The world of security advisories is fragmented, with diverse systems storing crucial documentation in a variety of file formats. While living in a digital-first society, the vast majority of these publications are not machine-readable and must be parsed, evaluated, or referenced by humans.

Manually reading advisories, checking the listed products and versions, and evaluating the risk and the possible responses is, at best, cumbersome for system administrators who must contend with an ever-changing threat landscape and stay flexible in the face of cybercriminals’ creativity.

In the realm of cybersecurity, time itself might represent a threat. Administrators and security experts must be ready to begin remediation of vulnerabilities quickly. Consumers must also be able to rely on software and hardware manufacturers to promptly and easily disclose security problems.

Common Security Advisory Framework History

The Common Security Advisory Framework (CSAF) was created in response to the demand for machine-readable and accessible security documentation. CSAF is a standard for disclosing vulnerabilities in a machine-readable format, thereby enabling providers of hardware and software to automate their vulnerability assessments.

The CSAF standard facilitates the automation of security advisory development, delivery, and consumption at all stages. The Cybersecurity & Infrastructure Security Agency (CISA) insists on the widespread use of CSAF, describing it as one of three “essential steps to enhance the vulnerability management ecosystem” due to its capacity to reduce the time between vulnerability disclosure and remedy.

CSAF 2.0

CSAF 2.0 introduced provider metadata. An excerpt from the CSAF requirements:

“The party MUST supply a valid provider-metadata.json file that conforms to the CSAF provider metadata format for its own metadata. The publisher object SHOULD correspond to the one used in the CSAF documents of the issuing party, although it can be modified to whatever value a CSAF aggregator SHOULD display over any individual publisher values in the CSAF documents themselves.”

The protocol for gathering provider metadata provides ecosystem-wide consistency and aggregates this information from aggregators, listers, and end-users.

The VEX and SBOM

The Vulnerability Exploitability Exchange (VEX) is a CSAF profile developed by the SBOM community. This profile was created as an efficient method for providing a negative security alert, or for vendors to indicate that their product is not vulnerable.

A VEX document lists products and, for each vulnerability, states how each product is affected. Vendors can mark a product as Under Investigation, Fixed, Known Affected, or Known Not Affected. Simply labeling a product as Not Affected is insufficient: VEX requires that this status be justified.

While CSAF replaces manual handling with automation, VEX goes a step further. When administrators can clearly see the vulnerability status of specific products, they can act on up-to-date information without opening a support request.

Introducing an SBOM to the equation enables administrators to use VEX documents and asset management systems to assess and prioritize their environment’s most critical vulnerabilities.
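As an added example (not code from this page or from the OASIS CSAF tooling), the following Python check ties the provider-metadata requirement and the VEX status rules above together: the publisher in provider-metadata.json is compared with the document's publisher, every product referenced by a status must exist in the product tree, and every known_not_affected product must carry a flag or an impact statement. The vendor, product names, CVE id and both JSON documents are constructed placeholders.

```python
import json

# Constructed sample provider-metadata.json (placeholder vendor, not a real one).
PROVIDER_METADATA = json.loads("""{
  "canonical_url": "https://vendor.example/.well-known/csaf/provider-metadata.json",
  "last_updated": "2024-01-15T10:00:00Z", "metadata_version": "2.0", "role": "csaf_trusted_provider",
  "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://vendor.example"}
}""")

# Constructed CSAF VEX document (placeholder CVE id). CSAFPID-0001 is justified by a
# flag; CSAFPID-0004 is neither in the product tree nor justified.
VEX_DOC = json.loads("""{
  "document": {"category": "csaf_vex", "csaf_version": "2.0",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://vendor.example"}},
  "product_tree": {"full_product_names": [
    {"product_id": "CSAFPID-0001", "name": "Example Gateway 3.1"},
    {"product_id": "CSAFPID-0002", "name": "Example Agent 2.0"},
    {"product_id": "CSAFPID-0003", "name": "Example Agent 2.1"}]},
  "vulnerabilities": [{
    "cve": "CVE-0000-0000",
    "product_status": {"known_affected": ["CSAFPID-0002"], "fixed": ["CSAFPID-0003"],
                       "known_not_affected": ["CSAFPID-0001", "CSAFPID-0004"]},
    "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["CSAFPID-0001"]}]
  }]
}""")

STATUSES = ("fixed", "known_affected", "known_not_affected", "under_investigation")

def check_vex(doc, provider_meta):
    """Return a list of findings; an empty list means every check passed."""
    out = []
    # provider-metadata.json's publisher SHOULD match the one in the documents
    if doc["document"]["publisher"] != provider_meta["publisher"]:
        out.append("document publisher differs from provider-metadata.json")
    known = {p["product_id"] for p in doc["product_tree"]["full_product_names"]}
    for vuln in doc["vulnerabilities"]:
        cve, status = vuln.get("cve", "?"), vuln.get("product_status", {})
        for key in STATUSES:  # every referenced product must exist in product_tree
            for pid in status.get(key, []):
                if pid not in known:
                    out.append(f"{cve}: {pid} is not in product_tree")
        # known_not_affected needs a machine-readable flag or an impact statement
        justified = {pid for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
        for t in vuln.get("threats", []):
            if t.get("category") == "impact":
                justified.update(t.get("product_ids", []))
        for pid in status.get("known_not_affected", []):
            if pid not in justified:
                out.append(f"{cve}: {pid} is known_not_affected without a justification")
    return out
```

Running `check_vex(VEX_DOC, PROVIDER_METADATA)` on the constructed input reports the two problems with CSAFPID-0004 and nothing else.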

Helpful Tools for Adoption of CSAF

The OASIS CSAF technical committee offers, on GitHub, a suite of tools for generating, modifying, uploading, validating, and otherwise handling CSAF documents, to help organizations adopt the framework:

Secvisogram – used for writing and revising advisories in a human-readable CSAF format.

The CSAF Visualizer – shows the CSAF JSON schema.

CSAF Provider – provides an HTTPS-based management service and fulfills the CSAF Trusted Provider role.

CSAF Uploader – a command-line tool for uploading CSAF documents to the Provider.

CSAF Downloader – a tool used to access and download CSAF content from a provider or domain.

CSAF Aggregator – carries out the responsibilities of a CSAF Aggregator.

CSAF Checker – uses Section 7 of the CSAF standard as a reference to evaluate a CSAF Trusted Provider.

CSAF Validator Library – a JavaScript library containing logic that may be shared among CSAF-based applications.

BSI Secvisogram CSAF Backend CMS – supports the generation of CSAF documents using processes, automation, backend code, and documentation.

CSAF Validator Service – a REST-based service used to validate documents in accordance with the CSAF standard.

With these meticulously built solutions, adopting a CSAF workflow is simplified for both vendors and clients.

Establishing Consistency and Accessibility

CSAF is more than a framework: it improves the consistency and accessibility of security vulnerability information, thereby reducing the time required to identify and remediate vulnerabilities. In a world where threats are always evolving, vendors owe it to themselves and their customers to provide this information in a format that can be automatically retrieved, processed, and acted upon without manual steps.
