The Security Content Automation Protocol (SCAP) is a standard that defines how software flaws and configuration errors are classified. Four components make up SCAP.
Common Configuration Enumeration (CCE)
The Common Configuration Enumeration (CCE) is a list of best practices maintained by the National Institute of Standards and Technology (NIST). They may be downloaded from the index page.
Common Platform Enumeration (CPE)
The Common Platform Enumeration (CPE) is how devices, operating systems, and applications are identified for use in the vulnerability databases. NIST maintains a listing of them here.
Common Weakness Enumeration (CWE)
The Common Weakness Enumeration (CWE) is a listing of design flaws in software that can cause vulnerabilities to occur. CWE is a joint project between the US Department of Homeland Security (DHS), NIST and the company MITRE. MITRE hosts the list here.
Common Vulnerabilities and Exposures (CVE)
The Common Vulnerabilities and Exposures (CVE) are the vulnerabilities posted about operating systems and applications. Often times these will be referenced by vendors when patches are provided. The CVEs are listed here.
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is the predefined way to assign quantitative rankings to vulnerabilities on a scale of 0-10.
3 thoughts on “CompTIA CySA+ – Security Content Automation Protocol (SCAP)”