Use of vulnerabilities information in output

General support questions for the Secutor Prime product.
blankind
Contributor
Posts: 10
Joined: Tue Feb 09, 2010 8:32 am

Post by blankind » Tue Feb 09, 2010 9:06 am

I have noticed that there is a vulnerabilities check that is run by Secutor Prime Standard (version 3, build 3015) at least when running on Windows Vista. I am finding that with the NIST FDCC Q4 2009 VHD with Office Professional 2007 installed, only 1866 of the 1944 vulnerability tests pass. Is this simply information provided as a convenience that doesn't necessarily impact a formal statement of FDCC compliance?

gunnar
Site Admin
Posts: 81
Joined: Fri Feb 23, 2007 8:08 pm

Post by gunnar » Tue Feb 09, 2010 9:43 pm

Secutor Prime includes the ability to run a full suite of vulnerability tests based on the Open Vulnerability and Assessment Language (OVAL: http://oval.mitre.org/ ), which implements the suite of known vulnerability tests tracked by the National Vulnerability Database (NVD: http://nvd.nist.gov/ ) for multiple platforms.

This additional functionality is provided in the Secutor line of products as part of more thorough security assessment tools, but the OVAL scoring is not currently part of the FDCC compliance.

Note, however, that the majority of vulnerabilities enumerated in the NVD have vendor remedies, usually in the form of a software patch, and incomplete patching is reflected in the FDCC score.

In the case of Microsoft Office vulnerabilities, most missing patches will not show up when running the Operating System benchmark (e.g., "fdcc-winvista-xccdf.xml"), but should be reflected in the Office benchmark.

blankind
Contributor
Posts: 10
Joined: Tue Feb 09, 2010 8:32 am

Post by blankind » Wed Feb 10, 2010 6:50 am

Thanks for the information on OVAL. I am going to check with my internal contact to see whether we are seeking just FDCC certification or whether we need to adhere to any of the OVAL standards.
