Boston, MA, USA, 21 November, 2022 – OASIS Open, the international open source and standards consortium, announced the approval of the Common Security Advisory Framework (CSAF) 2.0 as a full OASIS standard, a status that signifies the highest level of ratification. This new version of CSAF includes support for the Vulnerability Exploitability Exchange (VEX) profile, which is especially helpful in efficiently consuming SBOM data. 

The current threat landscape has profoundly changed how systems and people are protected, driving new approaches to cybersecurity, especially around vendor advisories dealing with vulnerability disclosure issues. The OASIS CSAF Technical Committee’s work developing machine readable security advisories makes it possible for cyber defenders to quickly and automatically assess the impact of vulnerabilities and respond in an automated way. 

“Security advisories play a crucial role in securing on-premises and cloud-based assets as they contain critical information about how to remediate vulnerabilities,” said OASIS CSAF chair, Omar Santos, of Cisco. “CSAF v2.0 brings more than machine readable advisories in JSON format; it specifies the distribution mechanism and how new CSAF documents can be discovered and disclosed. It’s the result of an international, industry-wide effort to standardize the reporting of security issues. CSAF enables software producers and consumers to modernize their vulnerability management and response programs.” 

Participation in the OASIS CSAF TC is open to all through membership in OASIS. Providers of products and services that produce, consume, or process security vulnerability remediation information, along with their customers who consume this information, and all other interested parties, are invited to join the group.

The CSAF TC is holding a webinar on Thursday, 1 December at 11am ET, “Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale.” Speakers include Diane Morris of Cisco, Justin Murphy of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Omar Santos of Cisco, and Thomas Schmidt of the Federal Office for Information Security Germany (BSI). Attendance is free and open to all. View more specifics here.

The OASIS CSAF Technical Committee will hold a webinar next week reviewing the standard and explaining its potential impact on vulnerability management. The webinar is free and open to all. See the link below for sign up details.   
Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale

Thursday, 1 December

11:00 AM EST

Sign up details are here.

Come learn why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed the widespread adoption of CSAF as one of “three critical steps to advance the vulnerability management ecosystem.”

By Trainer
