Advancing a standard format for vendors to disclose cybersecurity vulnerabilities
Technology providers and their customers are joining forces to advance a standard format for vendors to disclose cybersecurity vulnerabilities.
The work of the new OASIS Common Security Advisory Framework (CSAF) Technical Committee will enable greater interoperability among products and ensure that structured, machine-readable security advisories can be produced and consumed much more broadly.
“Defenders need to be able to quickly and automatically assess the impact of a security vulnerability on any of the products they have deployed. We need to get beyond just disclosing vulnerabilities and make it possible to consume and respond to disclosures in an automated way, without the need for special semantic handling of each source,” said Art Manion, a Technical Manager of the CERT/CC at the Carnegie Mellon University Software Engineering Institute.
“No software or hardware is immune to security vulnerabilities,” said Omar Santos of Cisco, chair of the OASIS CSAF Technical Committee. “Our goal with CSAF is to make it easier for administrators to identify and address known vulnerabilities within their networks, regardless of the platforms they’re using.”
CSAF builds on the Common Vulnerability Reporting Framework (CVRF) which was initiated by ICASI, the Industry Consortium for Advancement of Security on the Internet. Several technology vendors (including major Internet backbone providers) already produce advisories in the CVRF format, and many organizations successfully consume this information. ICASI has contributed CVRF 1.1 to the OASIS CSAF Technical Committee for further development.
“Machine readable security advisories help security practitioners manage all the disclosures that may affect their organization, efficiently identify and assess affected systems, and more rapidly determine how to remediate security vulnerabilities,” said Klee Michaelis, Cisco Product Security Incident Response Team (PSIRT) Director.
Oracle Chief Security Officer, Mary Ann Davidson, said, “Oracle has been an early adopter of CVRF. The adoption of the standard by OASIS, and its promotion as CSAF, will help ensure a wider adoption not only by security companies, but also by customers, who will be in a better position to systematically assess vulnerabilities and prioritize their patching effort. CSAF will be particularly valuable in helping deal with the growing number of vulnerabilities discovered in widely-used open source components.”