulnerability: when was it announced, who announced it, what products does it affect, where I can learn more, etc. The NVD can be difficult to use and understand, however, which was one of the primary motivations behind the creation of SCAP Sync.

Let us look at an example. Security researchers at Google recently announced a vulnerability in Adobe Flash Player called CVE-2013-3343. Assume that I work for the security team of an organization. What does this CVE mean for me and my employer? Are we affected? What is our exposure and risk?

Let us compare and contrast the NVD and SCAP Sync by trying to answer this seemingly simple set of questions. We begin by looking up this CVE number on both the NVD and SCAP Sync.

a side-by-side comparison of the NVD and SCAP Sync.

NVD & SCAP Sync side-by-side.

The visual design of SCAP Sync focuses on simplicity and readability, making the most important information immediately accessible to you, the user.

This particularly vulnerability is very severe: it scores a 10 out of 10! The NVD does not tell us why this vulnerability is so severe, but if we look at SCAP Sync, we can see that the vulnerability can be exploited over a network with a low complexity attack, and it completely compromises confidentiality, integrity, and availability. Yikes!

The next logical question is: is this CVE applicable to myself or my employer? Let us first try to answer this question by using the NVD. If we scroll down the page on the NVD, we  find a section titled “vulnerable software and versions”.

example of "affected products" section of an NVD entry

An example of the “affected products” section of an NVD entry.

The NVD contains thousands of rows of data about what products are affected by this vulnerability. A screenshot does not do justice to the amount of data involved here. If you were to print this data, it would require 15 sheets of 8.5 x 11 paper!

To complicate matters further, this complex vulnerability doesn’t just affect specific products, it affects specific combinations of products. Therefore, within this 15 pages of data, the NVD encodes a set of boolean conditions that express which combinations of products are affected by this vulnerability.

Exercise for the reader: Look at this NVD data and determine if the computer you are currently using is affected by this vulnerability or not. I won’t blame you if you give up quickly – it’s really complicated and tedious! There has to be a better way… right?

Let’s look at SCAP Sync again. If we scroll down the page, we find a section titled “vulnerable products“.

An example of SCAP Sync's "affected products" feature.

SCAP Sync’s “affected products” feature.

When you view a CVE with complicated applicability rules, SCAP Sync hides that complex data and instead offers to help guide you through the process of answering the question, “am I affected by this vulnerability?”

An example of a more complicated "affected products" section in SCAP Sync.

A more complicated “affected products” section.

SCAP Sync guides you through this process by asking you a series of yes/no questions about what kinds of OS and software applications you are using. Under the hood, SCAP Sync is using that same, complex data from the NVD to determine what questions to ask and how to interpret your answers. In doing so, we make it much easier and faster for you to figure out your exposure to this vulnerability.

SCAP Sync tells you if you are vulnerable.

SCAP Sync tells you if you are vulnerable.

At the end of this series of questions, SCAP Sync unambiguously tells you if you are vulnerable to this CVE or not.

Conclusion

At Lunarline, we are huge fans of automation in cyber security, and therefore we think that SCAP is an awesome idea. At the same time, SCAP is not widely used by most security practitioners in their day-to-day work, whether they be CISOs, security analysts, SOC engineers, or sysadmins. We see a huge need to make SCAP more useful and relevant to the average security practitioner.

This CVE applicability feature is one small but important step in that direction. We hope you agree! If you have feedback, please leave a comment below.

About Mark Haase

Mark Haase is the head of product engineering at Lunarline. This is a fancy way of saying that he hires people smarter than him to do the real work, then basks in the glory naturally associated with all IT software.