The world of security advisories is disjointed, with disparate systems holding critical documentation in various formats. To make matters more challenging, despite living in a digital-first era, most of these documents are not machine-readable and must be parsed, reviewed, or referenced by humans.
As system administrators contend with a rapidly changing threat landscape and the need to remain agile in the face of innovative cyber criminals, manually reading advisories, reviewing listed products and versions, and evaluating risk and potential actions is burdensome, at best.
In the world of cybersecurity, time itself can be a risk. Administrators and security professionals need to be able to initiate vulnerability remediation swiftly. They also need to be able to rely on software and hardware vendors to disclose security vulnerabilities in a timely and accessible way.
Background of the Common Security Advisory Framework
The Common Security Advisory Framework (CSAF) was developed to address the need for accessible and machine-readable security documentation. CSAF is an OASIS standard for disclosing vulnerabilities in a machine-readable JSON format, so that hardware and software vendors can publish advisories once and their customers can ingest, assess, and act on them automatically.
The CSAF standard supports the automation of security advisories across all stages: their production, distribution, and consumption. The Cybersecurity & Infrastructure Security Agency (CISA), a US government agency, advocates widespread adoption of CSAF, calling it one of the three "critical steps to advance the vulnerability management ecosystem" because of its ability to shorten the timeline between disclosure and remediation of vulnerabilities.
CSAF 2.0 introduced provider metadata: a provider-metadata.json file that a publishing party serves at a well-known location, describing who the publisher is, what role it plays (publisher, provider, or trusted provider), and where its advisories and feeds can be fetched. An excerpt from the CSAF specification:
"The party MUST provide a valid provider-metadata.json according to the schema CSAF provider metadata for its own metadata. The publisher object SHOULD match the one used in the CSAF documents of the issuing party but can be set to whatever value a CSAF aggregator SHOULD display over any individual publisher values in the CSAF documents themselves."
Because every provider publishes this file in the same schema, aggregators, listers, and end users can all discover and consume a provider's advisories the same way, rather than each party compiling that information by hand.
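As an added example (not code from the article or from the OASIS CSAF project), the following Python shows what a consumer does with provider metadata: it lists the discovery locations CSAF 2.0 defines (the well-known path, a CSAF field in security.txt, and the DNS-path form), pulls the CSAF field out of a security.txt, and sanity-checks a parsed provider-metadata.json, including that canonical_url matches where the file was actually fetched from and that every distribution is served over HTTPS. The security.txt and metadata document are constructed for illustration, and example.com is a placeholder domain.

```python
"""Discovering and checking a CSAF provider-metadata.json (added example)."""
import json
from urllib.parse import urlparse

VALID_ROLES = {"csaf_publisher", "csaf_provider", "csaf_trusted_provider"}


def discovery_urls(domain):
    """Locations the CSAF 2.0 Section 7 requirements tell a consumer to try."""
    return [
        f"https://{domain}/.well-known/csaf/provider-metadata.json",  # well-known path
        f"https://{domain}/.well-known/security.txt",                 # look for a 'CSAF:' field
        f"https://csaf.data.security.{domain}/",                      # DNS-path form
    ]


def csaf_urls_from_security_txt(text):
    """Return the values of every CSAF: field in a security.txt body."""
    return [line.split(":", 1)[1].strip()
            for line in text.splitlines()
            if line.split(":", 1)[0].strip().lower() == "csaf"]


def check_provider_metadata(meta, fetched_from):
    """Sanity-check a parsed provider-metadata.json; return a list of problems."""
    problems = []
    if meta.get("metadata_version") != "2.0":
        problems.append(f"unexpected metadata_version {meta.get('metadata_version')!r}")
    if meta.get("role") not in VALID_ROLES:
        problems.append(f"unknown role {meta.get('role')!r}")
    # canonical_url must be the URL the file was really fetched from; a copy
    # served elsewhere (e.g. a mirror) should not be treated as authoritative.
    if meta.get("canonical_url") != fetched_from:
        problems.append("canonical_url does not match the fetch location")
    for dist in meta.get("distributions", []):
        urls = [dist.get("directory_url")]
        urls += [f.get("url") for f in dist.get("rolie", {}).get("feeds", [])]
        for url in filter(None, urls):
            if urlparse(url).scheme != "https":
                problems.append(f"non-HTTPS distribution URL {url}")
    return problems


def feeds_by_tlp(meta):
    """Map TLP label -> ROLIE feed URLs, so a consumer can pick the feeds it may read."""
    feeds = {}
    for dist in meta.get("distributions", []):
        for feed in dist.get("rolie", {}).get("feeds", []):
            feeds.setdefault(feed["tlp_label"], []).append(feed["url"])
    return feeds


# Constructed sample input (placeholder domain and publisher).
SECURITY_TXT = """Contact: mailto:security@example.com
Expires: 2030-01-01T00:00:00.000Z
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
"""

PROVIDER_METADATA = json.loads("""
{"canonical_url": "https://example.com/.well-known/csaf/provider-metadata.json",
 "distributions": [{"directory_url": "https://example.com/.well-known/csaf/",
   "rolie": {"feeds": [
     {"summary": "TLP:WHITE advisories", "tlp_label": "WHITE",
      "url": "https://example.com/.well-known/csaf/white/csaf-feed-tlp-white.json"},
     {"summary": "TLP:AMBER advisories", "tlp_label": "AMBER",
      "url": "https://example.com/.well-known/csaf/amber/csaf-feed-tlp-amber.json"}]}}],
 "last_updated": "2024-01-01T00:00:00Z",
 "list_on_CSAF_aggregators": true, "metadata_version": "2.0",
 "mirror_on_CSAF_aggregators": false,
 "publisher": {"category": "vendor", "name": "Example Corp (placeholder)",
               "namespace": "https://example.com"},
 "role": "csaf_trusted_provider"}
""")

if __name__ == "__main__":
    url = csaf_urls_from_security_txt(SECURITY_TXT)[0]
    print("metadata URL from security.txt:", url)
    print("problems:", check_provider_metadata(PROVIDER_METADATA, url) or "none")
    print("feeds by TLP:", feeds_by_tlp(PROVIDER_METADATA))
```

The canonical_url comparison is the check worth keeping: it ties the metadata to the provider's own domain, which is what a consumer is trusting when it later follows the feed URLs inside the file.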
VEX and SBOMs
Developed in the SBOM community, the Vulnerability Exploitability eXchange (VEX) is a profile within CSAF. This profile was designed as an effective means of issuing a negative security advisory - that is, for vendors to communicate that their product is not affected by a vulnerability.
A VEX document lists products and, for each vulnerability, the status of every product with respect to it. Vendors can mark products as Under Investigation, Fixed, Known Affected, or Known Not Affected (in the JSON: under_investigation, fixed, known_affected, known_not_affected). Marking a product as Known Not Affected is not enough on its own: VEX requires a justification for this status, given either as a flag (for example, vulnerable_code_not_present) or as an impact statement naming the product.
While CSAF offers automation as a relief to manual processes, VEX takes things one step further. By being able to clearly review vulnerability statuses for specific products, administrators can take action based on up-to-date information without submitting a support request for insight.
Adding an SBOM to the equation means administrators can use VEX documents and asset management systems to assess and set priorities for the most pertinent vulnerabilities relevant to their environment.
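The following Python is an added example, not code from the article or from the OASIS CSAF project. It walks a CSAF VEX document's product tree, reads the four product_status groups, and joins them against a local inventory of product IDs (the kind of list an SBOM or asset system would supply) to produce a per-product action. It also enforces the rule from the text that a known_not_affected product needs a justification: a product without one is reported as a conformance error and its action is downgraded to "unverified" rather than "no action". The VEX document (vendor Acme, product IDs CSAFPID-000x, CVE-2099-0001) and the inventory are constructed placeholders, trimmed to the fields this example reads; a real document carries more required metadata.

```python
"""Acting on a CSAF VEX document against a local product inventory (added example)."""
import json

# Flag labels the CSAF 2.0 VEX profile accepts as a known_not_affected
# justification; a threat of category "impact" naming the product is the
# other accepted form.
VEX_JUSTIFICATION_FLAGS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
STATUS_GROUPS = ("known_affected", "known_not_affected", "fixed", "under_investigation")
ACTIONS = {
    "known_affected": "remediate or mitigate now",
    "fixed": "none; this product_id is the fixed release",
    "known_not_affected": "none; vendor-justified",
    "under_investigation": "track; re-evaluate on the next document revision",
}

# Constructed VEX document: placeholder vendor, products and CVE ID.
VEX_DOC = json.loads(r"""
{"document": {"category": "csaf_vex", "csaf_version": "2.0",
  "publisher": {"category": "vendor", "name": "Acme (placeholder)", "namespace": "https://acme.example"},
  "title": "Constructed VEX for CVE-2099-0001",
  "tracking": {"id": "ACME-VEX-0001", "status": "final", "version": "1"}},
 "product_tree": {"branches": [{"category": "vendor", "name": "Acme", "branches": [
   {"category": "product_name", "name": "Widget", "branches": [
     {"category": "product_version", "name": "1.0", "product": {"name": "Acme Widget 1.0", "product_id": "CSAFPID-0001"}},
     {"category": "product_version", "name": "1.1", "product": {"name": "Acme Widget 1.1", "product_id": "CSAFPID-0002"}}]},
   {"category": "product_name", "name": "Gadget", "branches": [
     {"category": "product_version", "name": "2.0", "product": {"name": "Acme Gadget 2.0", "product_id": "CSAFPID-0003"}},
     {"category": "product_version", "name": "2.1", "product": {"name": "Acme Gadget 2.1", "product_id": "CSAFPID-0004"}}]},
   {"category": "product_name", "name": "Gizmo", "product": {"name": "Acme Gizmo", "product_id": "CSAFPID-0005"}}]}]},
 "vulnerabilities": [{"cve": "CVE-2099-0001",
   "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"],
                      "known_not_affected": ["CSAFPID-0003", "CSAFPID-0004"],
                      "under_investigation": ["CSAFPID-0005"]},
   "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["CSAFPID-0003"]}]}]}
""")


def products_by_id(doc):
    """Map product_id -> product name by walking the product_tree branches."""
    found = {}

    def walk(branch):
        if "product" in branch:
            found[branch["product"]["product_id"]] = branch["product"]["name"]
        for child in branch.get("branches", []):
            walk(child)

    for top in doc.get("product_tree", {}).get("branches", []):
        walk(top)
    return found


def product_statuses(vuln):
    """Map product_id -> status group; a product in two groups is a document error."""
    statuses = {}
    for group in STATUS_GROUPS:
        for pid in vuln.get("product_status", {}).get(group, []):
            if pid in statuses:
                raise ValueError(f"{pid} is both {statuses[pid]} and {group}")
            statuses[pid] = group
    return statuses


def justification(vuln, pid):
    """VEX justification for a known_not_affected product, or None if absent.
    Only direct product_ids are checked; product groups are not resolved here."""
    for flag in vuln.get("flags", []):
        if flag.get("label") in VEX_JUSTIFICATION_FLAGS and pid in flag.get("product_ids", []):
            return flag["label"]
    for threat in vuln.get("threats", []):
        if threat.get("category") == "impact" and pid in threat.get("product_ids", []):
            return "impact: " + threat.get("details", "")
    return None


def evaluate(doc, inventory):
    """Return (findings for inventory products, conformance errors in the document)."""
    errors, findings = [], []
    if doc.get("document", {}).get("category") != "csaf_vex":
        errors.append("document.category is not csaf_vex")
    names = products_by_id(doc)
    for vuln in doc.get("vulnerabilities", []):
        vid = vuln.get("cve") or vuln.get("title", "untitled")
        statuses = product_statuses(vuln)
        for pid, status in statuses.items():
            if status == "known_not_affected" and justification(vuln, pid) is None:
                errors.append(f"{vid}: {pid} known_not_affected without justification")
        for pid in inventory:
            status = statuses.get(pid)
            if status is None:
                continue  # this document says nothing about the product
            why = justification(vuln, pid) if status == "known_not_affected" else None
            action = ACTIONS[status]
            if status == "known_not_affected" and why is None:
                action = "treat as unverified; ask the vendor for a justification"
            findings.append({"product_id": pid, "name": names.get(pid, pid), "vulnerability": vid,
                             "status": status, "justification": why, "action": action})
    return findings, errors


if __name__ == "__main__":
    inventory = ["CSAFPID-0001", "CSAFPID-0003", "CSAFPID-0004", "CSAFPID-0005", "OTHER-0001"]
    found, errs = evaluate(VEX_DOC, inventory)
    for f in found:
        print(f"{f['name']:16} {f['vulnerability']}  {f['status']:20} -> {f['action']}")
    for e in errs:
        print("CONFORMANCE:", e)
```

In the constructed document, Gadget 2.0 is justified (vulnerable_code_not_present) and Gadget 2.1 is not; the second one is exactly the case an administrator should not silently accept, which is why the code reports it rather than treating "not affected" as the end of the matter.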
Tools to Aid the Adoption of CSAF
To support organizations in the adoption of the CSAF framework, the OASIS CSAF Technical Committee and the community around it offer a suite of open-source tools on GitHub for creating, editing, uploading, distributing, and validating CSAF documents:
Secvisogram - used for creating and editing advisories in a human-readable CSAF format.
CSAF Visualizer - to visualize the CSAF JSON schema.
CSAF Provider - offers an HTTPS-based management service and implements the role of CSAF Trusted Provider.
CSAF Uploader - command line-based tool for uploading CSAF documents to the Provider.
CSAF Aggregator - implements the role of CSAF Aggregator.
CSAF Checker - tests a CSAF Trusted Provider against the requirements in Section 7 of the CSAF standard.
CSAF Downloader - a tool to access and download CSAF content from a domain or provider.
CSAF Validator Service - REST-based service used to validate documents against CSAF standards.
BSI Secvisogram CSAF Backend CMS - supports the production of CSAF documents with workflows, automation, backend code, and documentation.
With these carefully-crafted tools, adopting a CSAF workflow becomes easier for vendors and their customers.
Building Consistency and Availability
More than a framework, CSAF builds consistency and availability of security vulnerability information, shortening the timeline between discovery and remediation. In a fast-paced world of ever-evolving threats, vendors owe it to themselves and their customers to make this information available in a way that can be automated, parsed, and acted upon promptly, without manual processes.
About the Author:
Having spent her career in various capacities and industries under the “high tech” umbrella, Stefanie Shank is passionate about the trends, challenges, solutions, and stories of existing and emerging technologies. A storyteller at heart, she considers herself one of the lucky ones: someone who gets to make a living doing what she loves.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.