Microsoft Introduces New Format for Security Vulnerability Data
Quick take - The Microsoft Security Response Center is enhancing transparency around security vulnerabilities by introducing the Common Security Advisory Framework (CSAF) for automated processing, while continuing to support existing Common Vulnerabilities and Exposures (CVE) systems and collaborating with industry partners on cybersecurity initiatives.
Fast Facts
- The Microsoft Security Response Center (MSRC) is enhancing transparency on security vulnerabilities through new initiatives, including the Common Security Advisory Framework (CSAF).
- CSAF is a machine-readable format designed for automated processing, integrated with existing Common Vulnerabilities and Exposures (CVE) information.
- Customers can access CVE data via the Security Update Guide or an API based on the Common Vulnerability Reporting Framework (CVRF), which has been the standard since 2004.
- Microsoft has implemented a security.txt file to help locate security-related information and has included a link to the CSAF directory in the Security Update Guide.
- The initiative aims to improve transparency not only for Microsoft’s supply chain but also for Open Source Software, with collaboration across the industry to tackle security challenges.
Microsoft Security Response Center Enhances Transparency on Security Vulnerabilities
The Microsoft Security Response Center (MSRC) is currently focusing on enhancing transparency regarding security vulnerabilities through a series of initiatives. MSRC’s primary mission is to safeguard customers, communities, and Microsoft itself from various security and privacy threats.
Introduction of the Common Security Advisory Framework
As part of this effort, Microsoft is introducing a new standard machine-readable format known as the Common Security Advisory Framework (CSAF). This new format will be integrated into existing Microsoft Common Vulnerabilities and Exposures (CVE) information. The CSAF format is specifically designed for automated processing by computers rather than for human readability. This new format will be available alongside existing CVE data channels, ensuring that it does not replace the current systems.
Customers can access Microsoft’s CVEs through the Security Update Guide or via an API that is based on the Common Vulnerability Reporting Framework (CVRF). Notably, CVRF has been the standard for vulnerability data dissemination since 2004. Initially, CVRF was managed by the Industry Consortium for Advancement of Security on the Internet (ICASI), but in 2021, the management of CVRF was transitioned to First.org.
Implementation of Security.txt and Collaboration Efforts
Additionally, the Internet Engineering Task Force (IETF) published RFC 9116, which outlines a security.txt file that provides essential information on how to locate security-related information about a company. Microsoft has implemented a security.txt file that indicates the storage location of the CSAF files, further facilitating access to this information. A link to the CSAF directory has also been incorporated into the Security Update Guide.
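The two machine-readable artifacts described above, the security.txt file and a CSAF advisory, as an added Python example that is not from the original article or from Microsoft: it reads the CSAF field from a constructed security.txt (the field the CSAF 2.0 specification defines for pointing at a provider's metadata file) and resolves the known_affected product IDs in a constructed CSAF 2.0 advisory to full product names via the product_tree. All URLs, product names and the CVE id are constructed placeholders; only the field names follow the RFC 9116 and CSAF 2.0 layouts.

```python
import json

# Constructed security.txt in the RFC 9116 layout; the CSAF field is the one the
# CSAF 2.0 specification defines for pointing at a provider-metadata.json file.
SECURITY_TXT = """\
# Constructed sample, not any vendor's real security.txt
Contact: mailto:secure@example.com
Expires: 2026-12-31T23:59:00.000Z
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
"""

def csaf_provider_url(text):
    """Return the URL from the security.txt CSAF field, or None if absent."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # comments and blank lines carry no field
        field, _, value = line.partition(":")
        if field.strip().lower() == "csaf":
            return value.strip()
    return None

# Constructed CSAF 2.0 advisory, reduced to the fields this example reads.
ADVISORY = json.loads("""{
  "document": {"category": "csaf_security_advisory", "csaf_version": "2.0",
               "title": "Sample advisory", "tracking": {"id": "EXAMPLE-0001"}},
  "product_tree": {"branches": [
    {"category": "vendor", "name": "Example Corp", "branches": [
      {"category": "product_name", "name": "Widget Server", "branches": [
        {"category": "product_version", "name": "1.0",
         "product": {"product_id": "WS-1.0", "name": "Widget Server 1.0"}},
        {"category": "product_version", "name": "1.1",
         "product": {"product_id": "WS-1.1", "name": "Widget Server 1.1"}}]}]}]},
  "vulnerabilities": [{"cve": "CVE-0000-0001",
    "product_status": {"known_affected": ["WS-1.0"], "fixed": ["WS-1.1"]}}]
}""")

def product_names(tree):
    """Map product_id -> full name from product_tree branches and full_product_names."""
    names = {p["product_id"]: p["name"] for p in tree.get("full_product_names", [])}
    def walk(branches):                   # branches nest vendor > product > version
        for b in branches:
            if "product" in b:
                names[b["product"]["product_id"]] = b["product"]["name"]
            walk(b.get("branches", []))
    walk(tree.get("branches", []))
    return names

def affected_by_cve(advisory):
    """Return {cve: sorted affected product names}; unresolved ids are kept as-is."""
    names = product_names(advisory.get("product_tree", {}))
    return {v.get("cve", "no-cve"): sorted(names.get(i, i) for i in
            v.get("product_status", {}).get("known_affected", []))
            for v in advisory.get("vulnerabilities", [])}
```

In practice the URL returned from security.txt leads to provider-metadata.json, which lists the advisory documents to fetch and feed into `affected_by_cve`.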
This initiative is not only aimed at improving transparency concerning vulnerabilities within Microsoft’s own supply chain but also extends to include Open Source Software. Furthermore, Microsoft is actively collaborating with other companies in the industry to address interconnected security challenges, reflecting a commitment to collective cybersecurity efforts.
User Engagement and Leadership
To foster engagement and gather insights from users, Microsoft encourages feedback through a rating banner featured on CVE pages within the Security Update Guide. The announcement is credited to Lisa Olson, Principal Program Manager for Security Release, reflecting the leadership behind these transparency improvements.