Successful cooperation between the Cyber-Defence Campus and the German Federal Office for Information Security (BSI)

The armasuisse Science and Technology (S+T) Cyber-Defence (CYD) Campus is working together with the BSI (Bundesamt für Sicherheit in der Informationstechnik) to provide open-source tools for creating and managing machine-processable security advisories. The goal is to make the exchange of information on security vulnerabilities easier.

20.12.2021 | Damian Pfammatter, Scientific project manager, Cyber-Defence Campus


Information on IT vulnerabilities that have become known is usually summarised in so-called security advisories. Amongst other things, these advisories typically contain information on the type and criticality of the identified vulnerabilities, which products and versions they affect and how they can be resolved.

In Switzerland, for example, this type of information is collected by the National Cyber Security Centre (NCSC) and forwarded to the entities concerned after appropriate cross-checking. The German Federal Office for Information Security (BSI) likewise collects, reviews and distributes such security advisories as part of its activities.

However, the increasing number of security advisories poses major challenges for operators, manufacturers and authorities. Because security advisories from different sources usually differ strongly in file format, structure, quality of information and formatting, automatic processing by the assessing entity is usually either impossible or possible only to a very limited extent. At the same time, this information is indispensable for risk assessment and for prioritising the corresponding update measures.

As part of the national strategy for protecting Switzerland against cyber risks (NCS 2018-2022), the Cyber-Defence (CYD) Campus is working together with the BSI to promote the development and distribution of the Common Security Advisory Framework (CSAF). The CSAF standard defines not only the machine-processable format for security advisories, but also how and where they should be provided. In this way, security advisories can be retrieved automatically and matched against an organisation's own inventory databases. CSAF will thus make a crucial contribution to helping companies maintain an overview and secure their systems. The BSI therefore also promotes the CSAF standard in its 2021 Annual Report. The National Cyber Security Centre (NCSC) also estimates in its 2021/I Semi-Annual Report that CSAF could become a helpful resource for automated collection and processing of security information in the future.

To demonstrate the feasibility of CSAF, the CYD Campus is working together with the German BSI. Over the course of the year, two proofs of concept (PoCs) have emerged, which are being successively developed into complete open-source tools:

Secvisogram

The first open-source tool, Secvisogram, helps to create CSAF documents. It offers an interface in which users can assemble an advisory by clicking. During this process, the advisory is converted internally into the technically required data format. In order to restrict access to sensitive CSAF documents as much as possible, Secvisogram has been built so that it can be used in isolated mode in a user's browser without having to send content to a server component. A human-readable security advisory can then also be generated from the technical format.

CSAF backend

The second open-source tool is a PoC that aims to enable the management of CSAF documents. Secvisogram only allows individual CSAF files to be created or edited, which is too laborious for manufacturers who publish hundreds of security advisories each year. The CSAF backend provides functionality for management and for the workflow process. Based on the findings of the PoC developed by the CYD Campus, the BSI published a tender. The aim is to turn the CSAF backend into a tool that can be used productively.

Using these publicly available open-source tools, operators, manufacturers and authorities from all countries will be able to exchange vulnerability information more efficiently in the future and thus improve their cyber security.

