Common Security Advisory Framework (CSAF)
Machine-processable format enables automated database reconciliation
A reported and fixed vulnerability is only the beginning of the vulnerability handling process on the operator side. To be protected from the vulnerability, the user must install the corresponding update. Since installing updates can have far-reaching consequences, a prior risk assessment is advisable, and to carry out such an assessment the user needs all relevant information about the vulnerability promptly and in a usable form. Up to now, this information has been published by manufacturers or coordinating bodies as human-readable documents, so-called security advisories.
Increasingly work-intensive evaluation
To assess the risks to IT infrastructure and deployed products, operators must sift through these security advisories. Searching for newly published advisories and evaluating their relevance regularly involves a great deal of time and effort. One reason is that manufacturers and other publishing bodies use a wide variety of notification channels for their customers or for the public: e-mail notifications are sometimes sent out (with a delay), or there is an RSS feed that must be subscribed to, or new advisories only appear on a (possibly access-protected) website that must be checked manually. Another is that more and more agencies are publishing an increasing number of security advisories. Finally, checking whether the products referenced in an advisory are actually in use in the area for which the company is responsible is usually not trivial.
Since security advisories from different sources usually differ greatly in file format, in the structure and quality of the information, and in formatting, automated processing by the evaluating body is not possible, or only possible to a limited extent. Manual processing, on the other hand, ties up well-trained specialists with trivial tasks. It also does not scale as the number of security advisories grows: more and more complex advisories have to be analyzed with the same personnel capacity. As a result, operators often do not evaluate this important source of information on an ongoing or regular basis. They act only ad hoc, for example after media coverage or on the advice of the BSI.
CSAF enables automation
Together with national and international partners, the BSI is therefore working on a solution that makes it easier for users to find, evaluate and act on security advisories. The machine-processable format for security advisories, the Common Security Advisory Framework (CSAF) 2.0, is a JSON-based standard maintained by OASIS. It allows security advisories to be retrieved automatically from the manufacturers and compared with the company's own inventory database, so that operators can maintain an overview and secure their systems. The BSI has already published the first tool for creating CSAF documents, Secvisogram, on its GitHub page. With these activities, the BSI is helping to increase information security in companies and to successfully shape digitization in Germany and worldwide.
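The following is an added example, not code from the BSI or from the CSAF project, showing the reconciliation step the text describes: a CSAF 2.0 advisory is parsed, its product tree is flattened, and the product status of each vulnerability is matched against the operator's own inventory. The advisory and the inventory are constructed for this example (Example Vendor, CSAFPID-0001/0002 and the CPE strings are made up); only the schema elements used (product_tree.branches with nested product entries, full_product_names, product_identification_helper.cpe, vulnerabilities[].product_status) are taken from CSAF 2.0.

```python
"""Added example: reconcile a CSAF 2.0 advisory with a local inventory.

The advisory below is a constructed, minimal CSAF 2.0 document, not a real
BSI or vendor advisory; the inventory is likewise constructed.
"""
import json

# Constructed advisory, embedded as the JSON text a client would fetch.
ADVISORY_JSON = r'''
{
  "document": {
    "category": "csaf_security_advisory", "csaf_version": "2.0",
    "title": "Constructed example advisory",
    "publisher": {"category": "vendor", "name": "Example Vendor",
                  "namespace": "https://vendor.example"},
    "tracking": {"id": "EXAMPLE-0001", "status": "final", "version": "1",
                 "initial_release_date": "2024-01-01T00:00:00Z",
                 "current_release_date": "2024-01-01T00:00:00Z"}
  },
  "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor",
    "branches": [{"category": "product_name", "name": "Example Gateway",
      "branches": [
        {"category": "product_version", "name": "1.0", "product": {
          "product_id": "CSAFPID-0001", "name": "Example Gateway 1.0",
          "product_identification_helper": {
            "cpe": "cpe:2.3:a:example_vendor:example_gateway:1.0:*:*:*:*:*:*:*"}}},
        {"category": "product_version", "name": "1.1", "product": {
          "product_id": "CSAFPID-0002", "name": "Example Gateway 1.1",
          "product_identification_helper": {
            "cpe": "cpe:2.3:a:example_vendor:example_gateway:1.1:*:*:*:*:*:*:*"}}}
      ]}]}]},
  "vulnerabilities": [{"title": "Constructed example vulnerability",
    "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]}}]
}
'''

# Constructed inventory: CPE strings of what the operator actually runs.
INVENTORY = [
    "cpe:2.3:a:example_vendor:example_gateway:1.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:other_vendor:unrelated_tool:3.2:*:*:*:*:*:*:*",
]


def collect_products(product_tree):
    """Flatten product_tree into product_id -> CPE (None if no CPE given).

    Handles nested branches and full_product_names. product_tree.relationships
    (e.g. "X installed on Y") are not resolved here; a real client must do so.
    """
    products = {}

    def add(entry):
        helper = entry.get("product_identification_helper", {})
        products[entry["product_id"]] = helper.get("cpe")

    def walk(branch):
        if "product" in branch:
            add(branch["product"])
        for child in branch.get("branches", []):
            walk(child)

    for branch in product_tree.get("branches", []):
        walk(branch)
    for entry in product_tree.get("full_product_names", []):
        add(entry)
    return products


def reconcile(advisory_json, inventory):
    """Return one dict per vulnerability listing which inventory CPEs the
    advisory marks as affected (needs action) or fixed (already patched)."""
    advisory = json.loads(advisory_json)
    if advisory["document"].get("csaf_version") != "2.0":
        raise ValueError("not a CSAF 2.0 document")
    cpe_to_pid = {cpe: pid for pid, cpe in
                  collect_products(advisory.get("product_tree", {})).items() if cpe}
    # Exact CPE string comparison; production tooling should normalise CPEs
    # and apply CPE matching rules rather than rely on identical strings.
    report = []
    for vuln in advisory.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        affected = set(status.get("known_affected", [])) | set(status.get("under_investigation", []))
        fixed = set(status.get("fixed", []))
        report.append({
            "title": vuln.get("title") or vuln.get("cve", "untitled"),
            "affected": sorted(c for c in inventory if cpe_to_pid.get(c) in affected),
            "fixed": sorted(c for c in inventory if cpe_to_pid.get(c) in fixed),
        })
    return report


if __name__ == "__main__":
    for entry in reconcile(ADVISORY_JSON, INVENTORY):
        print(entry["title"], "affected:", entry["affected"], "fixed:", entry["fixed"])
```

Run as a script it reports that Example Gateway 1.0 in the inventory is affected while the unrelated tool is not mentioned at all; a product that is in the inventory but absent from the advisory's product tree is simply not matched, which is the correct behaviour, not an error. Product identification in real advisories also uses PURLs, serial numbers or model numbers alongside CPEs, so a production client would match on whichever helpers the manufacturer supplies.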
Short URL: https://www.bsi.bund.de/dok/en_csaf