2 Replies Latest reply on Feb 12, 2015 12:44 PM by Edward Finneran

    Technologies and approaches the group should endorse and recommend

    Edward Finneran


      In support of other initiatives that folks have identified, I believe that, in order to be able to completely, uniquely, and accurately define a vulnerability or set of configuration items that need to be set in order to be compliant with a customer's internal security policies, or externally-driven regulatory requirements, something like SCAP is a step in the right direction.

       

      SCAP is a standard methodology promulgated by the National Institute of Standards. It is closely related to the overall CVE definitions that a lot of people are familiar with. It has a few different versions, but includes 6 inter-related XML standards in order to accomplish this communication.

       

      There are various tools out there that are compliant with one or more of the SCAP versions. BMC's BladeLogic Server Automation (BSA) is one of them. I believe SCAP 1.2 compliance is added in BSA 8.6. I will add the caveat that I have not looked at BSA's SCAP capabilities yet, but it is on my short list of things I'd like to do.

       

      Thank you.

       

      Edward Finneran

      Cloud and Automation Engineering

      The Hartford
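As an added illustration of what the post is describing (this is example code, not part of Edward's post and not BSA's or any BMC tooling), the snippet below shows one of the SCAP XML pieces, XCCDF 1.2, in action: a small constructed benchmark that defines configuration rules, points each at an OVAL check, and carries a TestResult from a scan. The Python reads the result document and summarises which rules passed or failed per severity, which is the kind of output you would feed back to an auditor. The rule IDs, the CCE identifier, the OVAL definition name and the host name are all made-up sample values; the XCCDF namespace and element names are the real ones from the standard.

```python
"""Summarise an XCCDF 1.2 TestResult: which rules passed, failed, or were skipped.

Added example; the benchmark below is a constructed sample, not real SCAP content.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace prefix map for ElementTree queries (XCCDF 1.2 default namespace).
XCCDF_NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample: three rules, one of which references an OVAL check,
# plus the TestResult a scanner would append after evaluating a host.
SAMPLE_XCCDF = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.example_benchmark_demo">
  <status>draft</status>
  <title>Constructed sample hardening checklist</title>
  <version>0.1</version>
  <Group id="xccdf_org.example_group_ssh">
    <title>SSH settings</title>
    <Rule id="xccdf_org.example_rule_sshd_root_login" selected="true" severity="high">
      <title>Disable direct root login over SSH</title>
      <ident system="http://cce.mitre.org">CCE-SAMPLE-0001</ident>
      <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
        <check-content-ref href="sample-oval.xml" name="oval:org.example:def:1"/>
      </check>
    </Rule>
  </Group>
  <Rule id="xccdf_org.example_rule_ntp_enabled" selected="true" severity="medium">
    <title>Time synchronisation service enabled</title>
  </Rule>
  <Rule id="xccdf_org.example_rule_banner_text" selected="true" severity="low">
    <title>Login banner configured</title>
  </Rule>
  <TestResult id="xccdf_org.example_testresult_run1"
              start-time="2015-02-12T12:00:00" end-time="2015-02-12T12:01:00">
    <target>host-a.sample.internal</target>
    <rule-result idref="xccdf_org.example_rule_sshd_root_login" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_ntp_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_org.example_rule_banner_text" severity="low">
      <result>notchecked</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_results(xml_text):
    """Return one dict per rule-result, joined with the rule's title from the benchmark."""
    root = ET.fromstring(xml_text)
    # Rules may sit directly under the Benchmark or inside nested Groups, so search deep.
    titles = {
        rule.get("id"): rule.findtext("xccdf:title", default="", namespaces=XCCDF_NS)
        for rule in root.iterfind(".//xccdf:Rule", XCCDF_NS)
    }
    results = []
    for rr in root.iterfind(".//xccdf:TestResult/xccdf:rule-result", XCCDF_NS):
        rule_id = rr.get("idref")
        results.append({
            "rule": rule_id,
            "title": titles.get(rule_id, "(rule not in benchmark)"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("xccdf:result", default="unknown", namespaces=XCCDF_NS),
        })
    return results


def summarize(results):
    """Count outcomes (pass, fail, notchecked, error, ...) across all rule-results."""
    return Counter(r["result"] for r in results)


def failing_rules(results):
    """Rules that actually failed, ordered high -> medium -> low for triage."""
    order = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
    fails = [r for r in results if r["result"] == "fail"]
    return sorted(fails, key=lambda r: order.get(r["severity"], 99))


def pass_fraction(results):
    """Simple pass / (pass + fail) ratio; rules that were not checked are excluded.

    Note: this is NOT the XCCDF default scoring model, just a quick health number.
    """
    counts = summarize(results)
    checked = counts["pass"] + counts["fail"]
    return counts["pass"] / checked if checked else 0.0


if __name__ == "__main__":
    res = parse_results(SAMPLE_XCCDF)
    print("outcomes:", dict(summarize(res)))
    for r in failing_rules(res):
        print(f"FAIL [{r['severity']}] {r['rule']}: {r['title']}")
    print(f"pass fraction over checked rules: {pass_fraction(res):.0%}")
```

Two practical notes: a real scanner's result file will also carry "notapplicable", "error" and "unknown" outcomes, and those are worth surfacing separately from "fail", since an unchecked rule is an audit gap rather than a finding; and because result files come from the scanned hosts, parse them with an XML parser that does not resolve external entities (Python's ElementTree does not by default).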