Faster detection and rectification of security vulnerabilities in software with CSAF

The Common Security Advisory Framework (CSAF) is a machine-readable format for security notices and plays a crucial role in implementing the security requirements of the Cyber Resilience Act (CRA): Security vulnerabilities can be detected and rectified faster by automatically creating and sharing security information. Fraunhofer AISEC has now published the software library »kotlin-csaf«, which implements the CSAF standard in the Kotlin programming language.

What is »kotlin-csaf«?

»kotlin-csaf« is an initial version of a software library that allows developers to process security information in the standardized CSAF format. This makes it easier to manage and validate security alerts and recommendations, which ultimately helps to make software more secure. The CSAF standard plays a critical role in cybersecurity by providing automated information to find and eliminate security vulnerabilities.
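To make concrete what "processing security information in the standardized CSAF format" involves, here is a small consumer written for this post in Python. It is an added example, not code from kotlin-csaf or Fraunhofer AISEC, and it uses only the CSAF 2.0 JSON layout (a `document` block with required tracking and publisher metadata, a `product_tree`, and a list of `vulnerabilities` with a `product_status`). The advisory, the vendor, the product names and the CVE identifier embedded in it are constructed placeholders. The example parses an advisory, reports required `document` fields that are missing, flags product IDs that a `product_status` references but the `product_tree` never defines, and resolves the `known_affected` status of each vulnerability to product names, which is the kind of lookup a dependency scanner needs.

```python
"""Minimal consumer for a CSAF 2.0 advisory (added example, not kotlin-csaf code)."""
import json

# Constructed sample advisory shaped after the CSAF 2.0 schema. Vendor, product
# names and the CVE number are placeholders and do not refer to real software.
SAMPLE_ADVISORY = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Vendor",
                      "namespace": "https://vendor.example"},
        "title": "Example advisory for demo-product",
        "tracking": {
            "id": "EXAMPLE-2024-0001",
            "status": "final",
            "version": "1",
            "initial_release_date": "2024-01-01T00:00:00.000Z",
            "current_release_date": "2024-01-01T00:00:00.000Z",
            "revision_history": [{"date": "2024-01-01T00:00:00.000Z",
                                  "number": "1", "summary": "Initial release"}],
        },
    },
    "product_tree": {
        # Products may be listed flat or nested under "branches"; both are handled below.
        "full_product_names": [
            {"product_id": "CSAFPID-0001", "name": "demo-product 1.0"},
        ],
        "branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
            {"category": "product_version", "name": "1.1",
             "product": {"product_id": "CSAFPID-0002", "name": "demo-product 1.1"}},
        ]}],
    },
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",  # placeholder identifier, not a real CVE
        "product_status": {"known_affected": ["CSAFPID-0001"], "fixed": ["CSAFPID-0002"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to 1.1",
                          "product_ids": ["CSAFPID-0001"]}],
    }],
})

# Fields the CSAF 2.0 schema marks as required inside "document".
REQUIRED_DOCUMENT_FIELDS = [
    ("category",), ("csaf_version",), ("title",),
    ("publisher", "category"), ("publisher", "name"), ("publisher", "namespace"),
    ("tracking", "id"), ("tracking", "status"), ("tracking", "version"),
    ("tracking", "initial_release_date"), ("tracking", "current_release_date"),
    ("tracking", "revision_history"),
]

# All product_status groups defined by CSAF 2.0.
STATUS_KEYS = ("first_affected", "first_fixed", "fixed", "known_affected",
               "known_not_affected", "last_affected", "recommended", "under_investigation")


def parse_advisory(text):
    """Parse the advisory JSON text into a dict."""
    return json.loads(text)


def missing_document_fields(advisory):
    """Return dotted paths of required document fields that are absent."""
    doc = advisory.get("document", {})
    missing = []
    for path in REQUIRED_DOCUMENT_FIELDS:
        node = doc
        for key in path:
            if not isinstance(node, dict) or key not in node:
                missing.append("document." + ".".join(path))
                break
            node = node[key]
    return missing


def product_names(advisory):
    """Map product_id -> name from full_product_names and nested branches.
    (Products introduced via "relationships" are not covered here.)"""
    names = {}

    def walk(branches):
        for branch in branches:
            if "product" in branch:
                names[branch["product"]["product_id"]] = branch["product"]["name"]
            walk(branch.get("branches", []))

    tree = advisory.get("product_tree", {})
    for product in tree.get("full_product_names", []):
        names[product["product_id"]] = product["name"]
    walk(tree.get("branches", []))
    return names


def dangling_product_ids(advisory):
    """Product IDs referenced in any product_status but never defined in product_tree."""
    known = product_names(advisory)
    dangling = set()
    for vuln in advisory.get("vulnerabilities", []):
        status = vuln.get("product_status", {})
        for key in STATUS_KEYS:
            dangling.update(pid for pid in status.get(key, []) if pid not in known)
    return sorted(dangling)


def affected_products(advisory):
    """Map each vulnerability's CVE to the names of products listed as known_affected."""
    names = product_names(advisory)
    result = {}
    for vuln in advisory.get("vulnerabilities", []):
        ids = vuln.get("product_status", {}).get("known_affected", [])
        result[vuln.get("cve", "<no CVE>")] = [names.get(pid, pid) for pid in ids]
    return result


if __name__ == "__main__":
    adv = parse_advisory(SAMPLE_ADVISORY)
    print("missing fields:", missing_document_fields(adv))
    print("dangling product ids:", dangling_product_ids(adv))
    print("known affected:", affected_products(adv))
```

The dangling-ID check matters in practice: a `product_status` that points at an undefined product ID silently drops the affected component from any tool that resolves IDs to names, so a consumer should reject or at least report such an advisory rather than treat it as "nothing affected".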

Integration with Dependency-Track: automated security checks, faster responses and more efficient compliance

The next step for Fraunhofer AISEC is to integrate »kotlin-csaf« into the Dependency-Track tool. Dependency-Track is a tool that reviews programs and their dependencies for security vulnerabilities. With the future integration of »kotlin-csaf« into Dependency-Track, companies will be able to

  • carry out automated security checks by processing security alerts and recommendations in a standardized format,

  • ensure faster responses to security incidents, as security information can be automatically created and consumed,

  • achieve more efficient compliance, as the Dependency-Track tool will then be more capable of meeting the requirements of the Cyber Resilience Act and the NIS 2 Directive.

Get involved: your feedback matters

»kotlin-csaf« is still in the early stages of development. Fraunhofer AISEC is continuously working to improve and expand the library. Therefore, we are looking for partners who are interested in working with us. Your input and feedback are crucial to making »kotlin-csaf« an even better cybersecurity tool.

»kotlin-csaf« library on GitHub: https://github.com/csaf-sbom/kotlin-csaf

Author
Christian Banse

Christian Banse holds a Master of Science in Business Information Systems with a focus on IT security from the University of Regensburg. He has been an employee at Fraunhofer AISEC since 2011. He was responsible for setting up a new type of network and cloud security laboratory, which he is now managing. This laboratory investigates research questions related to networks and IP-based communication. A particular focus is on research into methods for the automated and continuous certification of the IT security of cloud and container applications. Since mid-2018, Christian Banse has also been head of the Service and Application Security department.
