Semantic Potential of Existing Security Advisory Standards
New discoveries made on a nearly daily basis and the constantly growing number of vulnerabilities in software products have led to the distribution of large volumes of vendor-dependent vulnerability information over various channels such as mailing lists and RSS (Really Simple Syndication) feeds. However, the format of these messages presents a major problem: it lacks standardized, semantic information, so processing requires human involvement and is therefore very time-intensive, expensive, and error-prone. Recent developments in the field of IT security have increased the need for a sound semantic security advisory standard that allows relevant security advisories to be processed automatically, more precisely and in a more timely manner. This would reduce pressure on organizations trying to keep their complex infrastructures secure and up to date by complying with standards such as Basel II and local legislation. This paper evaluates existing security advisory standards to identify usable semantic standards that enable the automated processing of security advisories, ensuring faster reaction times and a precise response to new threats and vulnerabilities. In this way, IT management can concentrate on solutions rather than on filtering messages.