See also local files:


Global issues





Government and regulation


High level

Solution providers


Information and threat exchange


The term 'SCAP Security Guide (SSG)' is an umbrella term to refer to a security policy written in a form of SCAP documents. 'SCAP content' typically refers to documents in the XCCDF, OVAL and Source DataStream formats.


SCAP content is published in repositories

XCCDF - to describe security checklists

Extensible Configuration Checklist Description Format (XCCDF) is a specification language for writing security checklists, benchmarks, and related kinds of documents. An XCCDF document represents a structured collection of security configuration rules for some set of target systems. The specification is designed to support information interchange, document generation, organizational and situational tailoring, automated compliance testing, and compliance scoring. The specification also defines a data model and format for storing results of benchmark compliance testing. The intent of XCCDF is to provide a uniform foundation for expression of security checklists, benchmarks, and other configuration guidance.

XCCDF documents are expressed in XML, and may be validated with an XML Schema-validating parser.

XCCDF uses OVAL as its default configuration checking technology.

OVAL - for making logical assertions about the state of a system

Open Vulnerability and Assessment Language (OVAL): to assess and report upon the machine state of computer systems

CPE - Common Platform Enumeration

CPE serves to identify IT platforms and systems using unequivocally defined names. CPE also includes a method for checking names against a system, and a description format for binding text and tests to a name. Use: vulnerability CVE-2009-1234 applies to "cpe:/a:vend:prod:8.0", which can be refined into a unique identifier for a specific product "cpe:/a:vend:prod:8.0:-:win"

Other components of SCAP



Refer also to LTK Open-SCAP info.


Project creates security policy content for various platforms -- Red Hat Enterprise Linux, Fedora, Ubuntu, Debian, SUSE Linux Enterprise Server (SLES),... -- as well as products -- Firefox, Chromium, JRE, ... in all the commonly used formats (SCAP, Ansible, bash fix files).

This project started in 2011 as a collaboration between government agencies and commercial operating system vendors. The original name was SCAP Security Guide. The original scope was to create SCAP datastreams. Over time, it grew into the biggest open-source beyond-SCAP content project. The next few years saw the introduction of not just government-specific security profiles but also commercial, such as PCI-DSS.

Later, the industry starts moving towards different security content formats, such as Ansible, Puppet, and Chef InSpec. The community reacted by evolving the tooling and helped transform SSG into a more general-purpose security content project. This change happened over time in 2017 and 2018. In September 2018, the name of the project was changed to avoid confusion.

The future will be format-agnostic. That's why an abstraction is used instead of XCCDF for the input format.

CERTs - see also ENISA

CERTs - large scale

CERTs - country-level


Belgian focus


TOR and I2P

Anonymous - Telecomix



Fighting botnets etc

Virus and vulnerabilities



Mobile devices