How to Get More Sleep using VSC

It’s the night before launch. To put it more accurately, it’s launch morning. You’ve been working long hours for the last six weeks to get your company’s latest web application ready for your adoring public. You’ve been testing and re-testing to make sure it’s free of bugs and any other issues your users might have as they interact with your new product for the first time. But now you’re finally satisfied. Your PM is satisfied, and you’re ready to launch, and you’re fantasizing about all the full nights of sleep you have ahead of you.

That is, until your boss’s boss pops his head in the door as he’s leaving and says, “Hey, are we sure this thing is secure? Run a few of our scanner-doo-dads on it and write up a report of any vulnerabilities we should be aware of.” His words just sort of hang in the air as your sleep-deprived brain tries to process the meaning. Secure? Vulnerabilities? Write a report? Gwah?

SCAP Sync Shakes Hands With jOVAL To Automate Assessments

Automation has always been a crucial mission of computing. In fact, that's all computers do. They automate our tasks and turn what used to be lengthy and boring activities into a few clicks, or in our case today, a few keystrokes. (One may ask, why "a few" clicks? Why not "a single click", or even "no clicking at all"? That's a question I will attempt to elaborate on later.) This article describes our attempt to automate the periodic assessment of a system against newly found vulnerabilities using two of the few freely available SCAP tools: SCAP Sync and jOVAL.

Security & New SCAP Content

Over the past few months, we have been methodically adding bits and pieces to SCAP Sync. A blog post detailing all of our changes is long overdue, so I would like to catch you up on what we have been doing! We have introduced some new security changes and we are synchronizing lots of new data sources in order to provide a more comprehensive database of SCAP content.

Introducing Vulnerability Scan Converter

Detecting vulnerabilities is a necessity for any IT department hoping to keep its infrastructure secure, and for any IT security professional administering a Security Control Assessment. For that purpose, there is no lack of tools to scan the various facets of an organization's pivotal technology: the Cisco Router Assessment Tool, Tenable Network Security's Nessus, Hewlett Packard WebInspect, AppDetective and the open source Nmap. Though these scanners excel at finding vulnerabilities, none of them is readily able to work with the others to communicate their findings back to IT personnel. At Lunarline, we've been watching this problem for some time, so we decided to build a solution.

Vulnerability Scan Converter (VSC) is that solution, and we're unveiling it today in advance of its commercial launch later this year.

CVE Applicability

We rolled out some major upgrades to SCAP Sync this week! We will be highlighting its new capabilities in a series of upcoming blog posts. Our goal is to show you how you can use SCAP Sync in your day-to-day security work to improve productivity and automate tedious workflows.

The first new feature that we are covering is CVE Applicability. This new feature makes it easy for you to research whether an announced vulnerability affects you or your employer.

SCAP Content Feed

Over the weekend, Lunarline rolled out several new features to SCAP Sync. In this post, I am going to point out three of my favorite new features: it is easier to use, it has a feed for monitoring updated SCAP content, and it has version history for SCAP Content.

By the way, if you are going to be at the ITSAC conference in Baltimore this week, please come say hello! We are speaking about SCAP Sync from 2:30 – 3:00 on Wednesday, October 3rd in Room 344. We also have a booth for the duration of the conference. Our booth is #19, which is along the left wall as you enter the exhibitors’ hall.

Announcing SCAP Sync

We are proud to announce that SCAP Sync (http://scapsync.com) is now live! SCAP Sync is a search engine and content repository for SCAP. Lunarline is offering this as a free service, starting today.

SCAP Sync crawls SCAP content from multiple original sources (including NIST and MITRE) then syndicates that content in several convenient formats for both security practitioners as well as application developers who are looking to use SCAP content in their own applications.

Out With the DIACAP, In With the DIARMF?

We haven't posted on DoD's pending transition from the DoD Information Assurance Certification & Accreditation Process (DIACAP) to what is called, at least for now, the DoD IA Risk Management Framework (RMF). Now, after reading the articles by noted security experts Len Marzigliano and Richard Bejtlich, it's time to take a look at what this transition might really mean for DoD and its supporting contractors.

For those of us who have been around a while, we remember the emergence of the DoD Information Technology C&A Process (DITSCAP) and the somewhat reluctant transition from that C&A process to the DIACAP in 2007/2008. We watched while the DIACAP, which was intended to be a standardized process applied consistently across the entire DoD to support reciprocity and cost savings, was subjected to modification and interpretation by each of the services. The result: standardization and consistency flew out the window, and the DoD was back to incompatible, non-standardized processes and the inability (and perhaps unwillingness) to support full reciprocity across the DoD. In the end, despite all of the best intentions of the DoD authors of the DIACAP, it became yet another resource-intensive, paperwork-centric process. But five years into the transition, some of the wrinkles are getting sorted out.

And now, DoD wants to change yet again? Whoa, and we are just getting used to the DIACAP!

So, why now, and why the RMF? It all goes back five years or so, to a series of discussions hosted by then Director of National Intelligence, Hon. Dale Meyerrose, along with the DoD CIO, Hon. John Grimes. The goal of their conversations was to jointly find solutions to long-standing problems relating to the extensive resources the IC and DoD historically expend for C&A, to ensure that C&As accomplished by one agency would be valid for all agencies, and to deliver systems to the customer faster. Concurrently, the National Institute of Standards and Technology (NIST) was working on a revision of the C&A processes used for Federal information systems. And then it dawned: why not work together across the Federal government to create a single process that would be applicable across the entire Federal government, including the DoD and the Intelligence Community (IC)?

The result is the NIST RMF, and the IC and DoD have agreed to adopt this standard as their own, with some minor modifications, of course. Stay tuned for our next posting, where we will continue this journey.

Lunarline is on the front lines of this new transition. Please be sure to take a look at our White Paper at http://lunarline.com/Services/Whitepapers.aspx. With our extensive experience in applying the NIST RMF, our participation in Federal, DoD and IC C&A transition working groups, and our NSA/CNSS certified training in this process, we can support you today and help prepare you for tomorrow.

FCD-1 Revision 1

I had an opportunity to review the draft of the upcoming revision 1 to Federal Continuity Directive 1 (FCD-1). I had several issues with it. It talks about "establishing contingency plans for the performance of essential functions." Unfortunately this contradicts SP 800-34, which says "An Information System Contingency Plan (ISCP) provides procedures and capabilities for recovering an information system."

Just to clarify: until this draft, the government has used the term "contingency plan" to denote the policies and procedures for the recovery of a single system. "COOP Plan" has been used for the policies and procedures for recovering Primary Mission Essential Functions (PMEFs) and Mission Essential Functions (MEFs).

There are several other instances where the drafters of this revision crossed terms as used in other publications, particularly the NIST Special Publications. I'd like to see more consistency across publications to reduce confusion.

Cyber Security Company Lunarline Ranked as One of America’s Fastest Growing Companies

For the second year in a row, Lunarline, Inc. is named to the Inc. 500|5000 list, jumping 366 spots to rank No. 1846. This is the fifth year Inc. magazine has compiled their exclusive list of the nation’s fastest growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs.
