Webinar: Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale

WEBINAR RECORDING

The Common Security Advisory Framework (CSAF) is a standard to communicate Supply Chain and every-day vulnerabilities in an automated fashion. It therefore leverages the potential of SBOM and implements VEX. CSAF allows for the disclosure of security-related vulnerabilities in software, hardware, and specifications in machine-readable format. It supports automation of the production, distribution, and consumption of security advisories—reducing the time between when vulnerabilities are disclosed and when businesses remediate them. That’s why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently listed the widespread adoption of CSAF as one of “three critical steps to advance the vulnerability management ecosystem.”

In this webinar, members of the OASIS Open Technical Committee that developed CSAF will review the standard and explain its potential impact on vulnerability management. They will also demonstrate how CSAF documents work with Software Bills of Materials (SBOMs) and implement the Vulnerability Exploitability eXchange (VEX) to improve global cybersecurity.

Download the slides! RECORDED VIDEO

Speakers

Thomas Schmidt
Subject Matter Expert @German Federal Office for Information Security (BSI)
Thomas Schmidt works in the Industrial Automation and Control Systems section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories at both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee and key in bridging this work with the CISA SBOM work. To increase the security of ICS and the broader ecosystem, BSI responsibilities cover many areas including establishing trust and good relations with vendors and asset owners. Schmidt completed his master's in IT-Security at Ruhr-University Bochum (Germany) which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).

Omar Santos
Chair, CSAF Technical Committee and Product Security Incident Response Team (PSIRT) - Security Research & Operations @Cisco Systems
Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standard bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and lead engineers and incident managers during the investigation and resolution of security vulnerabilities. Omar has been quoted by numerous media outlets, such as TheRegister, Wired, ZDNet, ThreatPost, CyberScoop, TechCrunch, Fortune Magazine, Ars Technica, and more.

Diane Morris
Content Manager for Product Security Incident Response Team @Cisco Systems
Diane Morris is a content manager for Cisco’s Product Security Incident Response Team. Her team’s responsibilities include editing and publishing Cisco’s security advisories. Before joining Cisco, Diane worked for multiple non-profit organizations, writing and editing reports on topics like state budget policy, disability rights, and workers’ rights. Her first career out of college was in broadcast journalism, and she worked as a news producer at television stations in Kansas City, Houston, and Raleigh.

Justin Murphy
Vulnerability Disclosure Analyst @Cybersecurity and Infrastructure Security Agency (CISA)
Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder community-led efforts around software bill of materials (SBOM), and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).