Skilled IT, networking, and security professionals spend inordinate amounts of time surfing for human-readable vulnerability advisories and remediation information from various vendor and industry sources. The manual processes behind this hunting and pecking are continuous—especially for operational technology and industrial control system vulnerabilities—as vendors update software and firmware on an ad-hoc basis.
Final versions of vulnerability advisories, meanwhile, are not standardized in presentation, structure, or distribution format (PDF, HTML, TXT), and many are not consumable by vulnerability management platforms, SIEMs, or SOARs.
On this episode of Claroty's Nexus podcast (No. 30), experts Thomas Schmidt of the German Federal Office for Information Security and Martin Scheu, an OT Security Engineer at SWITCH-CERT in Switzerland, advocate for the Common Security Advisory Framework (CSAF).
Version 2.0 of the framework is available, and Schmidt and Scheu share a common message: standardize security advisories on CSAF. They plead with vendors to produce machine-readable advisories, and they urge asset owners to pressure vendors to do so.
"The biggest problem here is that the asset owners aren't asking for machine-readable security advisories. And as nobody is asking for them, nobody is producing them," Schmidt said. "And nobody is asking for them because they don't know that something like CSAF exists."
CSAF, according to OASIS, the nonprofit standards body behind the framework, "supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties."
CSAF advisories are in JSON format, which is consumable by most security platforms, and are structured in three parts: 1) document-level metadata, which includes tracking numbers, the advisory version, revision history, title, and other generic information; 2) the product tree of affected products and versions; and 3) a description of vulnerabilities, the products to which they apply, severity scores, and remediation actions and recommendations.
At a minimum, CSAF-structured advisories can eliminate the manual labor behind searching for vendor advisories, and matching them to a machine-readable asset database.
"It helps a lot, especially if there is an update to an advisory," Scheu said. "You can easily compare or filter out differences, and compare to an asset database and cross-check. You can do this all automatically."
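The cross-check Scheu describes, as an added example that is not from the podcast or from any CSAF project: a small Python script walks the three CSAF 2.0 sections (the `document`, `product_tree`, and `vulnerabilities` keys), resolves product IDs to product names through the product tree, and reports which inventory assets are listed as known affected together with the vendor's remediation. The advisory, the asset inventory, and the CVE identifier are constructed placeholders, not real data.

```python
"""Match a CSAF 2.0 advisory against an asset inventory (added example)."""
import json

# Constructed sample advisory; keys follow the CSAF 2.0 layout, values are made up.
ADVISORY_JSON = json.dumps({
    "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
                 "title": "Constructed PLC firmware advisory",
                 "tracking": {"id": "EXAMPLE-0001", "status": "final", "version": "2"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor",
        "branches": [{"category": "product_name", "name": "PLC-100", "branches": [
            {"category": "product_version", "name": "3.1",
             "product": {"name": "ExampleVendor PLC-100 3.1", "product_id": "CSAFPID-0001"}},
            {"category": "product_version", "name": "3.2",
             "product": {"name": "ExampleVendor PLC-100 3.2", "product_id": "CSAFPID-0002"}}]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-0000",  # placeholder identifier, not a real CVE
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to firmware 3.2",
                          "product_ids": ["CSAFPID-0001"]}]}],
})

# Constructed inventory: asset name -> installed product (name as the vendor lists it).
INVENTORY = {"plc-line1": "ExampleVendor PLC-100 3.1",
             "plc-line2": "ExampleVendor PLC-100 3.2"}


def product_names(node):
    """Recursively walk product_tree branches; map product_id -> full product name."""
    names = {}
    if "product" in node:
        names[node["product"]["product_id"]] = node["product"]["name"]
    for child in node.get("branches", []):
        names.update(product_names(child))
    return names


def affected_assets(advisory_json, inventory):
    """Return (asset, cve, product, remediation) for each inventory entry whose
    product appears under known_affected; fixed/not-affected products are skipped."""
    adv = json.loads(advisory_json)
    names = product_names(adv["product_tree"])
    hits = []
    for vuln in adv["vulnerabilities"]:
        for pid in vuln.get("product_status", {}).get("known_affected", []):
            fix = next((r["details"] for r in vuln.get("remediations", [])
                        if pid in r.get("product_ids", [])), "no remediation listed")
            for asset, product in inventory.items():
                if product == names.get(pid):
                    hits.append((asset, vuln.get("cve"), product, fix))
    return hits
```

Running `affected_assets(ADVISORY_JSON, INVENTORY)` flags only `plc-line1`, since version 3.2 is listed under `fixed` rather than `known_affected`.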
Vendors and industry groups can also check out a freely available CSAF 2.0 editor called Secvisogram, which is available on GitHub under an MIT license. The editor is a tool used to create and edit CVE information in JSON format. It aims to simplify the process of turning advisory details into CSAF format.
Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.