About CSAF
Introduction
A reported and fixed vulnerability is only the beginning of the vulnerability handling process on the operator side. In order to be protected from the vulnerability as a user, the corresponding update must be installed. As the installation of updates can have far-reaching consequences, a prior risk assessment is advisable. In order to carry out such an assessment, all relevant information on the vulnerability must be provided to the user promptly and efficiently. So far, human-readable security information, so-called security advisories, has been published by the manufacturers or the coordinating bodies. Those advisories do not follow an international standard and are published through a wide range of media.
Increasingly labor-intensive evaluation
In order to assess the risks to the IT infrastructure and products they use, operators need to sift through these security advisories. Researching newly published advisories and evaluating their relevance regularly requires a great deal of time and personnel. This is due to the fact that manufacturers and other publishing bodies use a wide variety of notification channels for their customers and the public. For example, e-mail notifications are sometimes sent (with a delay), or there is an RSS feed that has to be subscribed to, or new advisories only appear on a (possibly access-protected) website that has to be checked manually. At the same time, more and more bodies are publishing an increasing number of security advisories. Furthermore, it is generally not trivial to check whether the products referenced in an advisory are actually used in the area the operator is responsible for.
As security advisories from different sources usually differ greatly in terms of file format, structure, quality of information and formatting, automated processing by the evaluating body is not possible or only possible to a limited extent. Manual processing, on the other hand, ties up well-trained specialists with trivial tasks. In addition, the manual approach is not scalable as the number of security advisories increases, meaning that more and more complex advisories have to be analyzed with the same number of personnel. As a result, operators often do not evaluate this important source of information constantly or regularly. They only act on an ad hoc basis, for example following media reports.
CSAF enables automation
Together with national and international partners, the German BSI is therefore working on a solution to make it easier for users to find, evaluate and implement security advisories. The machine-processable format for security advisories, the so-called Common Security Advisory Framework (CSAF) 2.0, will make a decisive contribution to helping companies maintain an overview and secure their systems. The security advisories can be automatically retrieved from the manufacturers and compared with the company's own inventory database. The BSI has already published the first tool for creating CSAF documents, Secvisogram.
sematicon has adopted this standard so that both humans and machines can read our security advisories, which follow strict guidelines to protect our company, products and customers.
CSAF FAQ
What is the Common Security Advisory Framework (CSAF)?
The Common Security Advisory Framework (CSAF) is the definitive reference for the language which supports creation, update, and interoperable exchange of security advisories as structured information on products, vulnerabilities and the status of impact and remediation among interested parties. You can access the CSAF 2.0 standard here.
What problems are addressed by CSAF?
CSAF enables individuals and organizations to disclose and consume security advisories in a machine-readable format. It also specifies how CSAF documents are distributed and discovered.
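The distribution and discovery part of the standard is what lets a consumer locate a publisher's advisories without a human reading a web page. The following is an added example (not code from this page, from sematicon, or from the OASIS/BSI tooling) showing the three places the CSAF 2.0 distribution requirements point a consumer to for a publisher's provider-metadata.json (the well-known path, the DNS-based host, and the CSAF field of security.txt), how the feed locations are read out of that file, and a few sanity checks before the feeds are trusted. The domain vendor.example, the security.txt text, the key fingerprint and the provider-metadata.json content are constructed placeholders.

```python
"""Locate and sanity-check a publisher's CSAF distribution points.

Added example; the domain, security.txt body and provider-metadata.json below
are constructed placeholders, not data from any real vendor.
"""
import json

WELL_KNOWN_PATH = "/.well-known/csaf/provider-metadata.json"


def discovery_candidates(domain):
    """URLs a consumer tries for provider-metadata.json: the well-known path on the
    publisher's domain and the DNS-based host. security.txt is the third route
    (see csaf_urls_from_security_txt)."""
    return [f"https://{domain}{WELL_KNOWN_PATH}",
            f"https://csaf.data.security.{domain}"]


def csaf_urls_from_security_txt(text):
    """Extract every 'CSAF:' field from a security.txt (RFC 9116) body; each one
    points at a provider-metadata.json."""
    urls = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:
            continue
        field, value = line.split(":", 1)
        if field.strip().lower() == "csaf":
            urls.append(value.strip())
    return urls


def feed_locations(provider_metadata):
    """Return (kind, url, tlp_label) for every distribution point. ROLIE feeds carry
    a TLP label; plain directory listings do not."""
    out = []
    for dist in provider_metadata.get("distributions", []):
        if "directory_url" in dist:
            out.append(("directory", dist["directory_url"], None))
        for feed in dist.get("rolie", {}).get("feeds", []):
            out.append(("rolie", feed["url"], feed.get("tlp_label")))
    return out


def sanity_check(provider_metadata, expected_candidates):
    """Consumer-side checks before trusting the metadata: canonical_url is one of
    the locations we discovered it at, an OpenPGP key is advertised so document
    signatures can be verified, and every distribution point is served over HTTPS."""
    problems = []
    if provider_metadata.get("canonical_url") not in expected_candidates:
        problems.append("canonical_url does not match a discovery location")
    if not provider_metadata.get("public_openpgp_keys"):
        problems.append("no public_openpgp_keys advertised; signatures cannot be verified")
    for _, url, _ in feed_locations(provider_metadata):
        if not url.startswith("https://"):
            problems.append(f"non-HTTPS distribution: {url}")
    return problems


# Constructed security.txt body.
SECURITY_TXT = """# security.txt (constructed sample)
Contact: mailto:security@vendor.example
Expires: 2030-01-01T00:00:00.000Z
CSAF: https://vendor.example/.well-known/csaf/provider-metadata.json
"""

# Constructed provider-metadata.json. The AMBER feed is deliberately served over
# plain HTTP so that sanity_check has something to report. The key fingerprint is
# a placeholder.
PROVIDER_METADATA = json.loads("""{
  "canonical_url": "https://vendor.example/.well-known/csaf/provider-metadata.json",
  "last_updated": "2024-01-01T00:00:00Z",
  "metadata_version": "2.0",
  "role": "csaf_provider",
  "publisher": {"category": "vendor", "name": "Example Vendor",
                "namespace": "https://vendor.example"},
  "public_openpgp_keys": [{"fingerprint": "0000000000000000000000000000000000000000",
                           "url": "https://vendor.example/.well-known/csaf/openpgp/key.asc"}],
  "distributions": [
    {"directory_url": "https://vendor.example/.well-known/csaf/white/"},
    {"rolie": {"feeds": [
      {"summary": "TLP:WHITE advisories", "tlp_label": "WHITE",
       "url": "https://vendor.example/.well-known/csaf/white/csaf-feed-tlp-white.json"},
      {"summary": "TLP:AMBER advisories", "tlp_label": "AMBER",
       "url": "http://vendor.example/.well-known/csaf/amber/csaf-feed-tlp-amber.json"}
    ]}}
  ]
}""")


if __name__ == "__main__":
    candidates = discovery_candidates("vendor.example")
    print("discovery locations:", candidates + csaf_urls_from_security_txt(SECURITY_TXT))
    for kind, url, tlp in feed_locations(PROVIDER_METADATA):
        print(f"{kind:9} {tlp or '-':6} {url}")
    print("problems:", sanity_check(PROVIDER_METADATA, candidates))
```

A real consumer would fetch the metadata over HTTPS, verify each advisory's OpenPGP signature with the advertised key, and only then walk the ROLIE feeds or directory listings; the checks above are the minimum to do before any of that.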
Is CSAF a replacement for CVE?
No. CSAF is not a replacement for CVE. A CSAF document may include one or many security vulnerabilities that have been assigned a CVE. Not all vulnerabilities are assigned a CVE. CSAF also allows for any organization to be able to disclose or consume security vulnerabilities or responses that do not have an assigned CVE.
What is VEX and how is it supported in CSAF?
The Vulnerability Exploitability eXchange (VEX) allows a software supplier or other parties to assert the status of specific vulnerabilities in a particular product. CSAF supports VEX to allow suppliers and other parties to provide the status of the vulnerabilities that may affect a product. As stated in CISA's VEX Use Case documentation, VEX is a form of a security advisory, similar to those already issued by mature product security teams today. There are a few important improvements for the VEX model over ‘traditional’ security advisories. First, VEX documents are machine readable, built to support integration into existing and novel security management tools, as well as broader vulnerability tracking platforms. Second, VEX data can support more effective use of Software Bills of Materials (SBOM) data.
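The automated retrieval-and-compare workflow described under "CSAF enables automation" and the VEX status assertions described here come together when an operator triages a received document against an inventory. The following is an added example (not code from this page, from sematicon, or from the OASIS/BSI tooling): a constructed minimal CSAF 2.0 VEX document is matched by package URL against a constructed inventory, each inventory item's status (known_affected, fixed, known_not_affected, under_investigation) is reported together with the justification flag or vendor remediation, and two consistency rules are checked before the statuses are believed: a product must not appear in two status groups, and every known_not_affected product must carry a flag or an impact threat explaining why. The CVE id CVE-0000-0001, the product names, purls and tracking id are placeholders.

```python
"""Triage a CSAF 2.0 (VEX profile) document against a local product inventory.

Added example with a constructed document; the CVE id, products, purls and
tracking id are placeholders, not real identifiers.
"""
import json

# Constructed sample CSAF 2.0 VEX document.
SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Example VEX advisory (constructed)",
        "tracking": {
            "id": "EXAMPLE-VEX-0001",  # placeholder tracking id
            "current_release_date": "2024-01-01T00:00:00Z",
            "initial_release_date": "2024-01-01T00:00:00Z",
            "status": "final", "version": "1",
            "revision_history": [{"date": "2024-01-01T00:00:00Z", "number": "1",
                                  "summary": "Initial version"}],
        },
    },
    "product_tree": {
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "Example Gateway 1.0",
             "product_identification_helper": {"purl": "pkg:generic/example/gateway@1.0"}},
            {"product_id": "CSAFPID-0002", "name": "Example Gateway 1.1",
             "product_identification_helper": {"purl": "pkg:generic/example/gateway@1.1"}},
            {"product_id": "CSAFPID-0003", "name": "Example Agent 2.0",
             "product_identification_helper": {"purl": "pkg:generic/example/agent@2.0"}},
        ]
    },
    "vulnerabilities": [{
        "cve": "CVE-0000-0001",  # placeholder, not a real CVE
        "product_status": {
            "known_affected": ["CSAFPID-0001"],
            "fixed": ["CSAFPID-0002"],
            "known_not_affected": ["CSAFPID-0003"],
        },
        # VEX justification for the not-affected product
        "flags": [{"label": "vulnerable_code_not_in_execute_path",
                   "product_ids": ["CSAFPID-0003"]}],
        "remediations": [{"category": "vendor_fix",
                          "details": "Upgrade to Example Gateway 1.1",
                          "product_ids": ["CSAFPID-0001"]}],
    }],
})

# Constructed inventory: package URLs of what the operator actually runs.
INVENTORY = {"pkg:generic/example/gateway@1.0", "pkg:generic/example/agent@2.0"}

STATUS_KEYS = ("known_affected", "under_investigation", "fixed", "known_not_affected")


def purl_index(doc):
    """Map purl -> (product_id, name) from a flat product_tree.full_product_names list."""
    out = {}
    for fpn in doc.get("product_tree", {}).get("full_product_names", []):
        purl = fpn.get("product_identification_helper", {}).get("purl")
        if purl:
            out[purl] = (fpn["product_id"], fpn["name"])
    return out


def check_product_status(vuln):
    """Return problems found in one vulnerability entry: a product listed in two
    status groups, or a known_not_affected product with no flag and no impact
    threat (the VEX profile's impact-statement requirement)."""
    problems, seen = [], {}
    for key in STATUS_KEYS:
        for pid in vuln.get("product_status", {}).get(key, []):
            if pid in seen and seen[pid] != key:
                problems.append(f"{pid} listed as both {seen[pid]} and {key}")
            seen[pid] = key
    justified = {pid for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
    justified |= {pid for t in vuln.get("threats", []) if t.get("category") == "impact"
                  for pid in t.get("product_ids", [])}
    for pid in vuln.get("product_status", {}).get("known_not_affected", []):
        if pid not in justified:
            problems.append(f"{pid} is known_not_affected without a flag or impact statement")
    return problems


def triage(csaf_json, inventory):
    """For each inventory item the document mentions, return its status per
    vulnerability, the justification flag (if any), the remediation (if any) and
    any consistency problems found in that vulnerability entry."""
    doc = json.loads(csaf_json)
    by_purl = purl_index(doc)
    results = []
    for vuln in doc.get("vulnerabilities", []):
        status_of = {pid: key for key in STATUS_KEYS
                     for pid in vuln.get("product_status", {}).get(key, [])}
        flag_of = {pid: f["label"] for f in vuln.get("flags", []) for pid in f.get("product_ids", [])}
        fix_of = {pid: f"{r['category']}: {r.get('details', '')}"
                  for r in vuln.get("remediations", []) for pid in r.get("product_ids", [])}
        problems = check_product_status(vuln)
        for purl in sorted(inventory):
            if purl in by_purl and by_purl[purl][0] in status_of:
                pid, name = by_purl[purl]
                results.append({"cve": vuln.get("cve"), "product": name,
                                "status": status_of[pid], "justification": flag_of.get(pid),
                                "remediation": fix_of.get(pid), "problems": problems})
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_CSAF, INVENTORY):
        print(row)
```

Matching on purl (or CPE, hash or serial number from the same product_identification_helper) rather than on free-text product names is what makes the comparison with an inventory database reliable; real product trees are usually nested `branches` rather than a flat list, so a production consumer walks the tree to collect the full product names.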
Is CSAF the replacement for CVRF?
Yes. CSAF is the replacement for the Common Vulnerability Reporting Framework (CVRF). It enhances the capabilities of CVRF, including different profiles (e.g., CSAF Base, Informational Advisory, Incident Response, VEX, etc.). Each profile extends the base profile "CSAF Base", directly or indirectly through another profile from the standard, by making additional fields from the standard mandatory. A profile can always add, but never remove or override, requirements defined in the profile it extends. CSAF also provides several additional enhancements that were not supported in CVRF. In addition, CSAF uses JSON instead of the XML used in CVRF.
CSAF Tools
All tools required to use CSAF are available in the OASIS GitHub here