From Chaos to Consistency: The Role of CSAF in Streamlining Security Advisories

TL;DR

This study investigates whether the Common Security Advisory Framework (CSAF) can streamline the handling of security advisories. Through qualitative interviews (n=3) and a larger online survey (n=197 valid responses), it maps how advisories are currently gathered, processed, and used to make risk decisions, highlighting extensive manual effort and inconsistencies in product identifiers. The results indicate a strong interest in automation and standardization, but widespread adoption remains hampered by resource constraints, vendor variability, and the need for compatible asset-management systems. The findings suggest CSAF could reduce manual workload and improve automated processing, yet its impact depends on vendor quality of advisories and organizations' readiness to adopt automation. Overall, CSAF is promising but not yet widely adopted, with clear directions for future research and vendor engagement to realize its benefits.

Abstract

Security advisories have become an important part of vulnerability management. They can be used to gather and distribute valuable information about vulnerabilities. Although there is a predefined broad format for advisories, it is not really standardized. As a result, their content and form vary greatly depending on the vendor. Thus, it is cumbersome and resource-intensive for security analysts to extract the relevant information. The Common Security Advisory Format (CSAF) aims to bring security advisories into a standardized format which is intended to solve existing problems and to enable automated processing of the advisories. However, a new standard only makes sense if it can benefit users. Hence the questions arise: Do security advisories cause issues in their current state? Which of these issues is CSAF able to resolve? What is the current state of automation? To investigate these questions, we interviewed three security experts, and then conducted an online survey with 197 participants. The results show that problems exist and can often be traced back to confusing and inconsistent structures and formats. CSAF attempts to solve precisely these problems. However, our results show that CSAF is currently rarely used. Although users perceive automation as necessary to improve the processing of security advisories, many are at the same time skeptical. One of the main reasons is that systems are not yet designed for automation and a migration would require vast amounts of resources.

Figures (7)

• Figure 1: Statements and participants' agreement for information gathering $(N = 197)$.
• Figure 2: Agreement for "It is easy to match the affected systems of a security advisory to our IT setup" in relation to company size $(N = 197)$.
• Figure 3: Statements and participants' agreement for information processing $(N = 197)$.
• Figure 4: Factors that may influence decision-making regarding the security issue described in an advisory, and their importance to the participants $(N = 197)$.
• Figure 5: Use of automation in relation to CSAF familiarity $(N = 197)$; $\chi^2(6) = 18.19$, $p < 0.05$, Cramér's $V = 0.215$.