GovLoop - Social Network for Government

Looking from the outside in, OpenSCAP and associated projects like Fedora's secstate look like a very positive direction for security in general, and especially compliance with STIGs and SRRs within the DoD.  I am excited to see the confluence of OVAL, CVE, CCE to a useful, actionable format in XCCDF.  A set of easy to use tools built around an extensible framework that describes both issues and remediation is nearly holy grail material in the security space.

Am I overly excited by these projects?  Is there real traction around NIST's push to SCAP?  Is HBSS gaining the sort of momentum it should be within DISA?  Will there be enough support behind the OSS implementations of SCAP to make this a "universal" tool inside and outside the government?

Thanks for your input!


Replies to This Discussion

As FISMA moves to something useful and actionable, and especially since SCAP represents the best hope we have for ongoing risk management, I think we'll see much greater uptake of SCAP generally, and OpenSCAP specifically. When open source and open standards work together, it's hard to beat.
Do you think that SCAP will be adopted in the new reporting requirements for agencies? Delivering XML over a secure transport with a standards-based XSD (like SCAP and its associated parts) seems to fit the bill quite well. It could take the focus off delivery / integration and onto creation / consumption of data. Or am I way off base?


© 2012   Created by GovLoop.
