How_to_Write_and_Distribute_Security_Advisories_OpenSSF_Day_Japan_2023.pdf

Transcript

1. How to Write and Distribute Security Advisories Norihiro Nakaoka Future

   Corporation

2. Self Introduction Norihiro Nakaoka / @MaineK00n 2 OSS Vulnerability Scanner:

   Vuls1 Committer Future Corporation, Cyber Security Innovation Group [1] https://github.com/future-architect/vuls

3. Contents 1. Use Security Advisory with Vulnerability Scanner 2. Read

   Security Advisory on Machine 3. Bad Security Advisory for Machine Reading 4. To Provide the Best Security Advisory 3

4. How to Use Security Advisory in Vuls The quality of

   security advisories directly affects the accuracy of vulnerability detection! 4 Today's Topic

5. OVAL: RHSA-2022:9080 5 Name Version, Arch Repository

6. CSAF: RHSA-2022:9080 6 Name, Version, Arch Repository

7. OSV: ALSA-2022:9080 7 Name Version Range

8. NVD: CVE-2022-46872 8 Running on/with CPE, Version Range

9. Product Identification Plain Text or CPE is often used, but

   each has its own problems. • Plain Text: No format, difficult to unify expressions • CPE: Naming Problem ⇒ Shift to PURL, SWID, and GTIN etc… has been proposed1 9 [1] https://owasp.org/assets/files/posts/A%20Proposal%20to%20Operationalize%20Component%20Identification%20for%20Vulnerability%20Management.pdf

10. Bad Security Advisory Contents Advisory not mechanically readable or difficult

    to read • Not using appropriate field in schema 10 • Affected Version cannot be determined ◦ Affected Version: 5.2.0 to 5.2.12, 5.0 and below 5.0 and below: “≦ 5.0.0” or “≦ 5.0.x” ?

11. Don't be Overconfident in NVD NVD has other problems besides

    CPE • affected products is wrong ◦ FG-IR-13-014(CVE-2013-1414) Affected Versions Fortinet:4.3.12 and prior versions, 5.0.2 and prior versions NVD: before 4.3.13 and 5.x before 5.0.2 • take time to add affected products ◦ FG-IR-22-398(CVE-2022-52574) Published Date Fortinet: 2022-12-12 NVD: 2023-01-02 11

12. Bad Way to Provide Security Advisory Hard to even get

    to a mechanically readable advisory • Unable to access advisory • Provided only in HTML or PDF • Not enough information as advisory 12

13. To Provide the Best Security Advisory GitHub Security Advisory1 publication

    system is good. • Easy Access to Advisory • Clear and Simple Schema • Advisory Suggestions and Modifications 13 [1] https://github.com/github/advisory-database

14. Summary • Many security advisories have been published. However, it

    is often not mechanically readable and is not used. • If it is a vulnerability scanner, it has a significant impact on detection targets and detection accuracy. • Don't just read security advisory, use it! 14

15. Thank you for your attention! 15 E-Mail: [email protected] GitHub: @MaineK00n

    𝕏 (Twitter): @MaineK00n