CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments

Описание: CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments
Speakers: Tobias Limmer (Siemens, DE), Thomas Pröll (Siemens ProductCERT, DE)

Being involved in the field of security since 20 years ago, Tobi has been focusing on the industrial side of IT infrastructures for over 10 years now. Starting with vulnerability handling in Siemens ProductCERT, he was very involved into the automation of security tests. Now one of his research areas is tool-based vulnerability management & risk-based mitigation decisions. And he likes French comics.

Tom is working for Siemens in product security since 15 years. After five years of penetration testing he changed sides and is leading the incident handling and vulnerability response team for Siemens ProductCERT.

----

Vulnerability management for operators of segmented networks such as industrial environments and software suppliers still largely relies on manual processes. This results in high efforts and has tremendous impact on mitigative actions such as patching.Siemens has ramped up its vulnerability handling efforts in the last decade which resulted in publishing over 250 CVEs in 150 advisories in 2021. This amount of information can hardly be handled in the manual way for even moderately complex environments.By supporting the Common Security Advisory Format (CSAF), standardized by OASIS end of 2021, Siemens helps automatable vulnerability management in industrial environments, our Gallic villages.This talk will give an overview of the new CSAF 2.0 release and our experience implementing it. We need a community to support this effort and to improve the situation of vulnerability management, both on the side of publishing vendors and consuming operators. Especially tools are needed that support and automate this process. We will sketch a possible way forward for the whole community, also including SBOMs and VEX in the discussion.