As the free versions of commercial vulnerability management products do not provide compliance scanning options, we can use freely available tools such as SCC (from DISA) and CIS-CAT Lite (from CIS) from a learning perspective.
I have created a document depicting the use of SCC from DISA. You can Google the basic concepts, such as CIS, DISA, STIG, SRG, CIS Benchmarks, SCAP, OVAL, CVE, CPE, XCCDF, CCE, OCIL, etc.
I find the Wikipedia definition perfect: "SCAP comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security. Applications which conduct security monitoring use the standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate the possible impact. The SCAP suite of specifications standardizes the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.
A vendor of a computer system configuration scanner can get their product validated against SCAP, demonstrating that it will interoperate with other scanners and express the scan results in a standardized way."
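As an added illustration of the "standardized way" of expressing scan results that the definition mentions (this is example code written for this post, not part of SCC or any other tool), here is a small Python parser over a constructed XCCDF 1.2 TestResult of the kind SCAP-validated scanners such as SCC write. The benchmark and rule ids, the host name and the score are made-up sample values.

```python
# Added example: parse a constructed XCCDF 1.2 TestResult and summarise it.
import xml.etree.ElementTree as ET
from collections import Counter

# XCCDF 1.2 namespace used by SCAP result documents.
XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed sample (not real scanner output): three rule results and a score.
SAMPLE_RESULT = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo" start-time="2024-01-01T00:00:00">
    <target>host.example.invalid</target>
    <rule-result idref="xccdf_example_rule_ssh_protocol" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_ntp" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100.0">50.0</score>
  </TestResult>
</Benchmark>
"""


def summarize_xccdf(xml_text):
    """Return the target, per-result counts, failed (rule, severity) pairs and the reported score."""
    root = ET.fromstring(xml_text)
    test_result = root.find("x:TestResult", XCCDF_NS)
    if test_result is None:
        raise ValueError("no TestResult element found")
    counts = Counter()
    failures = []
    for rr in test_result.findall("x:rule-result", XCCDF_NS):
        result = rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS)
        counts[result] += 1
        if result == "fail":
            failures.append((rr.get("idref"), rr.get("severity", "unknown")))
    score_el = test_result.find("x:score", XCCDF_NS)
    score = float(score_el.text) if score_el is not None and score_el.text else None
    target = test_result.findtext("x:target", default="", namespaces=XCCDF_NS)
    return {"target": target, "counts": dict(counts), "failures": failures, "score": score}


if __name__ == "__main__":
    print(summarize_xccdf(SAMPLE_RESULT))
```

Because every SCAP-validated scanner emits the same XCCDF elements, the same summariser works on results from different tools, which is the interoperability point the definition makes.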
The point of this post is that free tools, resources and videos are available; let's make use of them and come out of the mindset that we can learn only once we join some organization. I agree, there is no substitute for industry experience, but nobody can stop you from learning. Let's create labs, read documentation, demonstrate PoCs, and share the knowledge we gain with the community. Thanks to all content creators on YouTube and LinkedIn; I have learned a lot from you and I am still learning.
Happy Learning!!