Development of an API to request security advisories for CSAF 2.0

Entstehung

Dies ist meine Abschlussarbeit für den Bachelor of Sience (B.Sc.) im Fach Unternehmens und IT-Sicherheit an der Hochschule Offenburg. Betreut wurde ich durch das Bundesamt für Sicherheit in der Informationstechnik (BSI) von Dr. Klaus Biß und Thomas Schmidt - seitens der Hochschule von Prof. Dr. Daniel Hammer.

Die Abschlussarbeit wurde in Englischer Sprache verfasst.

Abstract

This work addresses the conceptualization, design, and implementation of an Application Programming Interface (API) for the Common Security Advisory Framework (CSAF) 2.0, introducing another method for distributing CSAF documents in addition to two already existing methods. These don’t allow the use of flexible queries as well as filtering, which makes it difficult for operators of software and hardware to use CSAF. An API is intended to simplify this process and thus advance the automation goal of CSAF.

First, it is evaluated whether the current standard allows the implementation of an API. Any conflicts are highlighted and suggestions for standard adaptations are made. Based on these results, the API is designed to meet the previously defined requirements. Subsequently, a proof of concept is successfully developed according to the design and extensively tested with specially prepared test data. Finally, the results and the necessary standard adjustments are summarized and justified.

The conceptual design and the implementation were successfully completed. However, during the implementation of the proof of concept, some routes could not be fully implemented.

Downloads

• Veröffentlichung durch die Hochschule Offenburg (OPUS)
• Veröffentlichung auf der BSI-Seite

Referenzen

• CSAF Homepage
• Common Security Advisory Framework Version 2.0 (Oasis Open Standard)
• Offizielle Referenzimplementierung der CSAF-Komponenten (Github)
• Meine Implementierung der API (Github)