A VEXing Question: Am I Affected or Not?

OVERVIEW

With recent events like Log4Shell, more attention is being paid to software security and the underlying components used in developing software. SBOMs (Software Bill of Materials) are a great tool in uncovering vulnerabilities in software components, and aid software providers in becoming fully transparent about the components that comprise their software products. As SBOMs become more widespread, many security advisories released by organizations could contain “false positives,” when the underlying component contains a vulnerability, but that vulnerability is not exploitable. A key idea at the intersection of security advisories and SBOM is the “Vulnerability Exploitability eXchange” (VEX). A VEX allows software providers to explicitly communicate that they are NOT affected by a vulnerability, and software users (e.g., network defenders, developers, and services providers) to reduce effort and resources spent in investigating non-exploitable vulnerabilities that do not affect a product. VEX provides a machine-readable approach to support automation to help software users understand, am I affected or not?

This talk will give a brief overview of the SBOM concept and review the challenge of understanding when a vulnerability actually affects a product. We’ll discuss the implementation of VEX in current standards, highlight future directions, and conclude with a call for participants to get involved.