Vendor Provided Validation Details - SignaCert Enterprise Trust Server 4.0

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Implementation

SignaCert asserts that the Enterprise Trust Server (ETS) version 4.0 product operates correctly on FDCC configured Microsoft Windows XP and Vista systems and does not require a change to FDCC settings in order to install and operate the ETS.

Statement of SCAP Implementation

SignaCert's Enterprise Trust Server (ETS) enables government and enterprise customers to centrally manage, assess, and report on SCAP compliance using industry standard SCAP expressed data streams. The ETS implements the following SCAP specifications: XCCDF, OVAL, CCE, CVE, CPE, and CVSS. Specifically, the ETS provides mechanisms for importing benchmarks (XCCDF) and vulnerability assessment (OVAL) documents. The import process generates a policy and tests that are used to evaluate the target device. The compliance results, scores, and related CVE and CCE identifiers can be viewed in the web console and summary, detailed, and historical reports. The ETS supports HTML, PDF, and XML report formats, as well as the XCCDF and OVAL results formats.

Unique to SignaCert, customers can simultaneously assess file system, registry, database, and virtual machine image state against common references to validate that the same software and configuration settings are deployed across multiple devices and domains. The SignaCert architecture is extensible and device-agnostic enabling new types of data to be modeled, assessed, and reported on.

SignaCert's verification process makes use of both a local and global content repository consisting of authentic software reference measurements and provides both summary and detailed reports on observed compliance. SignaCert's Global Trust Repository (GTR) is the world's largest known-provenance database of software measurements and is built to industry standards with participation from leading software vendors. The ability to correlate deviations with references defined in the ETS and GTR enables customers to quickly determine what changed and whether the change was intended (as part of an authorized change process) or not.

Statement of CVSS Implementation

CVSS is a vulnerability scoring system designed to provide an open and standardized method for rating IT vulnerabilities. CVSS helps organizations prioritize and coordinate a joint response to security vulnerabilities by communicating the base, temporal and environmental properties of a vulnerability (http://www.first.org/cvss).

SignaCert's Enterprise Trust Server (ETS) provides CVSS support via direct links to each Common Vulnerabilities and Exposures (CVE) issue identified during a scan. Following a given CVE hyperlink will display the details, including the CVSS severity score, via the National Vulnerability Database (NVD). Additionally, the ETS provides a variety of reports which consolidate the full list of CVEs discovered during a scan into a single list of hyperlinked CVE identifiers, each of which links to the detailed description of the CVE including its CVSS severity score.

ETS reports can be generated on a scheduled basis and either emailed to one or more recipients, or included in an at-a-glance dashboard used to quickly assess the exposure of one or more sets of devices.

Statement of CVE Implementation

Common Vulnerabilities and Exposures (CVE) Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities (http://cve.mitre.org/).

When a benchmark (XCCDF) or vulnerability assessment (OVAL) is imported into SignaCert's Enterprise Trust Server (ETS), a test is created for each XCCDF rule or OVAL definition, and CVE identifiers and hyperlinks are added to the test as metadata. The CVE identifiers link directly to the MITRE CVE database where a full description of the vulnerability is available, as well as any recommended remediation steps.

The ETS displays CVE identifiers and hyperlinks with test failures in the console, as well as detailed report output formats.

Users can also perform searches in the ETS console using CVE identifiers, for example to identify specific vulnerabilities that either currently exist or existed at some time in the past.

User-defined dashboards can be created and customized to display vulnerability specific information. Additional reports can be created and linked to from the dashboard providing at-a-glance summary and detailed information including CVE identifiers and hyperlinks.

Statement of CCE Implementation

CCE™ provides unique identifiers to system configuration issues in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools (http://cce.mitre.org/). CCE identifiers are often used in best-practice documents, checklists, and configuration assessment tools.

When a benchmark (XCCDF) or vulnerability assessment (OVAL) is imported into SignaCert's Enterprise Trust Server (ETS), a test is created for each XCCDF rule or OVAL definition, and CCE identifiers are added to the test as metadata. The ETS displays CCE identifiers with test failures in the console, as well as detailed report output formats.

Users can also perform searches in the ETS console using CCE identifiers, for example to identify specific configuration issues that either currently exist or existed at some time in the past.

User-defined dashboards can be created and customized to display configuration specific information. Additional reports can be created and linked to from the dashboard providing at-a-glance summary and detailed information including CCE identifiers.

Statement of CPE Implementation

CPE™ is a structured naming scheme for information technology systems, platforms, and packages. Based upon the generic syntax for Uniform Resource Identifiers (URI), CPE includes a formal name format, a language for describing complex platforms, a method for checking names against a system, and a description format for binding text and tests to a name (http://cpe.mitre.org/).

SignaCert's Enterprise Trust Server (ETS) uses CPE information to determine which platforms are applicable for a given XCCDF benchmark. ETS evaluates the device against the CPE information contained in the benchmark, profiles, groups, and rules, to determine the applicability of each rule. Only rules that are applicable contribute to the overall default and flat score as described in the XCCDF specification. Specifically, "not applicable" rules are treated as though they were not "selected" for that device, and do not contribute to or reduce the overall score.

This functionality enables an assessment to be performed on a group of devices using a shared set of policies, and only tests that apply to the device will be performed.

Statement of OVAL Implementation

Open Vulnerability and Assessment Language (OVAL®) is an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services (http://oval.mitre.org/oval/about/index.html).

SignaCert's Enterprise Trust Server (ETS) can perform vulnerability assessment using industry standard OVAL documents. During OVAL import, the ETS validates the document and captures relevant metadata such as CVE and CCE information for subsequent display and reporting.

The import process generates an OVAL policy and a set of tests – one test per definition contained in the document. The policy can be applied to one or more devices or device groups and individual tests can be enabled or disabled. Both policies and tests can be managed hierarchically.

The SignaCert Client contains an OVAL interpreter that performs compliance checking. The Client evaluates the definitions, generates OVAL results, and sends all of the information to the ETS, where it is processed and stored.

The ETS console displays OVAL results and provides the ability to generate summary and detailed OVAL reports, which can be used to prove current and historical compliance. The ETS also preserves the original OVAL results, which can be exported at any time.

Statement of XCCDF Implementation

XCCDF is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems (http://scap.nist.gov/specifications/xccdf/index.html).

SignaCert's Enterprise Trust Server (ETS) can perform compliance checking using industry standard XCCDF benchmarks either as an SCAP expressed data stream or stand-alone documents.

During XCCDF import, the ETS validates the benchmark and performs the loading and traversal phases as described in the XCCDF specification. As such it resolves profiles, groups, rules, and values, applies selectors, and resolves properties according to the appropriate inheritance model. It also captures relevant metadata such as CVE and CCE information for subsequent display and reporting.

The import process generates an XCCDF policy and a set of tests – one test per rule contained in the benchmark. The policy can be applied to one or more devices or device groups and individual tests can be enabled or disabled. Both policies and tests can be managed hierarchically.

The SignaCert Client contains an XCCDF interpreter that performs compliance checking. The Client evaluates the CPE definitions in the XCCDF benchmark to determine which rules are applicable for the platform on which the Client is running. The Client evaluates the rules using the specified check system, including exporting any necessary variables to the check system. The Client captures the resulting check system results, generates XCCDF results, calculates the default and flat scores, and sends all of the information to the ETS, where it is processed and stored.
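The two steps described above, CPE applicability (see the CPE statement) feeding the XCCDF default and flat score calculation, as an added worked example that is not SignaCert code; the benchmark tree, rule results and CPE names are constructed sample data, and treating a "fixed" result like "pass" is an assumption.

```python
# Added illustration of XCCDF scoring with CPE applicability (not SignaCert code).
UNCOUNTED = {"notapplicable", "notchecked", "informational", "notselected"}  # never scored
PASSING = {"pass", "fixed"}  # counting "fixed" as a pass is an assumption here

def resolve(node, device_cpes, parent_ok=True):
    """Copy the tree, marking rules whose own or inherited CPE platform does not
    match the device as 'notapplicable'. No 'platforms' key = applies everywhere."""
    plats = node.get("platforms", [])
    ok = parent_ok and (not plats or any(p in device_cpes for p in plats))
    if "children" in node:
        return dict(node, children=[resolve(c, device_cpes, ok) for c in node["children"]])
    return dict(node, result=node["result"] if ok else "notapplicable")

def default_score(node):
    """Default model -> (score, count): weighted average of counted children;
    uncounted rules neither raise nor lower the score."""
    if "children" not in node:
        if node["result"] in UNCOUNTED:
            return 0.0, 0
        return (100.0 if node["result"] in PASSING else 0.0), 1
    acc = wsum = 0.0
    count = 0
    for child in node["children"]:
        score, n = default_score(child)
        if n:
            w = child.get("weight", 1.0)
            acc, wsum, count = acc + score * w, wsum + w, count + 1
    return (acc / wsum if count else 0.0), count

def flat_score(node):
    """Flat model -> (weight of passing rules, weight of all counted rules)."""
    if "children" not in node:
        if node["result"] in UNCOUNTED:
            return 0.0, 0.0
        w = node.get("weight", 1.0)
        return (w if node["result"] in PASSING else 0.0), w
    pairs = [flat_score(c) for c in node["children"]]
    return sum(p[0] for p in pairs), sum(p[1] for p in pairs)

# Constructed benchmark: an XP-only group, a Vista-only rule, platform-neutral rules.
BENCHMARK = {"id": "bench", "children": [
    {"id": "xp", "platforms": ["cpe:/o:microsoft:windows_xp"], "children": [
        {"id": "xp-1", "result": "pass"}, {"id": "xp-2", "result": "fail", "weight": 3.0}]},
    {"id": "vista-1", "platforms": ["cpe:/o:microsoft:windows_vista"], "result": "fail"},
    {"id": "any-1", "result": "pass"}, {"id": "any-2", "result": "notchecked"}]}

def score_device(device_cpes):
    """Return (default score, (flat score, flat maximum)) for one device's CPE names."""
    tree = resolve(BENCHMARK, set(device_cpes))
    return default_score(tree)[0], flat_score(tree)
```

An XP device scores 62.5 under the default model (the XP group averages to 25 and sits beside the passing neutral rule), while the Vista-only rule and the unchecked rule are left out of both models entirely.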

The ETS console displays XCCDF results and provides the ability to generate summary and detailed XCCDF reports, which can be used to prove current and historical compliance. The ETS also preserves the original XCCDF results, which can be exported at any time.