The Cybersecurity and Infrastructure Security Agency (CISA) has outlined critical steps for the prioritization of software vulnerability remediation by Federal agencies and the private sector. However, the success of these steps relies on software vendors providing the information the process depends on.
CISA explained that when a new vulnerability is identified, software vendors jump into action to understand the impacts on products, identify remediations, and communicate with end users.
“But as we know, the clock is ticking [and] adversaries are often turning vulnerabilities to exploits within hours of initial public reports,” CISA stated in a blog post published on Nov. 10.
To meet this timeframe, the private sector community needs a standardized approach to disclose security vulnerabilities to end users in an accelerated and automated way. Therefore, CISA suggests publishing machine-readable security advisories based on the Common Security Advisory Framework (CSAF) – which provides a standardized format for ingesting vulnerability advisory information and simplifies triage and remediation processes for asset owners.
“By publishing security advisories using CSAF, vendors will dramatically reduce the time required for enterprises to understand [the] organizational impact and drive timely remediation,” CISA added.
CISA also emphasized that organizations must use vulnerability management frameworks, such as Stakeholder-Specific Vulnerability Categorization (SSVC), which utilize exploitation status and other vulnerability data to help prioritize remediation efforts.
The cybersecurity agency used the SSVC methodology to build its Known Exploited Vulnerabilities catalog of hundreds of entries, which agencies are also required to reference when applying a framework for addressing known weaknesses in their enterprises. However, not all software vulnerabilities are readily known or logged as Common Vulnerabilities and Exposures (CVE) entries in public databases.
Organizations now have the option to use CISA’s customized SSVC decision tree guide to prioritize a known vulnerability based on an assessment of five decision points: exploitation status, technical impact, automatability, mission prevalence, and public well-being impact.
In addition, CISA suggests the widespread adoption of Vulnerability Exploitability eXchange (VEX) to communicate whether a product is affected by a vulnerability and enable prioritized vulnerability response.
According to CISA, VEX will make “it easier for organizations to understand whether a given product is impacted by a vulnerability.”
“To help reduce effort spent by users investigating vulnerabilities, vendors can issue a VEX advisory that states whether a product is or is not affected by a specific vulnerability in a machine-readable, automated way,” CISA said. “The ultimate goal of VEX is to support greater automation across the vulnerability ecosystem, including disclosure, vulnerability tracking, and remediation.”
CISA also explained that VEX data can support more effective use of software bill of materials (SBOM) data.
“While SBOM gives an organization information on where they are potentially at risk, a VEX document helps an organization find out where they are affected by known vulnerabilities, and if actions need to be taken to remediate based on exploitation status,” CISA explained.
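To make the SBOM, VEX and SSVC pieces described above concrete, the following is an added example (not code from CISA or the article) that reads a constructed CSAF-2.0-VEX-shaped document, drops the findings the vendor marks as not affected or fixed, and ranks what remains with the five SSVC decision points the article lists. The product IDs, CVE numbers and document content are placeholders constructed for the example, and the scoring rule that maps the five decision points to the Track / Track* / Attend / Act outcomes is a simplified illustration, not CISA's published decision tree.

```python
"""Constructed example: filter SBOM findings with a CSAF VEX document, then
apply a simplified SSVC-style prioritization to whatever is still open."""
import json

# Constructed CSAF 2.0 VEX-profile document. Product IDs and CVE numbers are
# placeholders, not real identifiers.
VEX_JSON = json.dumps({
    "document": {"category": "csaf_vex", "title": "Example VEX (constructed)"},
    "product_tree": {"full_product_names": [
        {"product_id": "CSAFPID-0001", "name": "ExampleApp 1.0 with liblog 2.3"},
        {"product_id": "CSAFPID-0002", "name": "ExampleApp 1.0 with libparse 4.1"},
        {"product_id": "CSAFPID-0003", "name": "ExampleApp 1.0 with libcrypt 0.9"},
    ]},
    "vulnerabilities": [
        # Vendor says the vulnerable code is never reached: not affected.
        {"cve": "CVE-0000-0001",
         "product_status": {"known_not_affected": ["CSAFPID-0001"]},
         "flags": [{"label": "vulnerable_code_not_in_execute_path",
                    "product_ids": ["CSAFPID-0001"]}]},
        # Vendor confirms exposure: this one needs remediation.
        {"cve": "CVE-0000-0002",
         "product_status": {"known_affected": ["CSAFPID-0002"]}},
        # Vendor has not finished analysis: keep it visible, do not silence it.
        {"cve": "CVE-0000-0003",
         "product_status": {"under_investigation": ["CSAFPID-0003"]}},
    ],
})


def load_vex():
    """Parse the constructed VEX document into a dict."""
    return json.loads(VEX_JSON)


# Statuses that remove a finding from the work queue; everything else stays.
SILENCED = {"known_not_affected", "fixed"}


def vex_statuses(vex):
    """Return {(cve, product_id): status} from each vulnerability's product_status."""
    out = {}
    for vuln in vex["vulnerabilities"]:
        for status, product_ids in vuln.get("product_status", {}).items():
            for pid in product_ids:
                out[(vuln["cve"], pid)] = status
    return out


def open_findings(vex):
    """Findings that still need a patch or a human: anything VEX did not silence."""
    return sorted(k for k, status in vex_statuses(vex).items() if status not in SILENCED)


# Simplified SSVC-style scoring over the five decision points named in the
# article. Assumption: this additive mapping is illustrative only.
EXPLOITATION = {"none": 0, "poc": 1, "active": 2}
TECH_IMPACT = {"partial": 0, "total": 1}
AUTOMATABLE = {"no": 0, "yes": 1}
MISSION = {"minimal": 0, "support": 1, "essential": 2}
WELL_BEING = {"minimal": 0, "material": 1, "irreversible": 2}
DECISIONS = ["Track", "Track*", "Attend", "Act"]
DEFAULT_INPUTS = dict(exploitation="none", technical_impact="partial", automatable="no",
                      mission_prevalence="minimal", public_well_being="minimal")


def ssvc_decision(exploitation, technical_impact, automatable,
                  mission_prevalence, public_well_being):
    """Bucket a 0..6 score into the four SSVC outcome labels (two points per bucket)."""
    score = (EXPLOITATION[exploitation] + TECH_IMPACT[technical_impact]
             + AUTOMATABLE[automatable]
             + max(MISSION[mission_prevalence], WELL_BEING[public_well_being]))
    return DECISIONS[min(score // 2, 3)]


def triage(vex, ssvc_inputs):
    """Attach (vex_status, ssvc_decision) to every open finding.

    ssvc_inputs maps a CVE to its decision-point values; findings without
    analyst input fall back to the lowest-priority defaults so they are never lost.
    """
    statuses = vex_statuses(vex)
    return {key: (statuses[key], ssvc_decision(**ssvc_inputs.get(key[0], DEFAULT_INPUTS)))
            for key in open_findings(vex)}


if __name__ == "__main__":
    inputs = {"CVE-0000-0002": dict(exploitation="active", technical_impact="total",
                                    automatable="yes", mission_prevalence="essential",
                                    public_well_being="material")}
    for (cve, pid), (status, decision) in triage(load_vex(), inputs).items():
        print(f"{cve} {pid}: vex={status} ssvc={decision}")
```

The point of keeping `under_investigation` in the output is that a VEX document only buys down work when the vendor has actually asserted "not affected" or "fixed"; everything else still needs the SSVC inputs filled in by the asset owner.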