Over the past few months, we have been methodically adding bits and pieces to SCAP Sync. A blog post detailing all of our changes is long overdue, so I would like to catch you up on what we have been doing! We have introduced some new security changes and we are synchronizing lots of new data sources in order to provide a more comprehensive database of SCAP content.
The most apparent new changes in SCAP Sync revolve around site security. The first thing you will notice is that the service is not available by HTTP anymore; it is only available by HTTPS. To ease this transition, we have put permanent redirects from our HTTP sites to the HTTPS sites.
Permanent HTTPS may seem like overkill for a site that merely syndicates security content, but we believe it is necessary for the future of SCAP Sync and, therefore, there’s no reason not to start doing it right now. Requiring HTTPS protects the confidentiality of your usage of SCAP Sync, possibly preventing information leaks to any man-in-the-middle attacker who is trying to guess what kinds of security problems you are currently dealing with.
Moreover, requiring SSL protects the integrity of the SCAP content that you retrieve from our site. In the automated cybersecurity future that we envision, timely access to accurate security content will be essential for maintaining a strong risk posture. An attacker may be able to blind you to a particularly weakness if that attacker can manipulate the stream of security content that you are basing your decisions on. Therefore, we are taking proactive steps now to make SCAP Sync safer and more secure.
Rate Limits & Authentication
We have also introduced some new API rate limits to prevent abuse of the SCAP Sync API. Anonymous users are allowed 100 API requests per day. You can increase your quota to 1000 requests per day simply by registering for a free account on SCAP Sync. If you require more than 1000 requests per day, please contact us and we will negotiate higher quotas for your account or for your whole organization. You can find more technical details about the API rate limit here: https://scapsync.com/api/rate_limit.html.
In order to register for a free account, just click on the “Log In” button in the top right corner of any page. You will be prompted to log in using your Google account. (We plan to offer expanded support for other OpenID providers in the near future.) On your first login, you will be presented with terms of service and some configuration options for your account.
One of our new data sources is called Common Attack Pattern Enumeration and Classification (CAPEC). This is a high-level standard that documents and categorizes the security concepts behind exploitation. The standard provides a taxonomy for attack methods such as reconnaissance, spoofing, privilege escalation, etc.
Attack patterns are mapped to weaknesses (CWE) and vice-versa, so that you can use SCAP Sync to research how an attacker will attempt to exploit a certain weakness.
Another new data source is called Open Vulnerability and Assessment Language (OVAL). OVAL is a popular and widely used protocol for defining automated ways to assess computers and devices for specific configurations or vulnerabilities. Many popular vulnerability and configuration scanners support OVAL, but they require you to obtain the OVAL content separately. Now with SCAP Sync, you can find all of the OVAL content you need all in one place.
This OVAL data is also accessible through our REST API. Instead of finding OVAL content on your own and then loading it into your vulnerability scanner by hand, you can use our API to automate this tedious process! We will be publishing another blog post soon showing an example of combining OVAL data from the REST API with an open source OVAL interpreter.
The third – and perhaps most exciting – new data source is Default Password Enumeration (DPE). This standard is not a formal part of the SCAP suite of standards, but it’s such a great idea that we immediately recognized the value of integrating it into SCAP Sync. DPE was conceived and created by Nabil Ouchn (who is also the maintainer toolswatch.org) as a way to capture known default passwords for all types of software and computing equipment in a machine-readable format. The DPE standard links default passwords to specific products using the CPE protocol, thus providing tight integration with SCAP.
Here’s an example of a RedHat Linux CPE that is annotated with default password data from DPE.
If you’re a pen tester, you’ve probably spent time Googling default passwords for the devices you find during your recon scans. By integrating DPE with our REST API, it is now possible to write scripts that automatically retrieve those default passwords in a few seconds!
One of the primary goals of SCAP Sync is to provide a centralized repository of SCAP content that is always up to date, and to provide that content back to the community in a variety of useful formats. All of the content discussed in this article is displayed on our easy-to-use web site; it is also available in XML and JSON formats via our REST API.
We encourage feedback! Please leave a comment below if you have suggestions on how to improve SCAP Sync.