Abstract
Security of systems is most often compromised by misconfiguration rather than by a lack of security mechanisms. As a result, configuration validation is of utmost importance within organizations. However, security policies, best practices, and documentation of vulnerabilities are usually available only in natural language, and thus configuration validation is usually a manual and error-prone activity. Initiatives such as the Security Content Automation Protocol (SCAP) foster the automation of configuration validation and the exchange of configuration information by providing a standard language. However, they focus only on single systems and are not flexible with respect to the creation of new security content. This paper proposes a tool for configuration validation as a service, able to assess checks and checklists defined over the configurations of both generic and specific distributed systems.
This work was partially supported by the FP7-ICT-2009.1.4 Project PoSecCo (no. 257129, www.posecco.eu).
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Casalino, M.M., Plate, H., Ponta, S.E. (2013). Configuration Assessment as a Service. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2012 2012. Lecture Notes in Computer Science, vol 7731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35890-6_16
DOI: https://doi.org/10.1007/978-3-642-35890-6_16
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35889-0
Online ISBN: 978-3-642-35890-6
eBook Packages: Computer Science (R0)