Inspec assessments vs Openscap

[SLSAKrit]

Hi,
I am trying to add STIG assessment to our automated compliance management portal. I am exploring Openscap and MITRE SAF.

MITRE SAF has more security content - benchmarks for Databases, Webservers etc in addition to Operating systems and containers while Openscap benchmarks are only available at present for operating systems and containers only. Openscap installations can be done only on Linux distributions.

Are there any other advantages of MITRE SAF? Why was MITRE SAF created when the Openscap effort is ongoing?
How does MITRE SAF automation differ from that of OpenScap?

Any clarification in this regard will help me greatly choose the right framework for our needs to automate our assessment.

Thanks in advance

[aaronlippold]

Hello, thank you for your question. ... we are generating a response :)

[p-oneil]

@SLSAKrit

The advantage of using the MITRE Security Automation Framework (SAF) over SCAP lies in its ability to leverage the OASIS Heimdall Data Format (OHDF) and the extensive automation we've developed around it. This allows users to easily and programmatically:

1. Add manual attestations,
2. Gate CI/CD pipelines,
3. Visualize results in Heimdall,
4. Generate additional or alternative reports such as POA&Ms, and more.

InSpec was developed because the SCAP standard was no longer receiving proper funding and because its clients do not adequately assess everything they ought to as you've discovered. It's important to note that the MITRE SAF is independent of both InSpec and the various SCAP clients, which are merely tools. The MITRE SAF is designed to automate security processes throughout the entire security lifecycle, not just the validation phase, which can be handled by various tools—InSpec is simply our preferred choice. In fact, we have integrations with a variety of validation tools including multiple SCAP clients so you can leverage the content you get out of those tools within the rest of the MITRE SAF.

Here is a Powerpoint that goes through differences between SCAP and Inspec that you may find helpful. I also encourage you to explore our website, saf.mitre.org. We'll also be adding a section to our training materials that highlights these differences between SCAP and the MITRE SAF.

If you would like to discuss the challenges you're facing and how the MITRE SAF can assist, please feel free to email Amndeep Singh Mann @Amndeep7 [email protected], and you can set up a meeting to chat about the MITRE SAF.