Are Alert Logic's Vulnerability Scans SCAP (Security Content Automation Protocol) validated?
Answered
-
Official comment
Alert Logic is always evaluating the requirements of our customers to find security standards to support. With the shifting landscape of compliance and security standards, we review our list of supported standards on a regular basis. SCAP is one of those standards that is being evaluated for possible inclusion.
-
The Alert Logic vulnerability scanning tools are not SCAP validated and not listed on the list of validated products and modules:
https://csrc.nist.gov/Projects/scap-validation-program/Validated-Products-and-Modules
However, Alert Logic uses the SCAP Content Professional feed from SecPod (https://www.secpod.com/scap-feed/). This feed, with over 160,000 vulnerability checks, is standards compliant with well-established standards, such as SCAP and STIX/TAXII. Specifically, Alert Logic vulnerability checks are based on the SCAP feed for OVAL checks during authenticated and agent-based scanning, as well as the NMAP Scripting Engine for network scanning.
In addition, Alert Logic customers use the scanning capabilities in Fortra VM for PCI ASV scanning. Fortra completes an annual PCI certification for being a PCI Approved Scanning Vendor (ASV): https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors