From Chaos to Consistency: The Role of CSAF in Streamlining Security Advisories
Julia Wunder, Janik Aurich, Zinaida Benenson

TL;DR
This paper investigates the challenges in security advisory standardization, evaluates CSAF's potential to address these issues, and finds that CSAF is underutilized despite recognized automation needs and existing structural problems.
Contribution
It provides empirical insights into security experts' perceptions of CSAF and highlights the gap between its potential benefits and current adoption levels.
Findings
Problems in advisories stem from inconsistent formats
CSAF aims to standardize and automate advisories
CSAF is rarely used despite perceived automation benefits
Abstract
Security advisories have become an important part of vulnerability management. They can be used to gather and distribute valuable information about vulnerabilities. Although there is a predefined broad format for advisories, it is not really standardized. As a result, their content and form vary greatly depending on the vendor. Thus, it is cumbersome and resource-intensive for security analysts to extract the relevant information. The Common Security Advisory Format (CSAF) aims to bring security advisories into a standardized format which is intended to solve existing problems and to enable automated processing of the advisories. However, a new standard only makes sense if it can benefit users. Hence the questions arise: Do security advisories cause issues in their current state? Which of these issues is CSAF able to resolve? What is the current state of automation? To investigate…
