The Common Security Advisory Framework (CSAF) is an effective and efficient means by which manufacturers can communicate their recommendations for action on vulnerabilities. Graphical interfaces for use with CSAF, such as Secvisogram (available free of charge), facilitate input and maintenance of data in compliance with the standard.
Source: https://secvisogram.github.io/
New EU regulations place greater responsibility on manufacturers of products with digital elements.
For example, Article 14 (8) of the Cyber Resilience Act (CRA) sets out "reporting obligations of manufacturers", together with strict deadlines.
These require security vulnerabilities to be made known swiftly to all affected parties, and eliminated. Before now, however, alerts concerning vulnerabilities were often issued only after a considerable delay, if at all. Even where this did take place, affected parties then had to search for the information themselves in private forums or on the manufacturers’ own mailing lists. In addition, the data and documents concerned were provided in a wide range of formats. Searching for and interpreting information manually in this way is time-consuming and labour-intensive.
This situation presents manufacturers, operators and public authorities with the challenge of converting the data efficiently into a structured, machine-readable format that lends itself well to further automatic processing. An essential part of the solution can be found under the abbreviation "CSAF".
What is CSAF?
CSAF, the Common Security Advisory Framework, is an open standard for providing information in standardized form on vulnerabilities in digital products or products containing digital elements.
CSAF is based on JSON (JavaScript Object Notation), a machine-readable data format. It enables security advisories (security-related information) to be generated, published and communicated automatically in a form suitable for machine processing. CSAF documents describe vulnerabilities in specific products and their criticality, and provide recommendations for action.
The benefits of CSAF
-
Scalability
CSAF considerably facilitates vulnerability management, particularly in large infrastructures involving multiple systems of different kinds. Operators can use it to create an inventory list of thousands of components. A software application can then query operators’ CSAF databases automatically for each individual component, for example overnight, and deliver a report the following morning containing recommendations for action, referring only to affected components used by the operator.
-
Automation and speed
The machine-readable format with its standardized structure enables the security notifications to be processed more swiftly. Operators can then use a special program to query automatically whether any of their systems are affected by a vulnerability, and initiate appropriate measures if required. A manufacturer can even specify in the CSAF document that although a particular product uses a library exhibiting a critical vulnerability, the product in its current form is not affected by it.
At the end of 2021, security vulnerabilities in the log4j library reached the headlines worldwide and affected millions of products. Operators had to ask manufacturers themselves whether the latter’s products were affected. A generic solution such as CSAF did not yet exist at that time. Many operators waited months for information, and manufacturers’ hotlines were unable to cope with demand. This led to uncertainty, and had a high economic cost.
Even where products are not affected by reported security vulnerabilities, all parties concerned benefit from this information being made public quickly. It can be included and distributed in the VEX (Vulnerability Exploitability eXchange) profile in CSAF.
The following example shows the efficacy of CSAF in conjunction with the VEX profile:
In December 2021, the manufacturer of a control panel was using the log4j library with the CVE-2021-44228 vulnerability. In this particular implementation of the library, however, the vulnerability had no effect on the panel. The manufacturer can now use CSAF/VEX to communicate clearly that his product is not affected.
-
Consistency and clarity
CSAF standardizes the manner in which security information is made available. The criticality is presented in standardized rating scales, and a standardized vocabulary is also used for semantic description of the vulnerability. The data fields have a uniform structure, enabling them to be translated easily and presented accessibly. This reduces misunderstandings and facilitates integration into security processes that are already in place.
-
Efficient cooperation between manufacturers and operators
Cooperation between manufacturers and operators is crucial if vulnerability management is to be effective. Operators benefit from the information provided, which they use to assess risks and prioritize measures. In turn, they can provide manufacturers with feedback when the information requires amendments or additions. CSAF thus supports close and transparent cooperation. At a time when networking and the complexity of digital products is increasing, this is of crucial importance.
Conclusion
In the field of IT security, CSAF constitutes an essential element of modern vulnerability management. It promotes efficiency, consistency and speed in the exchange of information relevant to security. Standardization of the form taken by cooperation between manufacturers and operators improves the security of IT systems and speeds up the response to vulnerabilities.
