Dive Brief:
- Microsoft will disclose vulnerabilities under the Common Security Advisory Framework, a move designed to help customers respond and remediate CVEs in a more efficient manner, the company said this week.
- CSAF is a format that is machine readable, which helps organizations digest the CVEs faster and in larger volumes. Customers will still be able to get CVE updates through the Microsoft security update guide or through an API based on the Common Vulnerability Reporting Framework. The CVRF serves as the standard for disclosing vulnerability information.
- The CSAF rollout represents the third in a series of changes to make vulnerability disclosure more transparent at Microsoft. The company in June announced Cloud Service CVEs and in April said it would publish root cause analysis using the Common Weakness Enumeration standard.
Dive Insight:
The embrace of CSAF marks a further step toward transparency by Microsoft, which announced an overhaul of its security culture a year ago, under a program called the Secure Future Initiative.
Microsoft launched the program in response to a state-linked hack of Microsoft Exchange Online, which resulted in the theft of tens of thousands of emails from the U.S. State Department and the intrusion into other sensitive customer accounts.
The U.S. Cyber Safety Review Board released a withering report in April, calling the 2023 hack entirely preventable and noting the prioritized speed to market over security in how Microsoft developed its products.
The Cybersecurity and Infrastructure Security Agency has advocated adoption of the CSAF format for more than two years, in order to help manage the onslaught of security vulnerabilities that network defenders need to analyze and remediate.
“Software vendors work constantly to understand if their products are impacted by a new vulnerability,” a CISA spokesperson told Cybersecurity Dive via email. “CSAF provides our community a standardized approach for vendors to disclose security vulnerabilities to end users in an accelerated and automated way.“
Source link