If you ever go through some of the Cyber news headlines like
I do on a daily basis, you will, over a period of time, come to notice that
each vendor comes out in a certain time of the month to announce the latest
software patches and upgrades that they have come up with.
Probably the best example of this is the Microsoft Patch
Tuesday. This event occurs on the second
Tuesday of each month, and every time, there are about 70 different kinds of vulnerabilities
that these patches try to repair.
Following suit are the other tech vendors, such as Oracle,
Apple, Google, Cisco, Adobe, etc. But
from what I have seen, these guys only announce patches and upgrades on as
needed basis. Between this batch, it
seems that Google and Adobe have the greatest number of them, but not nearly as
what Microsoft has.
The gaps and weaknesses that they are supposed to repair are
based upon the vulnerabilities of which other people have discovered, such as
in the Bug Bounty Programs.
But the main problem is that each vendor has their own reporting
style for discovered vulnerabilities. This
can make it very confusing not only for the end user to understand, but also
for the people of the IT Security team that are charged with parsing through
all of them and deploying whatever is needed.
But just in the nick of time, there has been a new framework
which has been designed to help streamline this process of reporting.
It is formally known as the Common Security Advisory
Framework (CSAF) 2.0. More details about
it can be seen at the link below:
https://oasis-open.github.io/csaf-documentation/
This framework was created and developed by both people from
the Cyber industry and even outside. It
is built upon a previous methodology, which was known as the OASIS Open. More information about this can be seen at the
link below:
One of the powerful advantages that this new framework has
is that it is machine readable. This
means that just about any device can read them, and with the appropriate add
ons, compare it to with what is already in existence in the projects of their
customers, or in the IT/Network Infrastructure of third-party vendors, and even
the in the Software Bill of Materials (this is merely a listing of all of the
development modules that are going to be used for the building of a Web apps
product).
Another key advantage here is that the CSAF is also an automated
one. So, if you have the right AI/ML
tools in place, your device should be able to rank the vulnerability reports
from top to bottom in just a matter of a few minutes (I am assuming that the top
ones will be the most critical vulnerabilities and the bottom ones will the
least critical).
In the end, this alleviates a lot of pressure for the IT Security
team having to go through each report.
From within this framework, there are four types of baseline
profiles that are some of the most important to keep your eye on. They are as follows:
*The Base Profile:
This creates the standard of what information is mandatory
for filling in the fields when compiling a threat report.
*The Security Advisory Profile:
This gives information and detail about the
products/services that are affected from the vendor, where the patches and upgrades
can be downloaded, and any other remediation strategies which should be taken.
*The Information Advisory Profile:
This functionality provides information about other weaknesses
and gaps that have been discovered, but don’t immediate attention, and thus,
they can be triaged towards the latter part of the rung.
*The Security Incident Response Profile:
This part provides a summary finding of actual security
breaches that have occurred on the business world, and the kind of impact that
it has had on the company, third party suppliers, other business partners, and most
importantly, customers and employees.
There are other some key components as well, which are as follows:
*The Secvisogram:
This is essentially an online editor which allows you to
fill in the required fields in order to submit a full fledged CSAF report. You can see the fields at the link below:
https://secvisogram.github.io/
*The CSAF CMS back
end:
This can be considered to be the back-end provider, where all
of the CSAF documentation is kept, and can always be queried for at a subsequent
point in time, if necessary.
*The CSAF Provider:
This functionality also allows one to create CSAF based
reports, but they are static in nature only.
In other words, they can only be created and updated via manual processes,
such as using HTML coding.
*The CSAF Checker:
This part confirms that all parts of the CSAF report have
been completed, before it is actually submitted for publication.
*The CSAF Downloader:
This functionality allows one to actually download the CSAF report
to an allocated spot.
My Thoughts On This:
To be honest, I don’t deal very much with these kinds of
security reports, no matter who the vendor is.
The closest I came is when I wrote a few blogs some years ago on the Microsoft
patches that came out. But I am glad to
see that there are some efforts being made here to create some sort of best
practices and standards for the Cyber industry.
Many people that I have talked to on my podcasts are for this.
Another point of centralization that is needed is when it
comes to the data privacy laws. Once
again, many people feel that this should be done at the Federal level, rather
than having each state come up with its own set laws. That way, businesses will be all on the same footing,
and who knows, by having this, maybe the world will be ready to have a set of
Cyber best practices and standards for everybody to follow.
No comments:
Post a Comment