Laying the foundation for holistic vulnerability management

Cynthia
Published in Hunter Strategy
Dec 15, 2022

If your security team is feeling increasingly burdened by the volume of advisories available to them, they are not alone. As cyber awareness grows, so does the industry's ability to process information and respond with timely, product-version-specific security advisories. While it is a good trend to see vendors being more transparent and communicating about software vulnerabilities, security consumers are overwhelmed by the task of triaging information sourced through various channels in inconsistent formats. Enter the Common Security Advisory Framework Version 2.0 (CSAF).

CSAF 2.0 is a reference language for creating, updating, and exchanging security advisories as structured information about products, vulnerabilities, impact, and remediation. The intent of the framework is to further enable machine-to-machine exchange of security advisories, using structured methods to share information quickly. CSAF is the replacement for the Common Vulnerability Reporting Framework (CVRF), which was an XML-based taxonomy, whereas CSAF is a JSON-based language. CSAF and all of its documentation can be found on the OASIS site (https://docs.oasis-open.org/csaf/csaf/v2.0/csaf-v2.0.html).

Note that the specification includes the concept of an aggregator. An aggregator would collect CSAF documents and help with orchestrated distribution. Germany's BSI (Federal Office for Information Security), the German equivalent of the U.S. CISA, has committed to this approach, and while CISA has made no formal announcement, it recently released a blog post (https://www.cisa.gov/blog/2022/11/10/transforming-vulnerability-management-landscape) that seems to support the CSAF approach.

Have any vendors already committed to CSAF? So far, Oracle, RedHat, and TIBCO have all put out documentation. Hopefully many more Product Security Incident Response Teams (PSIRTs) will find the specification useful and ultimately adopt the format for communicating advisories. The schema is designed to communicate any type of notification of security issues in products to or from product vendors, product resellers and distributors, and others. The focus of the specification is on the security aspect impacting specific product-platform-version combinations. Developers of security scanning tools are likely to find CSAF-formatted files very useful. CSAF also includes mitigating countermeasures if no patch is available.

In an ideal situation, a security analyst would be able to leverage asset management data with CSAF data to obtain an operational picture of which systems in their environment have advisories, and receive ratings and recommendations on how to manage the vulnerabilities all from a single pane of glass.
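As an added example (not part of the original post), the following Python script shows what that correlation looks like in practice: it walks the product_tree of a constructed, minimal CSAF 2.0 document to map each product_id back to its vendor, product and version, joins the known_affected ids of each vulnerability against a constructed asset inventory, and attaches the advisory's remediations to every affected host. The advisory content, product ids, CVE number and hostnames are placeholders.

```python
import json

# Constructed minimal CSAF 2.0 advisory; vendor, product ids and the CVE
# number are placeholders, not a real vendor's advisory.
ADVISORY = json.loads("""{
 "document": {"category": "csaf_security_advisory", "csaf_version": "2.0", "title": "Example advisory",
  "tracking": {"id": "EXAMPLE-0001", "status": "final", "version": "1"}},
 "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
  {"category": "product_name", "name": "Widget Server", "branches": [
   {"category": "product_version", "name": "1.0", "product": {"product_id": "WS-1.0", "name": "Widget Server 1.0"}},
   {"category": "product_version", "name": "1.1", "product": {"product_id": "WS-1.1", "name": "Widget Server 1.1"}}]}]}]},
 "vulnerabilities": [{"cve": "CVE-0000-00000",
  "product_status": {"known_affected": ["WS-1.0"], "fixed": ["WS-1.1"]},
  "remediations": [
   {"category": "vendor_fix", "details": "Upgrade to Widget Server 1.1", "product_ids": ["WS-1.0"]},
   {"category": "workaround", "details": "Disable the remote admin interface", "product_ids": ["WS-1.0"]}]}]}""")

# Constructed asset inventory, as an asset-management export might list it.
INVENTORY = [
    {"hostname": "web-01", "vendor": "ExampleVendor", "product": "Widget Server", "version": "1.0"},
    {"hostname": "web-02", "vendor": "ExampleVendor", "product": "Widget Server", "version": "1.1"},
    {"hostname": "db-01", "vendor": "OtherVendor", "product": "Data Store", "version": "4.2"},
]

def index_products(branches, vendor=None, product=None, out=None):
    """Walk product_tree.branches; map each product_id to its (vendor, product, version) path."""
    out = {} if out is None else out
    for b in branches:
        v = b["name"] if b["category"] == "vendor" else vendor
        p = b["name"] if b["category"] == "product_name" else product
        if "product" in b:  # leaf: carries the product_id that vulnerability entries refer to
            out[b["product"]["product_id"]] = (v, p, b["name"])
        index_products(b.get("branches", []), v, p, out)
    return out

def affected_assets(advisory, inventory):
    """Join known_affected product ids against the inventory; return hosts with their remediations."""
    products = index_products(advisory["product_tree"].get("branches", []))
    findings = []
    for vuln in advisory.get("vulnerabilities", []):
        remediations = {}  # product_id -> ["category: details", ...]
        for rem in vuln.get("remediations", []):
            for pid in rem.get("product_ids", []):
                remediations.setdefault(pid, []).append(f'{rem["category"]}: {rem["details"]}')
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            for host in inventory:
                if products.get(pid) == (host["vendor"], host["product"], host["version"]):
                    findings.append({"host": host["hostname"], "cve": vuln.get("cve"),
                                     "product_id": pid, "remediations": remediations.get(pid, [])})
    return findings
```

Hosts listed only under `fixed` or `known_not_affected` produce no finding, so `web-02` and `db-01` drop out while `web-01` is reported with both remediations.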

Contact Us

contact@hunterstrategy.net
