RE: SCAP Tool V2.0

17 views
Skip to first unread message

Ma, Dan N CIV TRANSCOM TCJ6 (USA)

unread,
Sep 21, 2021, 4:28:04 PMSep 21
to Fitzgerald-McKay, Jessica M CIV (USA), sc...@nist.gov, scap...@nist.gov
Hi Ms Fitzgerald-McKay!
I got your name from the NIST Cybersecurity White Paper on the SCAP tool. If you don't mind, would you answer my questions below. Thanks



-----Original Message-----
From: Ma, Dan N CIV TRANSCOM TCJ6 (USA)
Sent: Monday, September 21, 2020 4:04 PM
To: sc...@nist.gov
Subject: SCAP Tool V2.0

Hi!
1) please tell if the SCAP Tool version 2.0 is the latest release?

2) Could this release be used to scan for vulnerabilities in the COTS products like Web, App, DB server,....? Or the SCAP v2.0 is still limited to detect vulnerabilities in the OS (Windows, Red Hat, Apple OS)?

2.1) I think NIST should further develop the SCAP tool to include ability to scan for vulnerabilities in the COTS products. That would make a lot of system administrators happy.

3) Is the tools offered at open-scap.org on par with your SCAP tool?
Thank you.



______________
Systems Engineer
Phone: 618-220-5989
Dan.N....@mail.mil




Jonathan Goetsch

unread,
Sep 21, 2021, 4:55:46 PMSep 21
to Ma, Dan N CIV TRANSCOM TCJ6 (USA), sc...@nist.gov, scap...@nist.gov
Dan,
If you are planning to integrate a DHS style CDM (https://www.cisa.gov/cdm)
Cybersecurity capability, you may want to consider the following integrated
Cybersecurity capabilities found in ANAMO, a fully integrated commercial CDM
Cybersecurity platform, delivered as a SaaS.

As seen at The White House and the Pentagon: Here's what it does:

Anamo handles 100% of the COTS (macOS, Windows (both Server and
Workstation), and Linux:

1. Asset Management
2. Vulnerability Management
3. Attack Surface Management
4. Identity Access Management
5. Security Incident Event Management
6. Cybersecurity Risk Data Management
7. FileTree/Permissions/Port Management
8. User & Group Modification Management

Anamo handles COTS "minimum essential" benchmarking and deep software
vulnerability analytics, separated into the OS, Patch and Kernel levels -
using:
1. Anamo AI Algorithms
2. Microsoft KB Updates
3. NVD Updates
4. CIRCL CVE
5. HYDRA API (for Red Hat)
6 Other (undisclosed)

Anamo "CDM Fundamentals Plus" is currently commercially available only to
select private sector applicants and the GSA has provided provisional SIN's,
pending final vetting, etc.

For mor information, reply privately.

Regards,
Jonathan


Jonathan Goetsch
President & CEO
US ProTech & Anamo
Phone: 949-629-3900 x 225
Jonathan...@Anamo.io
--
To post to this group, send email to scap...@list.nist.gov
To unsubscribe from this group, send email to
scap-dev+u...@list.nist.gov
Visit this group at https://list.nist.gov/scap-dev
---
To unsubscribe from this group and stop receiving emails from it, send an
email to scap-dev+u...@list.nist.gov.
1 AA Anamo Dashboard ASM Crop.jpg

Landfield, Kent (Enterprise)

unread,
Sep 21, 2021, 5:03:52 PMSep 21
to Jonathan Goetsch, Ma, Dan N CIV TRANSCOM TCJ6 (USA), sc...@nist.gov, scap...@nist.gov
Please do us a favor and do not send blatent advertising to SCAP related lists. If you wanted to respond you should have done that directly. Spamming hundreds or thousands for your self serving purposes is unprofessional.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt,Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
+1.817.637.8026
kent_la...@mcafee.com


On 9/21/21, 3:55 PM, "scap...@list.nist.gov on behalf of Jonathan Goetsch" <scap...@list.nist.gov on behalf of j...@usprotech.com> wrote:

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Anthony Borelli

unread,
Sep 21, 2021, 5:05:34 PMSep 21
to scap...@list.nist.gov, jessica.m.fitzg...@mail.mil, sc...@nist.gov, scap...@nist.gov
On the DB side of this question, the STIGs themselves do not come with SCAP compliant benchmarks, and so SCAP tools cannot provide SCAP results for (as an example) SQL Server STIGs.

Non-SCAP vulnerability scanning tools exist, including my own Automated SQL Security Evaluation Tool (ASSET), that can scan SQL Server and produce SQL 2014 or 2016 checklists.  If you would like to see it in action let me know offline and I can provide a trial version for free.

Regards,

Anthony Borelli
Borelli Security Software Inc.



-----Original Message-----
From: 'Ma, Dan N CIV TRANSCOM TCJ6 (USA)' via SCAP Discussion and Development <scap...@list.nist.gov>
To: Fitzgerald-McKay, Jessica M CIV (USA) <jessica.m.fitzg...@mail.mil>
Cc: 'sc...@nist.gov' <sc...@nist.gov>; scap...@nist.gov <scap...@nist.gov>
Sent: Tue, Sep 21, 2021 3:28 pm
Subject: [scap-dev] RE: SCAP Tool V2.0

--
To post to this group, send email to scap...@list.nist.gov
To unsubscribe from this group, send email to scap-dev+unsub...@list.nist.gov
Visit this group at https://list.nist.gov/scap-dev
---
To unsubscribe from this group and stop receiving emails from it, send an email to scap-dev+unsub...@list.nist.gov.

Jonathan Goetsch

unread,
Sep 21, 2021, 5:39:09 PMSep 21
to Landfield, Kent (Enterprise), sc...@nist.gov, scap...@nist.gov, Ma, Dan N CIV TRANSCOM TCJ6 (USA)
If you aspire to be professional one day then you should act like one
yourself. This would include the old adage "praise in public... and punish
in private."

Very happy to take this chat off-line with you, anytime - unless someone
kicked your cat or you just need to remain being a jerk.

Bryan, Clifton W CIV USN (USA)

unread,
Sep 21, 2021, 5:57:57 PMSep 21
to Jonathan Goetsch, Landfield, Kent (Enterprise), sc...@nist.gov, scap...@nist.gov, Ma, Dan N CIV TRANSCOM TCJ6 (USA)
This is why we can't have nice things.
(https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fwww.cisa.gov%2Fcdm&amp;data=04%7C01%7Cclifton.w.bryan.civ%40us.navy.mil%7C5a1df0e6585b4572b55408d97d4846a4%7Ce3333e00c8774b87b6ad45e942de1750%7C0%7C0%7C637678571648424373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=pfye9biHLzss1rFxNqAV9Ps4Eoa1QH0iJruOiItGMrE%3D&amp;reserved=0)
Visit this group at https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fno-click.mil%2F%3Fhttps%3A%2F%2Flist.nist.gov%2Fscap-dev&amp;data=04%7C01%7Cclifton.w.bryan.civ%40us.navy.mil%7C5a1df0e6585b4572b55408d97d4846a4%7Ce3333e00c8774b87b6ad45e942de1750%7C0%7C0%7C637678571648424373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=dclfRTl3MZGkjcpC1dMnpCC2B71JrCEDEIkC2YQv4Sg%3D&amp;reserved=0
---
To unsubscribe from this group and stop receiving emails from it, send an
email to scap-dev+u...@list.nist.gov.

--
To post to this group, send email to scap...@list.nist.gov
To unsubscribe from this group, send email to
scap-dev+u...@list.nist.gov
Visit this group at https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fno-click.mil%2F%3Fhttps%3A%2F%2Flist.nist.gov%2Fscap-dev&amp;data=04%7C01%7Cclifton.w.bryan.civ%40us.navy.mil%7C5a1df0e6585b4572b55408d97d4846a4%7Ce3333e00c8774b87b6ad45e942de1750%7C0%7C0%7C637678571648424373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=dclfRTl3MZGkjcpC1dMnpCC2B71JrCEDEIkC2YQv4Sg%3D&amp;reserved=0
---
To unsubscribe from this group and stop receiving emails from it, send an email to scap-dev+u...@list.nist.gov.

--
To post to this group, send email to scap...@list.nist.gov To unsubscribe from this group, send email to scap-dev+u...@list.nist.gov
Visit this group at https://usg01.safelinks.protection.office365.us/?url=https%3A%2F%2Fno-click.mil%2F%3Fhttps%3A%2F%2Flist.nist.gov%2Fscap-dev&amp;data=04%7C01%7Cclifton.w.bryan.civ%40us.navy.mil%7C5a1df0e6585b4572b55408d97d4846a4%7Ce3333e00c8774b87b6ad45e942de1750%7C0%7C0%7C637678571648424373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=dclfRTl3MZGkjcpC1dMnpCC2B71JrCEDEIkC2YQv4Sg%3D&amp;reserved=0

Landfield, Kent (Enterprise)

unread,
Sep 21, 2021, 9:05:20 PMSep 21
to Jonathan Goetsch, sc...@nist.gov, scap...@nist.gov, Ma, Dan N CIV TRANSCOM TCJ6 (USA)
Oh, you are one of those... when corrected instead apologizing and moving on, you have to lash back... Happy to talk offline. Just remember, I said "Please" and "Thank you"... __. Have a good life.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt,Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
+1.817.637.8026
kent_la...@mcafee.com


Stephen Banghart

unread,
Sep 22, 2021, 10:19:53 AMSep 22
to SCAP Discussion and Development, Landfield, Kent (Enterprise), sc...@nist.gov, scap...@nist.gov, Ma, Dan N CIV TRANSCOM TCJ6 (USA), Jonathan Goetsch
Jonathan,

I would recommend following your own advice in the future, and avoid calling people "jerks" on public NIST-managed mailing lists. This is your first and last warning.

Thanks,
Stephen Banghart

Visit this group at https://list.nist.gov/scap-dev
---
To unsubscribe from this group and stop receiving emails from it, send
an

--
To post to this group, send email to scap...@list.nist.gov
To unsubscribe from this group, send email to
Visit this group at https://list.nist.gov/scap-dev
---
To unsubscribe from this group and stop receiving emails from it, send
Reply all
Reply to author
Forward
0 new messages