Faster detection and rectification of security vulnerabilities in software with CSAF

The Common Security Advisory Framework (CSAF) is a machine-readable format for security notices and plays a crucial role in implementing the security requirements of the Cyber Resilience Act (CRA): Security vulnerabilities can be detected and rectified faster by automatically creating and sharing security information. Fraunhofer AISEC has now published the software library »kotlin-csaf«, which implements the CSAF standard in the Kotlin programming language.

16. October 2024

What is »kotlin-csaf«?

»kotlin-csaf« is an initial version of a software library that allows developers to process security information in the standardized CSAF format. This makes it easier to manage and validate security alerts and recommendations, which ultimately helps to make software more secure. The CSAF standard plays a critical role in cybersecurity by providing automated information to find and eliminate security vulnerabilities.

Integration with Dependency-Track: automated security checks, faster responses and more efficient compliance

The next step for Fraunhofer AISEC is to integrate »kotlin-csaf« into the Dependency-Track tool. Dependency-Track is a tool that reviews programs and their dependencies for security vulnerabilities. With the future integration of »kotlin-csaf« into Dependency-Track, companies will be able to

carry out automated security checks by processing security alerts and recommendations in a standardized format,
ensure faster responses to security incidents, as security information can be automatically created and consumed,
achieve more efficient compliance, as the Dependency-Track tool will then be more capable of meeting the requirements of the Cyber Resilience Act and the NIS 2 Directive.

Get involved: your feedback matters

»kotlin-csaf« is still in the early stages of development. Fraunhofer AISEC is continuously working to improve and expand the library. Therefore, we are looking for partners who are interested in working with us. Your input and feedback are crucial to making »kotlin-csaf« an even better cybersecurity tool.

»kotlin-csaf« library on GitHub: https://github.com/csaf-sbom/kotlin-csaf

Author

Christian Banse

Christian Banse holds a Master of Science in Business Information Systems with a focus on IT security from the University of Regensburg. He has been an employee at Fraunhofer AISEC since 2011. He was responsible for setting up a new type of network and cloud security laboratory, which he is now managing. This laboratory investigates research questions related to networks and IP-based communication. A particular focus is on research into methods for the automated and continuous certification of the IT security of cloud and container applications. Since mid-2018, Christian Banse has also been head of the Service and Application Security department.

Leave a ReplyCancel Reply

Fortifying Cryptography with Impeccable Circuits: Impeccable Keccak Explained

Ivan Gavrilan 13. January 2025

Cybersecurity threats are evolving, and cryptographic implementations face growing risks from fault injection attacks. Fraunhofer AISEC’s research introduces Impeccable Keccak, a new approach to secure SPHINCS+, a post-quantum cryptography digital signature scheme that has been standardized by NIST in 2024. By leveraging impeccable circuits and ensuring active security, this represents a new approach to fault-resilient cryptography.

Quantum and Classical AI Security: How to Build Robust Models Against Adversarial Attacks

Maximilian Wendlinger 13. December 2024

The rise of quantum machine learning (QML) brings exciting advancements such as higher levels of efficiency or the potential to solve problems intractable for classical computers. Yet how secure are quantum-based AI systems against adversarial attacks compared to classical AI? A study conducted by Fraunhofer AISEC explores this question by analyzing and comparing the robustness of quantum and classical machine learning models under attack. Our findings about adversarial vulnerabilities and robustness in machine learning models form the basis for practical methods to defend against these attacks, which are introduced in this article.

Fraunhofer AISEC commissioned by the German Federal Office for Information Security (BSI): New study on the synthesis of cryptographic hardware implementations

Felix Oberhansl 7. November 2024

The study by Fraunhofer AISEC on the security of cryptographic hardware implementations focuses on physical attacks on hardware, such as side-channel attacks and fault attacks, as well as measures to defend against them. These protective mechanisms can potentially be compromised by optimizations in the chip design process. The study shows that protective measures should be integrated into complex design processes and taken into account in hardware design synthesis in order to be resilient to hardware attacks. The findings will help hardware designers to develop robust and secure chips.