December 12-13, 2024 | Munich, Germany
The CSAF (Common Security Advisory Framework) Community Days is an event dedicated to discussing tools, best practices, innovations, and success stories related to CSAF. We invite practitioners, developers, producers, consumers, and other community members to share their knowledge with the community. Join us for insightful talks, demos, discussions, and networking opportunities.
Time | Session | Speaker |
---|---|---|
13:30 - 13:45 CET | Welcome & Keynote | Justin Murphy (CISA) |
13:50 - 14:20 CET | What is New in CSAF 2.1 | Stefan Hagen (CSAF TC) |
14:25 - 14:55 CET | Advisory, Quo Vadis? | Thomas Proell (Siemens) |
15:00 - 15:30 CET | CSAF Trusted Provider - Huawei Solution, Progress and Sharing of Experience | Sonny van Lingen |
15:30 - 15:45 CET | Break | |
15:45 - 16:05 CET | Correlation between CSAF and CVEs | Cédric Bonhomme (CIRCL) |
16:10 - 16:55 CET | CSAF Usage as Part of the EUVD and Beyond | Johannes Clos (ENISA) |
16:55 - 17:05 CET | Break | |
17:05 - 18:00 CET | Modernizing Vulnerability Management and Disclosure: Using CSAF in an "AI-Driven World" (Panel) | Omar Santos (CSAF TC (Chair)) and guests |
18:00 - 18:05 CET | Day 1 Wrap Up | |

Time | Session | Speaker |
---|---|---|
08:00 - 08:05 CET | Welcome and Day 1 Recap | |
08:05 - 08:35 CET | Oddities of finding and files (from an implementers view) | Bernhard Reiter (Intevation GmbH) |
08:40 - 09:25 CET | OT Security in Sync: A CSAF Template Powering 40+ Vendors | Jochen Becker (CERT@VDE) |
09:30 - 10:10 CET | Scaling CSAF: Building a Trusted Provider Network for 40+ Vendors | Christian Link (CERT@VDE) |
10:10 - 10:25 CET | Break | |
10:25 - 11:10 CET | VEX-supported Vulnerability Management with SecObserve | Stefan Fleckenstein & Lukas Voetmand |
11:15 - 11:45 CET | Integrating the CSAF Standard into Dependency-Track with Kotlin-CSAF: Early Insights and Developments | Christian Banse |
11:45 - 12:45 CET | Lunch | |
12:50 - 13:20 CET | Handling lots of Incoming Documents as Team with ISDuBA — a CSAF Management System Web App | Bernhard Reiter (Intevation GmbH) |
13:25 - 13:55 CET | Demonstrator with CSAF-Matching from the Project ZenSIM4.0 | Dr. Salva Daneshgadeh Cakmakci |
14:00 - 14:45 CET | Experiences in Consuming CSAFs & What is Still Missing | Tobias Limmer & Michael Pfurtscheller |
14:50 - 15:15 CET | How to get CSAF into Contracts | Thomas Schmidt (BSI) |
15:20 - 15:30 CET | Closing Remarks | Omar Santos (CSAF TC (Chair)) |
Information Security Hub at Munich Airport (Südallee 1, 85356 München, Germany)
To attend the CSAF Community Days 2024 in person, please register by sending an email to csaf@bsi.bund.de. We look forward to welcoming you to Munich!
Date and time: Thursday, December 12, 2024
Join link: https://cisco.webex.com/cisco/j.php?MTID=mbc3cc1ad28052619599b56878a0badf2
Webinar number: 2664 427 9142
Webinar password: vH7uMmapd94 (84786627 when dialing from a phone or video system)
Join by phone: +1-408-525-6800 Call-in toll number (US/Canada)
Access code: 266 442 79142
Date and time: Friday, December 13, 2024
Join link: https://cisco.webex.com/cisco/j.php?MTID=m93ee333036be141bd6d33c0b247057ab
Webinar number: 2664 816 6883
Webinar password: wwKrHACq337 (99574227 when dialing from a phone or video system)
Join by phone: +1-408-525-6800 Call-in toll number (US/Canada)
Access code: 266 481 66883
Abstract: A warm welcome to the CSAF Community Days 2024, followed by an overview of the key themes and objectives for the event.
Bio: Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with the affected vendor(s), covering industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder, community-led efforts around software bill of materials (SBOM) and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has an M.Sc. in Computer Science from Tennessee Technological University and a B.Sc. in Statistics from the University of Tennessee (Knoxville).
Abstract: The talk presents the scheduled changes in CSAF v2.1 as compared to CSAF v2.0. The changes are not only named but also motivated. Examples demonstrate what can be achieved with CSAF v2.1 that is not possible, or not as easily possible, with CSAF v2.0. Scenarios are presented as examples of why and how to migrate CSAF v2.0 content to CSAF v2.1.
Bio: Stefan Hagen studied physics at the University of Bonn. He is a senior member of the ACM and was named an OASIS Distinguished Contributor in 2019. Stefan is co-author of the GeoJSON format RFC and is passionate about creating actionable standards. Specifications and standards to which he has contributed include CSAF, CVRF, DSS, MQTT, OData, SAM, and SARIF (some have received ISO-IEC JTC-1 certification). He is currently working as a software engineer on ground-based training systems in a Swiss aircraft factory.
Abstract: The number of vulnerabilities identified each year is rapidly increasing, possibly at an exponential rate.
This surge in vulnerabilities is why machine-readable advisories were initially requested and led to the definition of the CSAF standard. Siemens has not only invested in creating CSAF documents but has also scaled up their production significantly. In recent years, Siemens has published and updated over 250 CSAF documents annually, each often detailing multiple products and vulnerabilities.
This project has provided valuable insights into what strategies were effective and which were not. The talk will explore these lessons learned and offer informed predictions about the future direction of this initiative. By examining the successes and challenges faced, we can better understand how to improve our approach to managing and communicating about vulnerabilities.
These insights are not just relevant for other CSAF creators, but also CSAF consumers and aggregators.
Bio: Thomas Proell has been working for Siemens in product security for over 15 years. After five years of penetration testing, he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.
His goal is to push for more transparency in vulnerability handling, giving affected stakeholders all the information they need about vulnerabilities to defend their systems. His team publishes over 250 CSAF documents annually and has gathered a clear understanding of what the upcoming challenges will be.
Abstract: In this extensive talk, Huawei will present on its adoption and implementation of CSAF 2.0, and its experience in setting up and operating its CSAF Trusted Provider capability. From this context, the presentation will provide discussion points for further industry adoption and expansion of use-cases. The detailed outline is as follows:
The presentation will begin by explaining Huawei’s reasoning for supporting the CSAF standard, recognizing the broader trends in the vulnerability management domain and the endorsement of CSAF by the industry.
The discussion will then continue to outline Huawei’s approach of setting up the CSAF Trusted Provider capability, including detailed discussion on the key processes and requirement implementation in order to be able to comply with the requirements laid out in Chapter 7 of the CSAF 2.0 specification. Furthermore, this presentation will provide reflections on how Huawei was able to leverage CSAF Open Source Tools.
We will review some considerations around CSAF's broader adoption, including CSAF's potential as a standardized output format across security scanners (such as vulnerability scanners and binary scanners), as well as CSAF as a potential approach for more efficient and streamlined regulatory compliance with EU regulations such as the Cyber Resilience Act.
The final segment will demonstrate Huawei’s additional capabilities for enabling vulnerability management automation through its Machine-to-Machine (M2M) interconnection APIs, which is another mechanism Huawei provides to its customers to retrieve CSAF documents for automation-related use cases.
We will conclude by drawing up the lessons learned from our CSAF Trusted Provider implementation and deployment, offering guidance and insights for organizations that are implementing or are considering the implementation of the CSAF Trusted Provider capabilities.
Bio: Sonny van Lingen is a seasoned cybersecurity professional currently serving as a Vulnerability Governance Principal Engineer, representing Huawei PSIRT in Europe. He has spent over a decade in numerous cybersecurity roles within the financial and telecommunication sectors. In recent years, Sonny has shifted his focus to PSIRT activities, dedicating the past 5.5 years to mastering this domain. His prior key roles include positions such as Program Manager for Ericsson’s E2E Vulnerability Management program and Master Security Specialist at Ericsson PSIRT. Sonny earned his MSc from Utrecht University and holds several security certifications such as CISSP and CISA.
Abstract: Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources, independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). It is a rewritten and enhanced version of cve-search, an open-source tool originally designed to maintain a local CVE database.
For over a decade, cve-search has been maintained and operated by CIRCL. However, we identified design and scalability limitations in the original implementation, with its public instance currently maxing out at 20,000 queries per second. Another aspect is the diversification of vulnerability sources beyond just the NVD CVE feed. The new tool now supports additional sources such as CSAF, GitHub, PySec, and GSD. This broadening of sources aligns with our commitment to support the CVD process and to extend vulnerability information in a collaborative manner. Vulnerability Lookup addresses these two issues: it is fast and versatile, and it eases the editing of vulnerability advisories. Our aim is to go beyond that and implement innovative features tailored for CVE Numbering Authorities (CNAs), cybersecurity vendors, incident response teams, vulnerability reporters, and developers.
One of the main strengths of Vulnerability-Lookup is its modular system for importing data from various vulnerability sources.
We recently introduced features related to Bundling, EPSS (Exploit Prediction Scoring System), Sightings (from Mastodon, RSS/Atom feeds and MISP).
A demo will present the main features and the vulnerability import/correlation mechanism between various sources (CSAF, GHSA, CVE, etc.).
Bio: Cédric Bonhomme is a computer scientist, intensely interested in computer security and privacy. From 2010 to 2017, he served as an R&D Engineer at a public research center, focusing on Multi-Agent Systems and Cybersecurity. Since 2017, he has been part of CIRCL, where he contributes to CSIRT activities and open-source software projects.
Abstract: The most recent EU cybersecurity policy initiatives have triggered changes with a strong impact on vulnerability disclosure and management in the European Union. The presentation will cover the latest state of the legislative implementations by ENISA, starting with an introduction to the EU vulnerability database (EUVD) before also describing ENISA's initial considerations on the CRA Single Reporting Platform and what CSAF has to do with it.
Bio: Johannes Clos is a National Expert seconded to the Operational Cooperation Unit of ENISA. His main responsibilities include leading the EU Vulnerability Database implementation, contributing to the CSIRTs Network Secretariat, and supporting the Operations and Situational Awareness team.
Before joining ENISA he cultivated a passion for international CSIRT collaboration at CERT-Bund / BSI, where he also contributed to building the vulnerability disclosure team and introduced the abuse automation system IntelMQ.
Abstract: Ever wondered what the smallest or largest CSAF document is? Or about titles? The two most common words are "Security" and "update". :) While the average title length was 54 characters, the shortest title consisted of just the two characters "2)". This and more examples from measurements of roughly 340,000 CSAF documents we could openly gather are shown. This research was not done out of curiosity, but because we needed to assess the screen and disk space our web application would need.
Other surprises happened when we actually tried to download, distribute and display CSAF documents, such as stone-age signature formats, hitting an overly tight rate limit, or finding just too many document updates to handle.
This talk presents a number of oddities that our team stumbled upon when implementing software for a CSAF Trusted Provider, Checker and Management System. (Results available as Free Software, e.g.
The focus is on sharing some fun facts and implementation struggles.
Bio: Bernhard Reiter is a contractor to the German Federal Office for Information Security (BSI). His team from Intevation implemented a number of Free Software CSAF tools, like the csaf_downloader and a CSAF Management System called ISDuBA. The company Intevation GmbH is based in Osnabrück and Bernhard has co-owned it since 1999. He is also a Free Software activist with the FSFE and on the advisory board of Greenbone AG.
More details on Bernhard's homepage: https://intevation.de/~bernhard/index.en.html
Abstract: CSAF was created with the idea of being able to map all possible combinations of vulnerabilities, products, firmware, software and so on. While this offers the writer countless options to represent the scenario of their vulnerability, it can be difficult for the consumer to understand these representations from different sources or to standardize them for their own use. As CERT@VDE, we support 40+ of our cooperation partners in their efforts to improve the security of their products. The consumers of our advisories in particular are therefore used to our partners' advisories not only being of the same quality but also having the same format. For this reason, we have created a CSAF template that primarily takes into account the needs of manufacturers in the OT sector, but is also intended to support ourselves and the reader of the CSAF document.
Bio: Jochen is an Information Security Manager at CERT@VDE. He took his first 5 programming steps sometime in the 1990s on a Simatic S5. In addition to various activities in the field of electrical engineering and computer science, this then led to the administration of servers, networks and data centers via the B.Sc. in computer science. With each further step in his career, his focus shifted more and more to the field of security, while the appeal of combining computer science and electrical engineering from the early days has remained with him ever since. After a final stop in IT security at an insurance company, Jochen then made the leap into operational technology and supports CERT@VDE with his expertise in the areas of CVE, CNA, CVSS, CWE and increasingly also CSAF.
While his professional work with vulnerabilities is now more theoretical and procedural, OT and electrical engineering have remained a hobby for Jochen, so that even today the soldering iron should not be too far away from the keyboard.
Abstract: The Common Security Advisory Framework (CSAF) introduces three distinct provider roles - Publisher, Provider, and Trusted-Provider - each with specific requirements for secure distribution of cybersecurity advisories. Infrastructure requirements encompass secure TLS connections, proper certificate management and typically reverse proxy configurations and some sort of containerization.
Our unique implementation stands out by managing over 40 trusted providers, necessitating a scalable and automated infrastructure to handle provider deployment and CSAF document distribution for multiple partner organizations.
This presentation outlines our approach to addressing these infrastructure challenges while maintaining security and scalability. We've built our entire solution stack on open-source technologies, from initial provider onboarding through to advisory publication, ensuring transparency and cost-effectiveness. During our proof-of-concept phase, we encountered several unexpected challenges, particularly around certificate automation at scale and the existing CSAF tools.
Bio: Christian is an Information Security Manager with over three decades of hands-on experience in cybersecurity, dating back to the early days of BBS systems and modem communications. His extensive background spans critical infrastructure protection across aviation and large-scale provider networks. Currently serving as Information Security Manager for the past seven years, he brings deep expertise in network security architecture and threat mitigation. Throughout his career, Christian has specialized in securing complex infrastructure systems, combining his historical knowledge of legacy systems with modern security frameworks. When not defending networks, he enjoys making (and sometimes breaking) things as well as getting a bird's eye view through the goggles of his FPV-quadcopter.
Abstract: SecObserve is an open-source vulnerability management system for software development teams and cloud environments. It supports a variety of open-source vulnerability scanners and integrates easily into CI/CD pipelines. It supports CSAF-VEX documents in two ways: CSAF-VEX documents can be imported and their content applied to vulnerabilities, and the results of vulnerability assessments can be exported as CSAF-VEX documents and made available to users or business partners.
In the talk, we will start with a brief overview of SecObserve's functionality for vulnerability management. Afterwards, we will present a practical demonstration of a vulnerability assessment workflow, including the creation and usage of a CSAF-VEX document. The format will be very few slides and predominantly a live demonstration.
Bio Stefan: After many years in software development, Stefan Fleckenstein took over responsibility for MaibornWolff's internal IT infrastructure and software development as CIO from 2010 to 2020. Information security became one of the focal points of his work during this time, in which he led MaibornWolff to the ISO 27001 certification. Combining his experiences from software development and information security, Stefan founded the Cybersecurity department at MaibornWolff, which advises and supports customers on all matters relating to security.
Stefan is passionate about vulnerability management and developing open-source software and is creator and maintainer of the Open Source vulnerability management system SecObserve (https://github.com/MaibornWolff/SecObserve).
Bio Lukas: With over 15 years of experience in software engineering, Lukas has evolved from a freelance developer to a DevOps specialist and is now focused on software supply chain security. He enjoys taking a holistic approach to software, covering everything from architectural decisions to production deployment and application lifecycle management.
At Stackable, he leads initiatives in container image signing, SBOM generation, and enterprise-scale vulnerability management. After evaluating several vulnerability management solutions, he identified SecObserve as the perfect fit for the company and occasionally contributes code back to the project.
Abstract: In the rapidly evolving landscape of software development, managing vulnerabilities efficiently and effectively is crucial to maintaining secure systems. The Common Security Advisory Framework (CSAF) standard offers a structured approach to disseminating vulnerability information, enabling better responses to security threats. This presentation focuses on our ongoing project to integrate the CSAF standard into Dependency-Track, an open-source platform dedicated to managing and tracking software dependencies, with the aid of our newly developed library, Kotlin-CSAF.
Kotlin-CSAF plays a crucial role in this integration effort by handling the retrieval, validation, and loading of CSAF documents. This library is designed to function independently of Dependency-Track, offering flexible solutions for various applications requiring CSAF document management. By leveraging Kotlin-CSAF, we aim to enhance Dependency-Track's capabilities, allowing it to process structured security advisories seamlessly.
Though the project is still in development, we will present our initial findings and demonstrate the progress made so far. The presentation will cover the technical aspects of integrating Kotlin-CSAF with Dependency-Track, addressing the challenges encountered and the solutions implemented. We will showcase how this integration improves the accuracy and timeliness of vulnerability management workflows, providing tangible benefits to organizations.
This initiative is hosted on GitHub, fostering community collaboration and feedback. We invite stakeholders from the CSAF community to engage with our project, contribute enhancements, and help shape the future of secure software supply chains. Join us to explore how Kotlin-CSAF and the CSAF standard, when integrated into Dependency-Track, can redefine vulnerability management, ensuring robust defenses against emerging threats.
Bio: will be provided shortly
Abstract: Expecting a rising influx of CSAF documents, it makes sense to track them and find out which are of interest to your organisation. Add a team responsible for a larger number of IT products, like a Computer Emergency Response Team, and you next need a CSAF management system to handle the load.
The German Federal Office for Information Security (BSI) has contracted the implementation of such a system, geared for internal use, as Free Software (sometimes called "Open Source Software"). The resulting web application is named ISDuBA and supports several teams working on incoming CSAF documents.
ISDuBA can follow CSAF Providers and aggregators automatically, comes with a workflow model and a role based permission system using an external identity management system like Keycloak. Revisions of CSAF documents can be compared to each other. Users can see comments of colleagues, decide on a Stakeholder-Specific Vulnerability Category, forward a document to a different system and finally archive or delete a group of documents once they are done with them.
A live demo of the main functions will show you what ISDuBA can do.
Bio: Bernhard Reiter is a contractor to the German Federal Office for Information Security (BSI). His team from Intevation implemented a number of Free Software CSAF tools, like the csaf_downloader and a CSAF Management System called ISDuBA.
The company Intevation is based in Osnabrück and Bernhard has co-owned it since 1999. He is also a Free Software activist with the FSFE and on the advisory board of Greenbone AG.
More details on Bernhard's homepage: https://intevation.de/~bernhard/index.en.html
Abstract: The aim of the BMBF project "Central Security Incident Management for SMEs in Industry 4.0" (ZenSIM 4.0, https://zensim-project.de) is to support manufacturers and operators of Industry 4.0 environments from the SME sector in operating IT security management independently. A dedicated platform was developed for this purpose, which enables IT security incident management. This platform enables SMEs to stay informed about vulnerabilities in their assets and proactively prevent potential cyber incidents. The Common Security Advisory Framework (CSAF) was used as a central tool in the project and an initial demonstrator was developed. This will be presented at the CSAF Community Days.
Within the project ZenSIM 4.0 we extended our Security Information and Event Management (SIEM) solution (ScanBox) for Industrial Control Systems (ICS) networks. This system aims to enhance vulnerability detection and response through the automated integration of Common Security Advisory Framework (CSAF) documents. By continuously ingesting and analyzing CSAF data, the system identifies vulnerabilities in ICS assets and provides actionable remediation guidelines for security teams.
The demonstration includes several key components: Asset Discovery, a CSAF Analysis Engine, and a Ticket Generator. The Asset Discovery module maps networked assets, while the CSAF Analysis Engine compares these assets with the latest CSAF advisories. Detected vulnerabilities trigger alerts—referred to as "tickets"—containing detailed information about the affected assets, potential risks, and tailored remediation steps. Each ticket includes a playbook, populated with strategies outlined in the corresponding CSAF document, to guide security teams through efficient response actions.
The presentation will provide an overview of the proposed solution, alongside a short video demonstration of the system in action.
Bio: Dr. Salva Daneshgadeh Cakmakci is a researcher specializing in network security. She earned her Ph.D. in Information Systems from the Middle East Technical University (METU) in Ankara, Turkey, in 2019. She then held postdoctoral positions at the University of Bremen's Department of Computer Science, focusing on scalable security architectures for business processes in German ports. She is currently affiliated with DECOIT GmbH & Co. KG in Bremen, Germany, contributing to projects on cybersecurity and SIEM. Her research interests include network and information security, data science and artificial intelligence. She has authored several publications on topics such as Distributed Denial-of-Service (DDoS) attack detection and Advanced Persistent Threat (APT) detection.
Abstract: Siemens not only publishes CSAFs (Common Security Advisory Framework) but also consumes advisories through an automated process. Tobias Limmer will provide insights into his experiences with processing CSAF data and matching it against assets, highlighting potential improvements to the CSAF specification. While security advisories are necessary and helpful, vulnerabilities are ultimately resolved through updates/patching of hardware and software. Michael Pfurtscheller will discuss the challenges of consuming and publishing updates from different perspectives within the supply chain, covering roles such as:
Bio Tobias Limmer: Tobias Limmer has been in the security field for 20 years, with over a decade of experience focused on the industrial side of IT infrastructures. He began his journey with vulnerability handling at Siemens ProductCERT, where he played a key role in automating security tests. His current research areas include tool-based vulnerability management and risk-based mitigation decisions.
Bio Michael Pfurtscheller: Michael Pfurtscheller is the Product Security Manager at u-blox AG but has mainly worked as a consultant since 1998. Security was always part of the job when working in the fields of SAP programming, management of messaging and collaboration infrastructures, network and computing center infrastructures, e-commerce projects and Pentesting. Currently, he focuses on establishing an ISO 21434-compliant Cybersecurity Management System (CSMS) for u-blox and its GNSS and IoT products, including vulnerability, incident, and update management for its modules and firmware.
Abstract: It is quite difficult to convince the purchasing department to have specific technical requirements included in each and every contract. While CISOs might be in a position to mandate such a rule, it is a burden to figure out exactly what is needed from CSAF in the current state of the art. The BSI TR-03191 provides an easy-to-use document for mandating CSAF to all suppliers.
Bio: Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories on both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee, and key in bridging this work with the CISA SBOM work. Prior to this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase the security of ICS and the broader ecosystem, BSI responsibilities cover many areas, including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his master's in IT-Security at Ruhr-University Bochum (Germany), which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).
Social Gathering: 19:00 CET at Hofbrauhaus Keller Freising, Lankesbergstraße 5, 85356 Freising, Germany