Security compliance is conformance to security requirements that are usually defined either by industry standards (USGCB, DISA STIG, PCI DSS) or custom policies specified by an organization itself. Unfortunately reaching the compliance is not that easy. Some of the issues users may run into are: * lack of a security guidances, checklists, and associated validation mechanisms * lack of high quality (as in certified) scanners - auditing tools * difficulties with security profiles customization * missing remediation capability in current standards (remediation allow users to alter system configuration in order to put system into compliance) * integration with system management solutions that can facilitate monitoring and reporting
In this talk we will introduce various components (scanner, data, installer and systems management solution) that comes into play when we deal with these kind of challenges. We will also describe work-flow these components have established and we will show you where and how you can start contributing in order to make the security compliance more suitable for your needs. Our main focus will be on contribution to the compliance requirements repository which is hosted by the scap-security-guide project.
