nCircle VERT Blog

IT Security Automation Conference 2010 (aka SCAP)

As in my last post, I will start with a rant. The airline lost my checked luggage on my way to the conference in Baltimore so I was stuck wearing my very casual travelling clothes. Had I known, I would have brought a baseball cap with an S on it (S-CAP, get it?) since airport security confiscated my hair gel too and my backup tube was in my luggage that was somewhere between Toronto, Philadelphia and the moon. I had to wear swag shirts as a last resort but luckily, Splunk had really cool ones with quotes like "Taking the SH out of IT.", "Because ninjas are too busy." and "Finding faults, just like your mother." My colleagues might have frowned a little bit if I had been wearing a Nessus shirt. On top of that, I got terribly lost on my first night in town trying to look for a restaurant still open after I landed, in the city with the second highest murder rate per capita in the US. I somehow managed to survive but I almost didn't see anybody in the streets; I guess they knew better than to be out in the streets at that ungodly hour.

The conference itself was fantastic. I met great people and the presentations were interesting. It allowed me to get a better idea of the bigger picture behind SCAP and what it represents. It can be confusing at first with all the alphabet soup of acronyms like CVE, CPE, CCE, CWE, CVSS, XCCDF, OVAL, FDCC, USGCB, EMAP, IF-MAP, ARF and many others but the conference offered an introductory track called SCAP 101 on the first day. The previous editions of the conference used to be called simply SCAP but as mentioned in the "Program Summary" workshop on the third day, it has become much more than that, hence the need for a change of name. The main focus is now security automation in a wider sense going from automated SCAP content generation to automated remediation. This would have been a good venue to submit a paper on our experience here at nCircle as a vendor with SCAP-certified products and how we automated security policy generation by automating the import process of SCAP-compliant benchmarks but there is always next year. The first two days of presentations were really interesting to me although I had to leave early the third day during the workshops. Some tracks were highly technical and might not be easily understandable to the management types but with five concurrent tracks, there always seemed to be something either interesting on a personal level or that I could apply in my day-to-day work on SCAP-related tasks at nCircle. It is always good to know the big picture of where the standards are going and how we can prepare for them in advance to help deliver a faster response time once they are officially established. Being compliant today doesn't mean that you will still be tomorrow as the standards evolve.

nCircle has always been a proud supporter of SCAP since the first moments and we look forward to continuing to work closely with the program to help define the next generation of digital information security standards. In the big picture, it benefits everyone's safety and privacy, whether they are our customers or not. Even if I'm only a scruffy engineer, working with a clearly established standard makes my job much easier.




About

This page contains a single entry from the blog posted on October 3, 2010 9:54 AM.




Bio

Blog: VERT
Author: nCircle VERT

nCircle VERT is the research team behind nCircle, continuously publishing updates for nCircle IP360 and nCircle's family of products. VERT conducts deep research across a broad class of network security intelligence, creating unique, agentless detection for: vulnerabilities, host configurations, applications, services, user accounts, operating systems, and other network security conditions. Members of the group use this blog to share their opinions on the security industry, emerging threats, technology trends, and the world at large.


   



