DOI: 10.1145/3688459.3688463
From Chaos to Consistency: The Role of CSAF in Streamlining Security Advisories

Published: 20 November 2024

Abstract

Security advisories have become an important part of vulnerability management. They can be used to gather and distribute valuable information about vulnerabilities. Although there is a predefined broad format for advisories, it is not really standardized. As a result, their content and form vary greatly depending on the vendor. Thus, it is cumbersome and resource-intensive for security analysts to extract the relevant information. The Common Security Advisory Format (CSAF) aims to bring security advisories into a standardized format which is intended to solve existing problems and to enable automated processing of the advisories. However, a new standard only makes sense if it can benefit users. Hence the questions arise: Do security advisories cause issues in their current state? Which of these issues is CSAF able to resolve? What is the current state of automation?
To investigate these questions, we interviewed three security experts, and then conducted an online survey with 197 participants. The results show that problems exist and can often be traced back to confusing and inconsistent structures and formats. CSAF attempts to solve precisely these problems. However, our results show that CSAF is currently rarely used. Although users perceive automation as necessary to improve the processing of security advisories, many are at the same time skeptical. One of the main reasons is that systems are not yet designed for automation and a migration would require vast amounts of resources.


Published In

EuroUSEC '24: Proceedings of the 2024 European Symposium on Usable Security
September 2024, 361 pages
ISBN: 9798400717963
DOI: 10.1145/3688459
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. CSAF
  2. Common Security Advisory Format
  3. Security Advisories
  4. IT Security
  5. Survey
  6. User Study

Qualifiers

  • Research-article

Funding Sources

  • German Federal Ministry of Education and Research

Conference

EuroUSEC 2024
EuroUSEC 2024: The 2024 European Symposium on Usable Security
September 30 - October 1, 2024
Karlstad, Sweden

Article Metrics

  • Total Citations: 0
  • Total Downloads: 31 (last 12 months: 31; last 6 weeks: 31)

Reflects downloads up to 01 Jan 2025