Upgrade to Pro — share decks privately, control downloads, hide ads and more …

How_to_Write_and_Distribute_Security_Advisories...

MaineK00n
December 04, 2023

 How_to_Write_and_Distribute_Security_Advisories_OpenSSF_Day_Japan_2023.pdf

MaineK00n

December 04, 2023
Tweet

More Decks by MaineK00n

Other Decks in Research

Transcript

  1. Self Introduction Norihiro Nakaoka / @MaineK00n 2 OSS Vulnerability Scanner:

    Vuls1 Committer Future Corporation, Cyber Security Innovation Group [1] https://github.com/future-architect/vuls
  2. Contents 1. Use Security Advisory with Vulnerability Scanner 2. Read

    Security Advisory on Machine 3. Bad Security Advisory for Machine Reading 4. To Provide the Best Security Advisory 3
  3. How to Use Security Advisory in Vuls The quality of

    security advisories directly affects the accuracy of vulnerability detection! 4 Today's Topic
  4. Product Identification Plain Text or CPE is often used, but

    each has its own problems. • Plain Text: No format, difficult to unify expressions • CPE: Naming Problem ⇒ Shift to PURL, SWID, and GTIN etc… has been proposed1 9 [1] https://owasp.org/assets/files/posts/A%20Proposal%20to%20Operationalize%20Component%20Identification%20for%20Vulnerability%20Management.pdf
  5. Bad Security Advisory Contents Advisory not mechanically readable or difficult

    to read • Not using appropriate field in schema 10 • Affected Version cannot be determined ◦ Affected Version: 5.2.0 to 5.2.12, 5.0 and below 5.0 and below: “≦ 5.0.0” or “≦ 5.0.x” ?
  6. Don't be Overconfident in NVD NVD has other problems besides

    CPE • affected products is wrong ◦ FG-IR-13-014(CVE-2013-1414) Affected Versions Fortinet:4.3.12 and prior versions, 5.0.2 and prior versions NVD: before 4.3.13 and 5.x before 5.0.2 • take time to add affected products ◦ FG-IR-22-398(CVE-2022-52574) Published Date Fortinet: 2022-12-12 NVD: 2023-01-02 11
  7. Bad Way to Provide Security Advisory Hard to even get

    to a mechanically readable advisory • Unable to access advisory • Provided only in HTML or PDF • Not enough information as advisory 12
  8. To Provide the Best Security Advisory GitHub Security Advisory1 publication

    system is good. • Easy Access to Advisory • Clear and Simple Schema • Advisory Suggestions and Modifications 13 [1] https://github.com/github/advisory-database
  9. Summary • Many security advisories have been published. However, it

    is often not mechanically readable and is not used. • If it is a vulnerability scanner, it has a significant impact on detection targets and detection accuracy. • Don't just read security advisory, use it! 14