Development of an API to request security advisories for CSAF 2.0

Origin of the work

This is my thesis for the Bachelor of Sience (B.Sc.) in Enterprise and IT Security at the University of Applied Sciences Offenburg. I was supervised by the Federal Office for Information Security (BSI) by Dr. Klaus Biß and Thomas Schmidt - on the part of the university by Prof. Dr. Daniel Hammer.

The thesis was written in English.

Abstract

This work addresses the conceptualization, design, and implementation of an Application Programming Interface (API) for the Common Security Advisory Framework (CSAF) 2.0, introducing another method for distributing CSAF documents in addition to two already existing methods. These don’t allow the use of flexible queries as well as filtering, which makes it difficult for operators of software and hardware to use CSAF. An API is intended to simplify this process and thus advance the automation goal of CSAF.

First, it is evaluated whether the current standard allows the implementation of an API. Any conflicts are highlighted and suggestions for standard adaptations are made. Based on these results, the API is designed to meet the previously defined requirements. Subsequently, a proof of concept is successfully developed according to the design and extensively tested with specially prepared test data. Finally, the results and the necessary standard adjustments are summarized and justified.

The conceptual design and the implementation were successfully completed. However, during the implementation of the proof of concept, some routes could not be fully implemented.

Downloads

• Publication by the Offenburg University of Applied Sciences (OPUS)
• Publication on the BSI websitesite

References

• CSAF Homepage
• Common Security Advisory Framework Version 2.0 (Oasis Open Standard)
• Official reference implementation of the CSAF components (Github)
• My implementation of the API (Github)