Title :
Avoiding inconsistencies in the Security Content Automation Protocol
Author :
Fitzgerald, William M. ; Foley, Simon N.
Author_Institution :
Comput. Sci. Dept., Univ. Coll. Cork, Cork, Ireland
Abstract :
The Security Content Automation Protocol (SCAP) provides a standardized approach to specifying system configuration, vulnerability, patch and compliance management. SCAP comprises a family of existing standards, such as the Open Source Vulnerability Language (OVAL) and the Common Platform Enumeration (CPE). Defining new or extending existing SCAP content is non-trivial and potentially error-prone. For example, specifying a vulnerability in OVAL may appear straightforward; however, the challenge is to specify the vulnerability in such a way that it is consistent with respect to, not just other OVAL data, but also data described under any other standards in SCAP. This paper identifies a number of consistency problems that can occur in SCAP specifications and these are illustrated using examples from existing OVAL, CPE, CVE and CCE repositories. It is argued that an ontology-based approach can be used as a means of providing a uniform vocabulary for specifying SCAP data and its relationships. A SCAP ontology is developed based on Semantic Threat Graphs and it is argued that its use can help to ensure consistency across large-scale SCAP repositories.
Keywords :
automation; protocols; telecommunication security; SCAP content; common platform enumeration; compliance management; nontrivial; open source vulnerability language; patch management; potentially error-prone; security content automation protocol; semantic threat graphs; Computer crime; Linux; Ontologies; Routing; Semantics; Standards;
Conference_Title :
Communications and Network Security (CNS), 2013 IEEE Conference on
Conference_Location :
National Harbor, MD
DOI :
10.1109/CNS.2013.6682760