SCA - Security Configuration Assessment

Security Configuration Assessment app on module picker


Get started

Get an overview and steps to start automating configuration assessment and reporting of your assets.

Download User Guide


Why Security Configuration Assessment?

Security Configuration Asssessment (SCA) helps expand your current vulnerability management program and automates configuration assessment and reporting of IT assets in a continuous way. SCA is an add-on option to VM to complete your vulnerability management program.

According to NIST*, there are 3 kinds of vulnerabilities.

These 2 types of vulnerabilities can be assessed using our Vulnerability Management (VM) app and Web Application Scanning (WAS) app: Software Flaws are errors in code or design of software, they only have a negative impact. Sofware Feature Misuse is caused by the software designer making trust assumptions that permit the software to provide important features while also introducing the possibility of someone violating those trust assumptions to compromise security.

Vulnerability assessment alone is not enough to protect systems from compromise! Misconfiguration is a major source of breaches and these issues play a huge role in the recent high profile cyber attacks like Petya and more. And this is where SCA comes in.

The 3rd types of vulnerability is called: Security Configuration Issue. According to NIST this type of vulnerability means the security configuration settings on a host system can have an adverse effect on the security of the software. For example an OS that provides access control lists for privileges of users to access sensitive content. Security Configuration Assessment (SCA) app help you automate the assessment of security configurations.



Tell me the steps

Add assets to SCA Assets that you're scanning using the VM app have VM enabled. You can easily enable the SCA for the same assets. Learn more

Import and Build CIS policy Choose from CIS policies in our library - we have over 200 policies with pre-configured controls to choose from!  Learn more

Start collecting configuration data Launch scans to collect the data as required by the CIS policy. The workflow for launching an SCA scan is similar to the one familiar to you for VM scan. Learn more

Generate reports Your SCA report gives you up to date compliance posture against the CIS benchmarks in your policy. Each report includes references to compliance standards (PCI-DSS, HIPAA, NIST, and more), remediation information, Qualys provided control criticality. Learn more