Browse > Article
http://dx.doi.org/10.30693/SMJ.2022.11.3.54

A Study on the Classification of OVAL Definitions for the Application of SCAP to the Korea Security Evaluation System  

Kim, Se-Eun (공주대학교 인공지능학과)
Park, Hyun-Kyung (공주대학교 인공지능학과)
Ahn, Hyo-Beom (공주대학교 인공지능학과)
Publication Information
Smart Media Journal / v.11, no.3, 2022 , pp. 54-61 More about this Journal
Abstract
With the increase in the types of information systems managed by public institutions and companies, a security certification system is being implemented in Korea to quickly respond to vulnerabilities that may arise due to insufficient security checks. The korea security evaluation system, such as ISMS-P, performs a systematic security evaluation for each category by dividing the categories for technical inspection items. NIST in the United States has developed SCAP that can create security checklists and automate vulnerability checks, and the security checklists used for SCAP can be written in OVAL. Each manufacturer prepares a security check list and shares it through the SCAP community, but it's difficult to use it in Korea because it is not categorized according to the korea security evaluation system. Therefore, in this paper, we present a mechanism to categorize the OVAL definition, which is an inspection item written in OVAL, to apply SCAP to the korea security evaluation system. It was shown that 189 out of 230 items of the Red Hat 8 STIG file could be applied to the korea security evaluation system, and the statistics of the categorized Redhat definition file could be analyzed to confirm the trend of system vulnerabilities by category.
Keywords
System Maintenance; OVAL; SCAP; Categorization;
Citations & Related Records
연도 인용수 순위
  • Reference
1 지윤석, 이용석, 윤덕중, 신용태, "美 NIST 보안성 자동평가프로토콜(SCAP)분석을 통한 공공기관의 정보보안관리실태 평가제도 개선방안 연구", Journal of Information Technology Application 제26권, 제4호, 31-39쪽, 2019년 8월
2 D. Gonzalez, H.Hastings, M. mirakhorli, "Automated Characterization of Software Vulnerabilities", Proceedings of IEEE International Conference on Software Maintenance and Evolution (ICSME), vol. 2019, no. 1, pp. 135-139, Cleveland, OH, USA, Sep. 2019
3 과학기술정보통신부, "기술적 취약점 분석.평가방법 상세가이드," 한국인터넷진흥원, pp 10-13, 2021
4 정성수, 고갑승, 문길종, 이남일, 류동주, "안전한 U-City 인프라 구축을 위한 미국의 공통보안규격제도 분석," Proceedings of KIIT Conference, vol. 2012, no. 5, pp. 45-48, May, 2012.
5 KISA ISMS-P 인증제도 소개, https://isms.kisa.or.kr/main/ispims/intro/ (accessed Nov. 26. 2021)
6 Security Content Automation Protocol,https://csrc.nist.gov/projects/security-content-automation-protocol (accessed Dec. 27.2021)
7 Radack, S. and Kuhn, D., "Managing Security: The Security Content Automation Protocol," IT Professional, IEEE, vol. 13, no. 1, pp. 9-11, Feb. 2011.   DOI
8 D. Waltermire, S. Quinn, H. Booth, K. Scarfone, and D. Prisaca, "The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3," NIST Special Publication 800-126. Revision 3, National Institute of Standards and Technology, Feb. 2018
9 NCP Checklist Repository, https://ncp.nist.gov/repository (accessed Jan. 12, 2022)
10 J. Baker, M. Hansbury, D. Haynes, "The OVAL® Language Specification Version 5.11," NIST Special Publication 800-126. Revision 5, Mitre, December 2014
11 김선광. "서버 보안기준 준수 평가를 위한 SCAP 적용 타당성 연구", 중앙대학교 대학원 석사학위논문, 2019.8
12 이재각, "방산업체 ISMS 인증제도 적용방안 연구", 정보보호학회지, 제25권, 제6호, 53-58쪽, 2015년 12월
13 신동천, 김선광, "서버 중심의 취약성 관리를 위한 SCAP 적용 가능성," 한국데이터베이스학회지, 제26권, 제4호,, 19-30쪽, 2019년 8월
14 국가사이버안전센터, "정보보안 관리실태 평가 소개," 정보보호학회지, 제23권, 제5호, 9-11쪽, 2013년 10월
15 OVAL Core Definition Schema Element Diectionary, https://oval.mitre.org/language/version5.11/ovaldefinition/documentation/oval-definitions-schema.html (accessed Nov, 30. 2021)
16 Harold. B. and Melanie, C., "Security Content Automation Protocol(SCAP) Version 1.2 Content Style Guide," Technical Report, NIST, May. 2015