Common Security Advisory Framework (CSAF)

The CSAFversum or the language of security information - Exclusive workshops and Ask-the-Expert sessions around the topic of Common Security Advisory Framework (CSAF)

Workshops: 09.-12. December 2024; Community Days: 12.-13. December 2024; Location: ISH - Information Security Hub, Südallee 1, 85356 München-Flughafen

Vulnerabilities in hardware and software are omnipresent. Beyond a certain level of complexity, all software and hardware contains flaws, and such flaws can lead to security-relevant vulnerabilities that are then exploited. Such security-relevant vulnerabilities are like open wounds. They need to be taken care of. To do this, it must be known where the "wound" is located, what kind of "wound" it is and how it can be healed or at least initially treated as quickly as possible.

The digital solution for all these issues is CSAF (https://csaf.io): The Common Security Advisory Framework (CSAF) is a standardised and open-source framework for the communication and automated distribution of machine-processable vulnerability and mitigation information, so-called security advisories or security information. CSAF significantly reduces the manual effort required to search for security information and to determine whether products are affected or not. It allows manufacturers, users, operators and the administration to automatically retrieve information on individual vulnerabilities and to determine whether they are affected. Being not affected can also be communicated in a scalable manner (Vulnerability Exploitability eXchange (VEX) as a profile in CSAF). As the world becomes increasingly networked and complex, the number of security-relevant vulnerabilities will grow significantly and modern vulnerability management using CSAF documents will become indispensable.

The BSI and CISA promote and demand CSAF and are organising a total of three free workshops on the topic of CSAF (Common Security Advisory Framework) as part of the ACS (Alliance for Cyber Security), from 09.12.24 to 12.12.24. All workshops will be recorded and afterwards edited for teaching purposes and made publicly available. No personal data of participants will be processed or disclosed in the publicly available videos.

The workshops will be held in English and in person. All workshops are limited to 80 participants. Secure your place quickly (first come, first served) and register by 24.11.24 at csaf@bsi.bund.de.

Prerequisites for participation in the workshop:

The workshops are aimed at manufacturers, CERTs, research institutions and security researchers.

  • Joy of learning new things
  • Interest in Security Advisories
  • Very good knowledge of English, as the entire workshop will be held in English
  • Mandatory basic knowledge of command-line commands (for the majority of the tools used in the workshops)
  • Knowledge of the CSAF standard (for the 2nd workshop)
  • Programming knowledge in Python (for the 3rd workshop)

Which workshop should I attend?

Do you want to use CSAF in your organisation in the future but have little or no experience with the standard? Do you want to know what CSAF is, how to create valid CSAF advisories and what the standard can do for you, your organisation and your clients? Do you want to learn how to write CSAF advisories? Then the 1st workshop is just right for you. The knowledge you gain will be put into practice in various exercises. Feel free to bring your questions and ask us.

Are you already using CSAF in your organisation and have gained experience? Or do you already have prior knowledge from the 1st workshop? You know CSAF and have already come across one or more special cases and just don't know what to do? Then the 2nd workshop is just right for you. Here, specific questions about the standard and the format will be answered. We are happy to take your input and feedback regarding your previous experiences with the CSAF standard and answer them in the workshop. Here, too, the knowledge gained is applied practically in various exercises.

Would you like to know more about the distribution and automated retrieval of CSAF advisories? Have you heard of CSAF publishers, CSAF providers or CSAF aggregators? Do you want to make CSAF files available yourself, but don't know how? Then you are welcome to register for workshop 3. This workshop also includes practical exercises to consolidate the knowledge you have gained. In addition, the distribution mechanism for CSAF documents, with the different roles, will be implemented by all participants in the workshop.

You are welcome to register for more than one workshop.

Workshops

(each workshop is 2 days, 8 hrs in total)
  1. Workshop: CSAF writing boot camp (for beginners)
    09.12.24 from 13:30-18:00 and 10.12.24 from 08:00-12:30
    limited to 80 participants

  2. Workshop: The CSAF Writers Guild - Advancing Your Experience
    10.12.24 from 13:30-18:00 and 11.12.24 from 08:00-12:30
    limited to 80 participants

  3. Workshop: CSAF distribution – from scratch to publication
    11.12.24 from 13:30-18:00 and 12.12.24 from 08:00-12:30
    limited to 80 participants


The Community Days will take place on 12.12. and 13.12.24 in English. Virtual participation in the Community Days is possible, with no restriction on registration. On-site attendance is limited to 100 people. Registration is possible until 24.11.24 at csaf@bsi.bund.de.

The Call for Presentation is open - further details can be found here: https://communitydays.csaf.io.

Community Days

  1. Session
    12.12.24 from 13:30-18:00
  2. Session
    13.12.24 from 08:00-15:00