Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

7/23/2010
03:25 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Core Security Gains NIST SCAP Validation

IMPACT Pro users can now export information in an XML format using SCAP standards

BOSTON, MA – July 21, 2010 – Core Security Technologies, the market’s leading provider of IT security testing solutions, today announced that its CORE IMPACT Pro automated penetration testing solution has been officially validated by the National Institute of Standards and Technology (NIST) as conforming to the Security Content Automation Protocol (SCAP) and its component standards.

First conceived by NIST and the National Security Agency (NSA) as a common format for exchanging IT security data, SCAP specifically comprises a suite of specifications used for organizing and expressing security-related information in standardized manner.

Derived from input solicited from across the government sector, SCAP integrates a number of open standards used to enumerate software vulnerabilities and configuration issues to enable automated vulnerability management, measurement, and policy compliance evaluation – specifically related to mandates including the Federal Information Security Management Act (FISMA).

IMPACT Pro users can now export information in an XML format using SCAP standards to help with continuous monitoring, vulnerability data management and security assessment, thereby meeting their expanded interoperability needs and streamlining their overarching vulnerability management efforts.

“SCAP was created to help government organizations bridge their security assessment and vulnerability management efforts across multiple processes, technologies and solutions, and as Core IMPACT helps people lend greater speed and consistency to their work in identifying and addressing real-world risks, we’re very proud to gain this validation from NIST,” said Fred Pinkett, vice president of Product Management at Core. “We’ll continue to embrace the standards and recommendations coming out of NIST and other influential government organizations to ensure that our customers feel confident that we’re helping them stay ahead of their security testing requirements.”

In support of SCAP, IMPACT Pro v10.5 incorporates the following data into its reports and is also able to export the data in XML format for use in centralized security databases:

Common Vulnerabilities and Exposures (CVE) Numbers

Common Vulnerability Scoring System (CVSS) Ratings

Common Platform Enumeration (CPE)

NIST officials have also said repeatedly that their security automation agenda is far broader than the vulnerability management application of modern day SCAP, encompassing many different security activities and disciplines that can benefit from standardized expression and reporting of vulnerability data – including compliance, remediation, and network monitoring.

Industry leaders spanning both the public and private sectors have endorsed broader adoption of SCAP as an important opportunity for government organizations to markedly improve their ability to identify, test and remediate their critical points of IT risk.

“SCAP represents a significant step forward in strengthening the public/private partnership needed to improve our nation's cyber security,” said Marcus Sachs, the executive director for National Security and Cyber Policy at Verizon who works closely with government and business stakeholders in Washington as part of the National Security/Emergency Preparedness (NS/EP) community.

“Neither the government, academia, nor the private sector can secure cyberspace by themselves, it really is a team effort,” said Sachs, who is also secretary of the U.S. Communications Sector Coordinating Council and director of the SANS Internet Storm Center. “Initiatives like SCAP streamline the process of exchanging technical information between the organizations and companies working together to mutually protect all of us online.”

About Core Security Technologies Core Security Technologies enables organizations to both get ahead of threats and bridge the gap between security data and critical business risks. Using our test and measurement solutions, security professionals proactively validate their security controls while revealing actual risk paths that traverse IT layers to expose critical assets. As a result, our customers gain unprecedented visibility into threats to the business, while measuring risk on a continual basis. Core’s security testing and measurement solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, Mass. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at: http://www.coresecurity.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.