During the last few years we have witnessed how the cyber security threat landscape has evolved. The emergence of the Internet of Things, combined with recent events, has profoundly changed how we protect our systems and people, and drives us to think about new approaches for vendors to disclose security vulnerabilities to customers and consumers. But beyond disclosing vulnerabilities, we need to accelerate how customers consume and respond to those disclosures in an automated way.

Let’s face it: no software or hardware is immune to security vulnerabilities, which means that managing them is a big task for administrators. To protect their networks effectively, we as an industry need to make it easier for customers to identify and address known vulnerabilities within their networks.

To that end, today I am joining forces with the OASIS standards body to launch the Common Security Advisory Framework (CSAF) Technical Committee (TC). The purpose of the CSAF TC is to standardize the practices for structured, machine-readable security vulnerability-related advisories, and then to further refine those standards over time.

The CSAF TC will base its efforts on the Common Vulnerability Reporting Framework (CVRF) specification originally developed by the Industry Consortium for Advancement of Security on the Internet (ICASI).

If you are not familiar with OASIS, here is a quick recap from their website:

“OASIS members broadly represent the marketplace of public and private sector technology leaders, users and influencers. The consortium has more than 5,000 participants representing over 600 organizations and individual members in more than 65 countries.

OASIS is distinguished by its transparent governance and operating procedures. Members themselves set the OASIS technical agenda, using a lightweight process expressly designed to promote industry consensus and unite disparate efforts. Completed work is ratified by open ballot. Governance is accountable and unrestricted. Officers of both the OASIS Board of Directors and Technical Advisory Board are chosen by democratic election to serve two-year terms. Consortium leadership is based on individual merit and is not tied to financial contribution, corporate standing, or special appointment.”

Prior to the creation of the TC, the CVRF standard had already been adopted by several technology vendors and MITRE, which produce information in the CVRF format, and a number of organizations consume information produced in that format. But there is a significant opportunity to build upon the existing CVRF standard and enable more universal adoption of this process, saving customers time and increasing the security of their networks in closer to real time. The new TC can offer immediate value and quickly support future development to improve the interoperability and utility of the framework in support of providing structured, machine-readable security advisories.

The CSAF TC will make substantive additions and other changes to the CVRF and its supporting documentation, and will create open source tooling.
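To make concrete what "consuming a machine-readable advisory in an automated way" looks like in practice, here is an added example (not code from the original post, and not tooling from OASIS, ICASI or Cisco) that parses a minimal CVRF 1.1-style XML advisory and matches its product statuses against a host inventory. The advisory document, the product names, the ProductIDs, the host names and the CVE number are all constructed placeholders, and the CVRF 1.1 namespace URIs are an assumption about the ICASI schema; check them against the version your vendor actually publishes.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces as published by ICASI (assumed here; later CSAF/CVRF
# revisions use different URIs, so verify against the advisories you receive).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory: not a real vendor document, placeholder CVE.
SAMPLE_ADVISORY = """
<cvrf:cvrfdoc xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1"
              xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1"
              xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <cvrf:DocumentTitle>Example Router OS Denial of Service</cvrf:DocumentTitle>
  <cvrf:DocumentType>Security Advisory</cvrf:DocumentType>
  <cvrf:DocumentTracking>
    <cvrf:Identification><cvrf:ID>EXAMPLE-SA-0001</cvrf:ID></cvrf:Identification>
    <cvrf:Status>Final</cvrf:Status>
  </cvrf:DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="PID-1">Example Router OS 1.0</prod:FullProductName>
    <prod:FullProductName ProductID="PID-2">Example Router OS 1.1</prod:FullProductName>
    <prod:FullProductName ProductID="PID-3">Example Router OS 1.2</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Crafted packet causes reload</vuln:Title>
    <vuln:CVE>CVE-0000-00000</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>PID-1</vuln:ProductID>
        <vuln:ProductID>PID-2</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Fixed">
        <vuln:ProductID>PID-3</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Remediations>
      <vuln:Remediation Type="Vendor Fix">
        <vuln:Description>Upgrade to Example Router OS 1.2</vuln:Description>
        <vuln:ProductID>PID-1</vuln:ProductID>
        <vuln:ProductID>PID-2</vuln:ProductID>
      </vuln:Remediation>
    </vuln:Remediations>
  </vuln:Vulnerability>
</cvrf:cvrfdoc>
"""

AFFECTED_TYPES = {"Known Affected", "First Affected", "Last Affected"}
NOT_VULNERABLE_TYPES = {"Fixed", "First Fixed", "Known Not Affected", "Recommended"}


def parse_advisory(xml_text):
    """Return (products, vulns): ProductID -> name, and one dict per vulnerability."""
    root = ET.fromstring(xml_text)
    products = {}
    for fpn in root.iterfind(".//prod:FullProductName", NS):
        products[fpn.get("ProductID")] = (fpn.text or "").strip()

    vulns = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        entry = {
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS).strip(),
            "affected": set(),
            "not_vulnerable": set(),
            "remediations": {},  # ProductID -> (Remediation Type, Description)
        }
        for status in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            ids = {p.text.strip() for p in status.iterfind("vuln:ProductID", NS)}
            if status.get("Type") in AFFECTED_TYPES:
                entry["affected"] |= ids
            elif status.get("Type") in NOT_VULNERABLE_TYPES:
                entry["not_vulnerable"] |= ids
        for rem in v.iterfind("vuln:Remediations/vuln:Remediation", NS):
            desc = rem.findtext("vuln:Description", default="", namespaces=NS).strip()
            for p in rem.iterfind("vuln:ProductID", NS):
                entry["remediations"][p.text.strip()] = (rem.get("Type"), desc)
        vulns.append(entry)
    return products, vulns


# Constructed inventory: host -> advisory ProductID. In a real pipeline this
# mapping comes from your CMDB (version strings or CPEs mapped to ProductIDs).
INVENTORY = {"edge-rtr-01": "PID-1", "edge-rtr-02": "PID-3", "core-rtr-01": "PID-2"}


def exposed_hosts(inventory, products, vulns):
    """List (host, product name, CVE, remediation type, description) for affected hosts."""
    findings = []
    for host, pid in sorted(inventory.items()):
        for v in vulns:
            if pid in v["affected"]:
                rem_type, rem_desc = v["remediations"].get(pid, ("None listed", ""))
                findings.append((host, products.get(pid, pid), v["cve"], rem_type, rem_desc))
    return findings


if __name__ == "__main__":
    products, vulns = parse_advisory(SAMPLE_ADVISORY)
    for host, product, cve, rem_type, rem_desc in exposed_hosts(INVENTORY, products, vulns):
        print(f"{host}: {product} affected by {cve}; {rem_type}: {rem_desc}")
```

Because the advisory carries explicit ProductIDs and typed status lists, the matching step is a set lookup rather than a free-text search, which is what makes this kind of consumption reliable enough to feed a ticketing system or patch scheduler; the remediation entry tells the operator what to do for each affected host without reading the prose advisory.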

If you would like to join the OASIS CSAF TC, go to https://www.oasis-open.org/committees/csaf


Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations