Sunday, December 18, 2022

Introducing A New Vulnerability Reporting Framework: Automation & Efficiency

If you ever go through some of the Cyber news headlines like I do on a daily basis, you will, over a period of time, come to notice that each vendor comes out at a certain time of the month to announce the latest software patches and upgrades that they have come up with.

Probably the best example of this is Microsoft Patch Tuesday.  This event occurs on the second Tuesday of each month, and every time, there are about 70 different kinds of vulnerabilities that these patches try to repair.

Following suit are the other tech vendors, such as Oracle, Apple, Google, Cisco, Adobe, etc.  But from what I have seen, these vendors only announce patches and upgrades on an as-needed basis.  Within this batch, it seems that Google and Adobe have the greatest number of them, but not nearly as many as Microsoft.

The gaps and weaknesses that they are supposed to repair are based upon the vulnerabilities that other people have discovered, such as through Bug Bounty Programs.

But the main problem is that each vendor has its own reporting style for discovered vulnerabilities.  This can make it very confusing not only for the end user to understand, but also for the members of the IT Security team who are charged with parsing through all of them and deploying whatever is needed.

But just in the nick of time, a new framework has been designed to help streamline this process of reporting.

It is formally known as the Common Security Advisory Framework (CSAF) 2.0.  More details about it can be seen at the link below:

https://oasis-open.github.io/csaf-documentation/

This framework was created and developed by people both from within the Cyber industry and outside of it.  It is built upon a previous methodology, known as OASIS Open.  More information about this can be seen at the link below:

https://www.oasis-open.org/

One of the powerful advantages that this new framework has is that it is machine readable.  This means that just about any device can read these advisories and, with the appropriate add-ons, compare them with what is already in existence in the projects of their customers, in the IT/Network Infrastructure of third-party vendors, and even in the Software Bill of Materials (this is merely a listing of all of the development modules that are going to be used for building a web application).

Another key advantage here is that the CSAF is also an automated one.  So, if you have the right AI/ML tools in place, your device should be able to rank the vulnerability reports from top to bottom in just a matter of a few minutes (I am assuming that the top ones will be the most critical vulnerabilities and the bottom ones will be the least critical).

In the end, this alleviates a lot of pressure for the IT Security team having to go through each report.
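To make the machine-readable and ranking points above concrete, here is an added example (not code from the blog or from the CSAF project) that parses a constructed, minimal CSAF 2.0-style advisory, matches its known_affected product IDs against a constructed asset inventory, and orders the findings by CVSS base score. The advisory, the product IDs, the CVE-style identifiers and the inventory are all made up for illustration, and the JSON is trimmed to the fields the code uses rather than being a complete, schema-valid CSAF document.

```python
import json

# Constructed, minimal CSAF 2.0-style advisory (not a real vendor document; trimmed to
# the fields this example reads, so it is not a complete schema-valid CSAF file).
ADVISORY_JSON = """
{
  "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
               "title": "Example advisory", "tracking": {"id": "EXAMPLE-2022-0001"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "ExampleVendor", "branches": [
      {"category": "product_name", "name": "ExampleApp", "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"name": "ExampleApp 1.0", "product_id": "EXA-1.0"}},
        {"category": "product_version", "name": "1.1",
         "product": {"name": "ExampleApp 1.1", "product_id": "EXA-1.1"}}]}]}]},
  "vulnerabilities": [
    {"cve": "CVE-0000-0001",
     "product_status": {"known_affected": ["EXA-1.0"], "fixed": ["EXA-1.1"]},
     "scores": [{"products": ["EXA-1.0"], "cvss_v3": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}],
     "remediations": [{"category": "vendor_fix", "details": "Upgrade to 1.1", "product_ids": ["EXA-1.0"]}]},
    {"cve": "CVE-0000-0002",
     "product_status": {"known_affected": ["EXA-1.0", "EXA-1.1"]},
     "scores": [{"products": ["EXA-1.0", "EXA-1.1"], "cvss_v3": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}
  ]
}
"""

# Constructed inventory: CSAF product_ids an organisation has mapped to its own deployments/SBOM.
INVENTORY = {"EXA-1.0": "build-server", "EXA-1.1": "web-frontend"}

def rank_findings(advisory_json, inventory):
    """Return (score, cve, product_id, asset, remediation) for inventory items listed as
    known_affected, sorted most critical first. Products only listed under 'fixed' are skipped."""
    adv = json.loads(advisory_json)
    findings = []
    for vuln in adv.get("vulnerabilities", []):
        affected = set(vuln.get("product_status", {}).get("known_affected", []))
        for pid in sorted(affected & set(inventory)):
            score = 0.0  # highest CVSS v3 base score that names this product
            for s in vuln.get("scores", []):
                if pid in s.get("products", []):
                    score = max(score, s.get("cvss_v3", {}).get("baseScore", 0.0))
            fix = next((r["details"] for r in vuln.get("remediations", [])
                        if pid in r.get("product_ids", [])), "no vendor fix listed")
            findings.append((score, vuln.get("cve", "n/a"), pid, inventory[pid], fix))
    findings.sort(key=lambda f: f[0], reverse=True)
    return findings

if __name__ == "__main__":
    for score, cve, pid, asset, fix in rank_findings(ADVISORY_JSON, INVENTORY):
        print(f"{score:4.1f} {cve} {pid} on {asset}: {fix}")
```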

From within this framework, there are four types of baseline profiles that are among the most important to keep your eye on.  They are as follows:

*The Base Profile: 

This creates the standard of what information is mandatory for filling in the fields when compiling a threat report.

*The Security Advisory Profile:

This gives information and detail about the products/services that are affected from the vendor, where the patches and upgrades can be downloaded, and any other remediation strategies which should be taken.

*The Information Advisory Profile:

This functionality provides information about other weaknesses and gaps that have been discovered but don't need immediate attention, and thus can be triaged towards the lower rungs of the ladder.

*The Security Incident Response Profile:

This part provides a summary of findings from actual security breaches that have occurred in the business world, and the kind of impact they have had on the company, third-party suppliers, other business partners, and most importantly, customers and employees.

There are some other key components as well, which are as follows:

*The Secvisogram:

This is essentially an online editor which allows you to fill in the required fields in order to submit a full-fledged CSAF report.  You can see the fields at the link below:

https://secvisogram.github.io/

*The CSAF CMS back end:

This can be considered to be the back-end provider, where all of the CSAF documentation is kept, and can always be queried for at a subsequent point in time, if necessary.

*The CSAF Provider:

This functionality also allows one to create CSAF-based reports, but they are static in nature only.  In other words, they can only be created and updated via manual processes, such as using HTML coding.

*The CSAF Checker:

This part confirms that all parts of the CSAF report have been completed, before it is actually submitted for publication.

*The CSAF Downloader:

This functionality allows one to actually download the CSAF report to an allocated spot.

My Thoughts On This:

To be honest, I don’t deal very much with these kinds of security reports, no matter who the vendor is.  The closest I came is when I wrote a few blogs some years ago on the Microsoft patches that came out.  But I am glad to see that there are some efforts being made here to create some sort of best practices and standards for the Cyber industry.  Many people that I have talked to on my podcasts are for this.

Another point of centralization that is needed is when it comes to the data privacy laws.  Once again, many people feel that this should be done at the Federal level, rather than having each state come up with its own set of laws.  That way, businesses will all be on the same footing, and who knows, by having this, maybe the world will be ready to have a set of Cyber best practices and standards for everybody to follow.
