Vendor Provided Validation Details - Patchlink Update Server 1.2
The following text was provided by the vendor during testing to describe how the product implements the specific capabilities.

Statement of FDCC Compliance:
Lumension asserts that its Patchlink Update Server version 1.2 product does not alter the FDCC settings on Microsoft Windows XP.

Statement of SCAP Implementation:
PatchLink Security Configuration Management is an open, standards-based solution that enables customers to leverage the wealth of knowledge and content from leading security think tanks such as the National Institute of Standards and Technology's (NIST) repository, the world's largest open repository of vulnerability, patch, and configuration assessments, to dramatically reduce their 'time to security' and deliver instant value from their investment. The best-practices content in this repository, created and approved by the security community, is based upon the SCAP open set of standards, a combination of six common vulnerability identification standards: CVE, OVAL, CPE, CCE, XCCDF and, in a future stage, CVSS.

PatchLink Security Configuration Management allows Administrators to upload the SCAP Archive through the Configuration Policy Manager Web Page. This page allows Administrators to select the desired benchmark and profile for quick assessment. The Configuration Policy Manager also allows multiple benchmarks to be assigned to a single policy for mixed or heterogeneous environments.

Statement of CVE Implementation:
Common Vulnerabilities and Exposures (CVE) is a list or dictionary that provides common identifiers for publicly known information security vulnerabilities and exposures. Using a common identifier makes it easier to share data across separate databases and tools that until CVE were not easily integrated.

PatchLink Security Configuration Management adopts CVE by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select a CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page.
Users can also search for CVE IDs by navigating to the Vulnerabilities Page and entering the CVE ID in the Name/CVE No search field to display detailed results and to identify additional systems to which the software vulnerability applies.

Statement of CCE Implementation:
The Common Configuration Enumeration (CCE) provides common identifiers for system configuration settings in order to facilitate fast and accurate correlation of configuration data across multiple information sources and tools. The CCE IDs are included in the SCAP data streams to map security best practices to computer configurations. PatchLink Security Configuration Management displays the CCE IDs after a computer has completed the scan; the scan results are hosted in XML format on the SCM Server for further analysis. CCE IDs are also available when exporting the scan results.

Statement of CPE Implementation:
The Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. CPE is simply a standards-based dictionary of software product names.

PatchLink Security Configuration Management adopts CPE to verify that configuration scans are not conducted on systems to which they do not apply. This allows Administrators to include security benchmarks applicable to Windows 2000, XP, 2003, and Vista systems in a single configuration policy. Administrators can assign this configuration policy to the built-in Windows System Group, which can be cascaded down to child groups such as the Windows 2000, XP, 2003, and Vista system groups. Administrators can then review the scan results for each operating system version to get a complete view of their assessment results. This ensures that no additional resource overhead is incurred on systems being scanned against a benchmark that is not applicable to that system.

Statement of CVSS Implementation:
The Common Vulnerability Scoring System (CVSS) is an open standard for assigning scores to a vulnerability that indicates its relative severity compared to other vulnerabilities. It offers visibility into how each score was calculated by revealing the underlying vulnerability characteristics that are inputs to the score calculation.

PatchLink Security Configuration Management adopts CVSS by displaying CVE IDs for missing security patches or software vulnerabilities. Users can also select a CVE ID to hyperlink directly to the public National Vulnerability Database (NVD) hosted by NIST. The CVE references can be viewed by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > drill through the tree and select the hyperlink of the test to launch the detailed assessment results page. Once the detailed assessment results page has been launched, users can click on the CVE ID, which hyperlinks to the NVD website where the CVSS severity score is displayed.

Statement of XCCDF Implementation:
The Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring.

XCCDF is used by the PatchLink Security Configuration Management Agent (SCM Agent), which interprets the checklist, scans the system, and posts the results to the PatchLink Security Configuration Management Server, which collects the results. The results can be viewed by:

Statement of OVAL Implementation:
The Open Vulnerability and Assessment Language (OVAL) is an open standard XML language to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services.

PatchLink Security Configuration Management uses OVAL during the scan or assessment for the selected system to evaluate, carry out, and report the results of the OVAL Definitions for that platform.

The OVAL Definition ID can be retrieved by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > Expand the desired check > click on the check name to display the Detailed Assessment Results Page using the XML View.

The OVAL Test ID can be retrieved by navigating to Groups > Compliance Detail > Select a Device Name that has been scanned > Expand the Benchmark > Expand the desired check > click on the check name to display the Detailed Assessment Results Page using the Table View.
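The CCE, XCCDF and OVAL statements above all describe scan results held as XML in which each XCCDF rule result carries its CCE identifier and a reference to the OVAL definition that evaluated it. The following added example (not the vendor's code; the XML fragment is constructed and assumes an XCCDF 1.2 TestResult layout with placeholder CCE and OVAL identifiers) parses such a result, pulls out those identifiers, and computes a flat compliance score that excludes rules marked not applicable, which is what the CPE applicability check above produces.

```python
"""Extract SCAP identifiers from a constructed XCCDF TestResult fragment."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
CCE_SYSTEM = "http://cce.mitre.org"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed sample result: one passing rule, one failing rule, and one rule
# skipped as not applicable to the scanned platform. Identifiers are placeholders.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="example-result">
  <rule-result idref="example-rule-1">
    <result>pass</result>
    <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-1</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example.fdcc:def:1"/>
    </check>
  </rule-result>
  <rule-result idref="example-rule-2">
    <result>fail</result>
    <ident system="{CCE_SYSTEM}">CCE-EXAMPLE-2</ident>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example.fdcc:def:2"/>
    </check>
  </rule-result>
  <rule-result idref="example-rule-3">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""


def parse_rule_results(xml_text):
    """Return one dict per rule-result: rule id, outcome, CCE IDs, OVAL definition IDs."""
    ns = {"x": XCCDF_NS}
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("x:rule-result", ns):
        result = rr.findtext("x:result", namespaces=ns)
        # Only idents from the CCE naming system count as CCE IDs.
        cces = [i.text for i in rr.findall("x:ident", ns) if i.get("system") == CCE_SYSTEM]
        # OVAL definition IDs live in check-content-ref/@name under an OVAL check.
        ovals = [ref.get("name") for chk in rr.findall("x:check", ns)
                 if chk.get("system") == OVAL_SYSTEM
                 for ref in chk.findall("x:check-content-ref", ns)]
        rows.append({"rule": rr.get("idref"), "result": result, "cce": cces, "oval": ovals})
    return rows


def flat_score(rows):
    """Percentage of pass among pass+fail; notapplicable rules do not count."""
    passed = sum(1 for r in rows if r["result"] == "pass")
    failed = sum(1 for r in rows if r["result"] == "fail")
    return 100.0 * passed / (passed + failed) if passed + failed else 0.0
```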