logo
allArticlesConferencesPresentations

Your Software IS/NOT Vulnerable: CSAF, VEX, and the Future of Advisories

Conference:  BlackHat USA 2021

2021-08-04

Summary

The presentation discusses the need for automation in cybersecurity and the use of the Common Security Advisory Framework (CSAF) to make security advisories machine-readable and automatable.
  • The increasing number of vulnerabilities discovered requires a more efficient and automated process for vulnerability management.
  • CSAF is a machine-readable format that enables automation of security advisories.
  • Negative security advisories can also be used to communicate that something is potentially not affected.
  • Automation in cybersecurity can have real benefits for human health and safety, particularly in the healthcare sector.
  • Actions that can be taken include requesting suppliers to provide advisories in CSAF, writing advisories in CSAF, and spreading awareness about the need for automation in cybersecurity.
The healthcare sector is an example of an industry where security management can impact patient care. Automating the process can make it more efficient and reduce the cost of security updates. This highlights the importance of automation in cybersecurity beyond just protecting data.

Abstract

As more attention is paid to security and the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will actually be "false positives," when the underlying component vulnerability isn't actually exploitable. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk.The German and US governments have ended up partnering to coordinate industry-led initiatives to help automate the production, consumption, and scale of advisories, with particular attention to non-traditional software areas like ICS and healthcare. The Common Security Advisory Framework (CSAF) is an OASIS project that seeks to help automate the creation, management, and use of machine-readable vulnerability-related advisories. This talk will further introduce a key idea at the intersection of advisories and SBOM: the "Vulnerability Exploitability eXchange" (VEX) that allows software providers to explicitly communicate that they are *not* affected by a vulnerability. We close with an overview of the policy context to help practitioners understand where the world of SBOM and advisories is heading.
Materials:
Tags:

Post a comment

Related work

SBOMs, VEX, and Kubernetes

Conference:  Cloud Native SecurityCon North America 2023
Authors: Allan Friedman, PhD, Kiran Kamity, Jonathan Meadows, Andrew Martin, Rose Judge

OmniBOR: Bringing the Receipts for Supply Chain Security

Conference:  Cloud Native SecurityCon North America 2023
Authors: Frederick Kautz

SBOM Ingestion and Analysis at New York-Presbyterian Hospital - Katie Bratman & Adam Kojak, NewYork

Conference:  SupplyChainSecurityCon 2022
Authors: Katie Bratman, Adam kojak
2022-06-21

From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation for Arbitrary Types of Kernel Vulnerabilities

Conference:  BlackHat USA 2018
Authors:
2018-08-09

How I Learned to Stop Worrying and Love the SBOM

Conference:  BlackHat USA 2018
Authors:
2018-08-08

Shield with Hole: New Security Mitigation Helps Us Escape Chrome Sandbox to Exfiltrate User Privacy

Conference:  BlackHat EU 2020
Authors:
2020-12-09