Your Software IS/NOT Vulnerable: CSAF, VEX, and the Future of Advisories

Conference: BlackHat USA 2021



The presentation discusses the need for automation in cybersecurity and the use of the Common Security Advisory Framework (CSAF) to make security advisories machine-readable and automatable.
  • The increasing number of vulnerabilities discovered requires a more efficient and automated process for vulnerability management.
  • CSAF is a machine-readable format that enables automation of security advisories.
  • Negative security advisories can also be used to communicate that something is potentially not affected.
  • Automation in cybersecurity can have real benefits for human health and safety, particularly in the healthcare sector.
  • Actions that can be taken include requesting suppliers to provide advisories in CSAF, writing advisories in CSAF, and spreading awareness about the need for automation in cybersecurity.
The healthcare sector is an example of an industry where security management can impact patient care. Automating the process can make it more efficient and reduce the cost of security updates. This highlights the importance of automation in cybersecurity beyond just protecting data.


As more attention is paid to security and the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will actually be "false positives," when the underlying component vulnerability isn't actually exploitable. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk.

The German and US governments have ended up partnering to coordinate industry-led initiatives to help automate the production, consumption, and scale of advisories, with particular attention to non-traditional software areas like ICS and healthcare. The Common Security Advisory Framework (CSAF) is an OASIS project that seeks to help automate the creation, management, and use of machine-readable vulnerability-related advisories. This talk will further introduce a key idea at the intersection of advisories and SBOM: the "Vulnerability Exploitability eXchange" (VEX) that allows software providers to explicitly communicate that they are *not* affected by a vulnerability. We close with an overview of the policy context to help practitioners understand where the world of SBOM and advisories is heading.
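To show what consuming a "not affected" statement looks like on the consumer side, here is an added example (not code from the talk or from any CSAF project) that reads a constructed CSAF VEX document and turns each product status into a triage action for components found in an SBOM. It assumes the CSAF 2.0 field names (`product_status`, `flags`, `full_product_names`); the product ids and the CVE id are placeholders.

```python
import json
# Constructed sample CSAF 2.0 VEX document (not from the talk); product ids and
# the CVE id are placeholders.
SAMPLE_VEX = json.loads("""{
  "document": {"category": "csaf_vex", "title": "Constructed sample VEX",
               "tracking": {"id": "EXAMPLE-VEX-0001"}},
  "product_tree": {"full_product_names": [
    {"name": "Example Gateway 2.1", "product_id": "CSAFPID-0001"},
    {"name": "Example Gateway 2.0", "product_id": "CSAFPID-0002"}]},
  "vulnerabilities": [{"cve": "CVE-0000-0000",
    "product_status": {"known_not_affected": ["CSAFPID-0001"],
                       "known_affected": ["CSAFPID-0002"]},
    "flags": [{"label": "vulnerable_code_not_in_execute_path",
               "product_ids": ["CSAFPID-0001"]}]}]}""")

STATUS_KEYS = ("known_affected", "known_not_affected", "fixed", "under_investigation")
SIMPLE_ACTIONS = {
    "known_affected": "remediate", "fixed": "verify fix applied", "under_investigation": "track",
    "unknown": "no VEX statement: treat as potentially affected",
    "inconsistent": "contradictory statuses: reject document"}

def status_for(doc, cve, product_id):
    """Return (status, justification_flag) for one product/CVE pair. 'unknown' means the
    document is silent; 'inconsistent' means the product sits under several statuses."""
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        ps = vuln.get("product_status", {})
        hits = [k for k in STATUS_KEYS if product_id in ps.get(k, [])]
        if len(hits) != 1:
            return ("inconsistent" if hits else "unknown"), None
        flag = next((f["label"] for f in vuln.get("flags", [])
                     if product_id in f.get("product_ids", [])), None)
        return hits[0], flag
    return "unknown", None

def triage(doc, inventory, cve):
    """Map each product id from an SBOM-derived inventory to a defender action. A
    'not affected' claim is suppressed only when a justification flag backs it."""
    actions = {}
    for pid in inventory:
        status, flag = status_for(doc, cve, pid)
        if status != "known_not_affected":
            actions[pid] = SIMPLE_ACTIONS[status]
        elif flag:
            actions[pid] = f"suppress ({flag})"
        else:
            actions[pid] = "not affected but unjustified: ask supplier"
    return actions
```

The point of the unjustified branch is that a bare "not affected" is a claim, not evidence; the justification flag is what lets a consumer decide whether to trust it automatically.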