VEXed by all these security acronyms? Unfortunately, we can’t help break them all down today, but what we can do is talk about a new one….
The Vulnerability Exploitability eXchange or VEX is a data exchange and sharing platform designed to help organizations more efficiently assess and manage vulnerabilities in their software. VEX can be viewed as a companion tool to the now-popular and sometimes in use Software Bills of Material (SBOM) tool. However, it can be used independently of an SBOM.
Today’s security professionals are dealing with a myriad of tools that don’t integrate well and as a result are inundated with data that is at times more harmful than helpful. A recent report found that, on average, security professionals claim 40% of the alerts they receive are false positives – meaning they are frequently investigating a vulnerability that turns out to be trivial or worse, non-existent.
Chasing down false or irrelevant information is more than just a waste of time. This can lead to decreased productivity, burnout, insecurity and financial loss for an organization.
One way to avoid this is to have a source of truth for the exploitability of vulnerabilities that can quickly help teams identify what is critical and what is not. This is the promise of VEX.
VEX, championed by the United States National Telecommunications and Information Administration (NTIA) and supported by the Cybersecurity Infrastructure Security Agency (CISA) allows for the collection, analysis, and dissemination of vulnerability and exploit information in a timely and efficient manner. Its goal is to improve the ability of an organization to identify and mitigate critical security threats.
If developed and implemented correctly, VEX will help organizations:
By identifying and addressing critical vulnerabilities first, VEX allows an organization to improve its overall security while also improving team productivity and job satisfaction.
So, what does VEX have to do with SBOM?
.png)
When used in tandem, VEX and SBOM have the potential to dramatically improve the security of an organization's software supply chain.
Together, both tools can be used to create a comprehensive view of any organization's software security landscape. SBOM can be used to understand the specific components that make up a software application and to enable more thorough scanning for known vulnerabilities. The impact of those vulnerabilities can be clarified by VEX, allowing your team to more effectively prioritize and remediate.
A lot of SBOMs today are composed out of incomplete information sources, often, generated by the same security scanners that are producing the noise and false positives security teams are sifting through. With VEX metadata, you can pair the output of your security scanner to help prioritize what critical vulnerabilities actually need to be addressed. Once you’ve identified the critical vulnerabilities that need your immediate attention, you can use the SBOM to quickly identify where these vulnerabilities are in your software and remediate them.
Is it really that simple?
As is the case with most things, execution is not as easy as it sounds. There is a healthy debate around the concept of VEX and if it truly can deliver on its promises, coupled with the reality that SBOMs are still in the early adopter stage.
Despite these hurdles, there are strong signals of support coming from both the public and private sectors. Both SBOM and VEX have working groups within CISA and are now becoming more widely discussed in public forums as tools that can address some of industry’s most pressing software security problems. The path forward relies on the ecosystem's willingness to collaborate and build tooling that takes these concepts from theory and puts them into practice. In the coming weeks, the VEX subgroup will publish a set of minimum requirements for VEX to jumpstart the development of tooling that will help drive adoption.
At Chainguard, we are working to build tooling out in the open that makes it easier to generate SBOMs and VEX statements (stay tuned!). We believe that these are key pillars to securing the software supply chain. If you are interested in learning more about our work or would like to collaborate with us, get in touch today.
More Resources on SBOM & VEX
