Validation Details - SAINT 7.5
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.
SAINT provides support for the Security Content Automation Protocol (SCAP) specification as an Unauthenticated Vulnerability Scanner and as an Authenticated Vulnerability and Patch Scanner. SAINT supports the SCAP requirements defined for each of these components in SP 800-126, the SCAP specification, as verified by compliance testing against the NIST Derived Test Requirements (DTR) for these capabilities.
SAINT supports the open standards languages, enumerations and metrics applicable to both 'unauthenticated' and 'authenticated' scanners, which currently include OVAL, CPE, CVE and CVSS in the specification. SAINT also accepts SCAP content and evaluates the OVAL vulnerability definitions it contains, supporting both standalone OVAL definition files and OVAL definitions embedded in SCAP-expressed data streams.
SAINT completes this capability with Data Analysis and Reporting interfaces that support both canned and custom presentation of output in several human-readable formats, such as HTML, XML and CSV, and with links to SCAP-related standards bodies and content owners to support continued analysis, assessment and remediation.
Open Vulnerability and Assessment Language (OVAL) is an international information security standard that promotes open and publicly available security content and standardizes the transfer of this information across the entire spectrum of security tools and services. The SAINT product consumes and executes OVAL vulnerability definitions to determine and report vulnerabilities on remote systems. SAINT supports OVAL definitions of the patch and vulnerability classes for Microsoft Windows only (other platforms are to be supported in the future) and adheres to the OVAL 5.8 schema, with the exception of those tests and features noted in the SAINT OVAL documentation.
SAINT supports OVAL compliance checking by allowing users to import OVAL checks (standalone and/or SCAP-expressed data streams) from the OVAL repository, as well as user-developed XML files containing OVAL checks. An SCAP-expressed data stream is defined as "a collection of four or more related XML files containing SCAP data using the SCAP components that provide the data necessary to evaluate systems for compliance with a configuration-based security policy".
SAINT also allows OVAL result files to be viewed and downloaded via the GUI, and human-readable results to be viewed using SAINTwriter.
CVE (Common Vulnerabilities and Exposures) is a dictionary of publicly known information security vulnerabilities and other information security exposures. SAINT supports CVE with the capability to execute vulnerability scans selected by CVE ID. SAINT returns all vulnerability checks that detect the CVE and includes CVE IDs in its vulnerability data analysis, reports and tutorials for ease of reference to related tools and resources. At the conclusion of a vulnerability scan, SAINT lets users view the list of vulnerabilities and continue their analysis with customized scanning by the CVE selected for a given vulnerability, or by other categories or values relevant to the analysis.
SAINTwriter then produces report output containing CVE IDs in a number of formats, such as HTML, XML and CSV. SAINT also provides hyperlinks to related resources, such as the SAINT on-line CVE Index, which includes the CVE ID, description and custom SAINT tutorials, as well as links directly to the official CVE descriptions at http://cve.mitre.org to support further analysis, assessment and remediation.
CPE (Common Platform Enumeration) is a structured naming scheme for information technology systems, software, and packages. SAINT supports CPE by using the CPE names defined in the official CPE dictionary at http://nvd.nist.gov/cpe.cfm, then mapping all known CVEs to the corresponding CPEs for a given year. SAINT also fetches CPE content updates directly from the authoritative source, as a product feature, to remove the burden of data maintenance from the user and to ensure accurate and complete source data wherever CPE data is used. This CVE-CPE mapping is available within SAINTwriter as an option in custom reports.
Custom reporting features within SAINTwriter enable users to select all vulnerabilities in a given severity level, and to define report parameters and options related to specific vulnerability categories and services, such as CPE, to display the CPE entries corresponding to each displayed vulnerability, if any. SAINTwriter then lets users select their output format from a number of available formats, such as HTML, XML and CSV.
CVSS (Common Vulnerability Scoring System) is "a vulnerability scoring system designed to provide an open and standardized method for rating Information Technology vulnerabilities" and a framework for communicating the characteristics and impacts of IT vulnerabilities. SAINT supports CVSS through its scanning, analysis and reporting capabilities. SAINT lets users create custom scanning policies that include specified CVSS ranges when defining scan levels and setting up custom scans.
SAINTwriter can show the CVSS base score and CVSS base vector for each detected vulnerability as an optional column when creating custom reports. Custom reporting features within SAINTwriter enable users to select all vulnerabilities in a given severity level, and to define report parameters and options related to specific vulnerability categories and services, such as the CVSS base score and CVSS base vector, to display them alongside each displayed vulnerability. SAINTwriter then lets users select their output format from a number of available formats, such as HTML, XML and CSV.
Additionally, SAINT provides support for CVSS as part of Payment Card Industry (PCI) Compliance. CVSS base scores are shown in SAINT as part of PCI compliance reports. CVSS base scores are used as the primary factor in determining whether a given device is compliant during a PCI compliance assessment.
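The three preceding paragraphs rely on two operations a practitioner will want to reproduce: deriving a CVSS base score from a base vector (the value SAINTwriter places beside each finding), and filtering findings by a CVSS range or threshold (the scan-policy and PCI checks). The following is an added example, not SAINT's code: it implements the CVSS v2 base equation with the metric weights published in the CVSS v2 specification (v2 is the version current for a 7.5-era product), parses the base vector form shown in NVD, and applies a range filter and a pass/fail threshold. The findings list is constructed sample data, the function names are this example's own, and the 4.0 threshold is an assumption taken from the PCI ASV programme rather than anything this page states.

```python
"""CVSS v2 base score from a base vector, plus range and threshold filtering.

Added illustration only; not SAINT's code. Metric weights and the base
equation are those of the CVSS v2 specification. FINDINGS is a constructed
sample; the PCI threshold value is an assumption, not taken from this page.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights (Access Vector, Access Complexity,
# Authentication, and the three impact metrics, which share one table).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {"AV": AV, "AC": AC, "Au": AU, "C": CIA, "I": CIA, "A": CIA}
REQUIRED = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' (optionally parenthesised, as NVD
    prints it) into a metric dict. Unknown metrics, unknown values, duplicate
    metrics and missing metrics are rejected rather than silently scored."""
    if vector.startswith("(") and vector.endswith(")"):
        vector = vector[1:-1]
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name] or name in metrics:
            raise ValueError("bad CVSS v2 base vector: %r" % vector)
        metrics[name] = value
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError("vector %r is missing metrics %s" % (vector, missing))
    return metrics


def is_valid_vector(vector):
    """True if parse_vector accepts the string, False otherwise."""
    try:
        parse_vector(vector)
        return True
    except ValueError:
        return False


def _round1(x):
    # CVSS rounds to one decimal place, half up. Going through Decimal avoids
    # the banker's rounding and binary-representation surprises of round().
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector):
    """CVSS v2 base equation applied to a base vector string."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    if impact == 0:
        # f(Impact) is 0 when there is no impact: the score is 0.0 regardless
        # of how exploitable the issue is.
        return 0.0
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * 1.176)


def select_by_range(findings, low, high):
    """Keep findings whose base score lies in [low, high], the way a custom
    scan policy restricted to a CVSS range would."""
    return [f for f in findings if low <= base_score(f["vector"]) <= high]


def pci_failures(findings, threshold=4.0):
    """IDs of findings that fail a PCI-style check on base score alone.
    threshold=4.0 is an assumption (ASV programme), not a value from the page."""
    return [f["id"] for f in findings if base_score(f["vector"]) >= threshold]


# Constructed sample findings; the IDs are placeholders, not real CVE entries.
FINDINGS = [
    {"id": "finding-1", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},  # remote, total compromise
    {"id": "finding-2", "vector": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)"},  # NVD parenthesised form
    {"id": "finding-3", "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N"},  # local info disclosure
    {"id": "finding-4", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:N"},  # no impact at all
]

if __name__ == "__main__":
    for f in FINDINGS:
        print(f["id"], f["vector"], base_score(f["vector"]))
    print("in 4.0-7.9:", [f["id"] for f in select_by_range(FINDINGS, 4.0, 7.9)])
    print("PCI failures:", pci_failures(FINDINGS))
```

Two details matter when reproducing the reported numbers: the zero-impact case must short-circuit to 0.0 (otherwise the exploitability term alone would produce a non-zero score), and rounding must be half-up to one decimal, which is why the example goes through Decimal rather than the built-in round().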