CISSP PRACTICE QUESTIONS – 20201129

Effective CISSP Questions

A plethora of vulnerabilities is discovered after conducting a vulnerability assessment against your company’s official web site. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best vehicle?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Security Content Automation Protocol (SCAP).

The Security Content Automation Protocol (SCAP) is a method of using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation of the systems deployed in an organization, for example to demonstrate compliance with FISMA (the Federal Information Security Management Act of 2002). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP. OpenSCAP is one example of an SCAP implementation.

To guard against security threats, organizations need to continuously monitor the computer systems and applications they have deployed, incorporate security upgrades to software, and deploy updates to configurations. The Security Content Automation Protocol (SCAP), pronounced “ess-cap” or, more commonly, “skap”, comprises a number of open standards that are widely used to enumerate software flaws and security-related configuration issues. Applications that conduct security monitoring use these standards when measuring systems to find vulnerabilities, and offer methods to score those findings in order to evaluate their possible impact. The SCAP suite of specifications standardizes the nomenclature and formats used by these automated vulnerability management, measurement, and policy compliance products.

Source: Wikipedia
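To make the SCAP description above concrete, here is an added example (written for this post, not part of the original article, Wikipedia, or OpenSCAP) of what one automated monitoring pass over a web server looks like in the SCAP model: OVAL-style patch definitions (package vulnerable when its installed version is older than the fixed version) and XCCDF-style configuration rules are evaluated against a snapshot of the host, the findings are ranked by score, and the patch findings are turned into the upgrade list an automated patch job would apply. The host inventory, definition IDs, CVE identifiers, and CVSS scores are all constructed placeholders, and the version comparison is a simplification of the platform-specific rules real OVAL content uses.

```python
"""Minimal SCAP-style evaluation: OVAL-like patch checks plus XCCDF-like
configuration rules, run against a constructed host snapshot.
Simplified model written for this page; not OpenSCAP or real SCAP content."""
import re
from dataclasses import dataclass


def parse_version(v):
    """Split '2.4.41-3' or '1.1.1f' into comparable tokens: numbers become
    ints, letter runs become strings. Numeric tokens sort before alphabetic
    ones, so '1.1.1' < '1.1.1f' and '1.1.1f' < '1.1.1k' (simplified rule)."""
    tokens = re.findall(r"\d+|[A-Za-z]+", v)
    return [(0, int(t)) if t.isdigit() else (1, t) for t in tokens]


def version_lt(a, b):
    """True when version string a is older than version string b."""
    return parse_version(a) < parse_version(b)


# Constructed OVAL-style "patch" definitions (IDs, CVEs and CVSS scores are
# placeholders, not real vulnerabilities): a package is affected when the
# installed version is older than fixed_in.
PATCH_DEFINITIONS = [
    {"id": "oval:example:def:1", "cve": "CVE-0000-0001", "package": "apache2",
     "fixed_in": "2.4.52", "cvss": 7.5},
    {"id": "oval:example:def:2", "cve": "CVE-0000-0002", "package": "openssl",
     "fixed_in": "1.1.1k", "cvss": 5.9},
    {"id": "oval:example:def:3", "cve": "CVE-0000-0003", "package": "libxml2",
     "fixed_in": "2.9.12", "cvss": 8.1},
]

# Constructed XCCDF-style configuration rules checked against a key/value
# snapshot of the web server's configuration (rule IDs are placeholders).
CONFIG_RULES = [
    {"id": "xccdf_example_rule_tls_min", "setting": "ssl_min_protocol",
     "expected": "TLSv1.2", "severity": "high"},
    {"id": "xccdf_example_rule_server_tokens", "setting": "server_tokens",
     "expected": "Prod", "severity": "low"},
]

# Constructed snapshot of the monitored web server.
HOST = {
    "packages": {"apache2": "2.4.41", "openssl": "1.1.1f", "libxml2": "2.9.13"},
    "config": {"ssl_min_protocol": "TLSv1.0", "server_tokens": "Prod"},
}

# Numeric score used to rank configuration findings beside CVSS-scored patches.
SEVERITY_SCORE = {"low": 3.0, "medium": 5.0, "high": 7.5}


@dataclass
class Finding:
    rule_id: str
    kind: str      # "patch" or "config"
    detail: str
    score: float   # CVSS base score for patches, mapped severity for config


def evaluate_patches(packages, definitions):
    """Apply each patch definition to the installed-package inventory."""
    findings = []
    for d in definitions:
        installed = packages.get(d["package"])
        if installed is None:
            continue  # package not installed: definition does not apply
        if version_lt(installed, d["fixed_in"]):
            findings.append(Finding(d["id"], "patch",
                f"{d['package']} {installed} < {d['fixed_in']} ({d['cve']})",
                d["cvss"]))
    return findings


def evaluate_config(config, rules):
    """Compare each configuration rule's expected value with the snapshot."""
    findings = []
    for r in rules:
        actual = config.get(r["setting"])
        if actual != r["expected"]:
            findings.append(Finding(r["id"], "config",
                f"{r['setting']}={actual!r}, expected {r['expected']!r}",
                SEVERITY_SCORE[r["severity"]]))
    return findings


def assess(host, definitions=PATCH_DEFINITIONS, rules=CONFIG_RULES):
    """One monitoring pass: every finding, highest score first."""
    findings = (evaluate_patches(host["packages"], definitions)
                + evaluate_config(host["config"], rules))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def patch_plan(findings, definitions=PATCH_DEFINITIONS):
    """Map patch findings to the package upgrades an automated job would apply,
    keeping the newest required version per package."""
    by_id = {d["id"]: d for d in definitions}
    plan = {}
    for f in findings:
        if f.kind != "patch":
            continue
        d = by_id[f.rule_id]
        current = plan.get(d["package"])
        if current is None or version_lt(current, d["fixed_in"]):
            plan[d["package"]] = d["fixed_in"]
    return plan


if __name__ == "__main__":
    results = assess(HOST)
    for f in results:
        print(f"{f.score:>4}  {f.kind:<6} {f.rule_id}: {f.detail}")
    print("patch plan:", patch_plan(results))
```

Running the block against the constructed snapshot reports three findings (the outdated apache2 and openssl packages and the TLS 1.0 minimum) and skips libxml2, whose installed version is already newer than the fix; the patch plan that results is what a "continuous monitoring plus automated patching" pipeline would hand to the package manager, which is the gap the other three answer options do not fill on their own.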

DevOps

In 2009, the first conference named devopsdays was held in Ghent, Belgium. The conference was founded by Belgian consultant, project manager and agile practitioner Patrick Debois. The conference has now spread to other countries.

DevOps is a set of practices that combines software development (Dev) and IT operations (Ops). It aims to shorten the systems development life cycle and provide continuous delivery with high software quality. DevOps is complementary with Agile software development; several DevOps aspects came from Agile methodology.

Academics and practitioners have not developed a unique definition for the term “DevOps”. The term DevOps, however, has been used in multiple contexts.

Source: Wikipedia

Continuous Deployment (CD)

Continuous deployment (CD) is a software engineering approach in which software functionalities are delivered frequently through automated deployments. CD contrasts with continuous delivery, a similar approach in which software functionalities are also frequently delivered and deemed to be potentially capable of being deployed but are actually not deployed.

Source: Wikipedia

Change Control

Change control within quality management systems (QMS) and information technology (IT) systems is a process, either formal or informal, used to ensure that changes to a product or system are introduced in a controlled and coordinated manner. It reduces the possibility that unnecessary changes will be introduced to a system without forethought, introducing faults into the system or undoing changes made by other users of the software. The goals of a change control procedure usually include minimal disruption to services, a reduction in back-out activities, and cost-effective use of the resources involved in implementing the change.

Source: Wikipedia

Reference

A BLUEPRINT FOR YOUR SUCCESS IN CISSP

My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

After conducting a vulnerability assessment against your company's official website, a large number of vulnerabilities are discovered. You decide to implement continuous monitoring over the web server and automate the patching process. Which of the following is the best tool?
A. DevOps
B. Change control
C. Continuous deployment
D. Security Content Automation Protocol (SCAP)
