Transforming Vulnerability Management – How CSAF, VEX, SBOMs and SSVC Work Together

OVERVIEW

There is no such thing as a “vulnerability-free” product. As we gain more insight into our supply chains, we can easily be overwhelmed by the number of potential vulnerabilities, and all of our manual processes are failing. Instead of burning people out with tedious tasks, we need to change the way we handle vulnerability management. The presentation will show the interconnection and relationship of different standards, including the Common Security Advisory Framework (CSAF), the Vulnerability Exploitability eXchange (VEX), the Known Exploited Vulnerabilities (KEV) catalog, Stakeholder-Specific Vulnerability Categorization (SSVC) and the Software Bill of Materials (SBOM). It will cover what needs to change to keep up with the vulnerabilities and threats discovered today. Taking the November 2022 blog post “Transforming the Vulnerability Management Landscape” by Eric Goldstein, CISA’s Executive Assistant Director for Cybersecurity, as a starting point, the presentation will shed light on how the US government believes the situation can be improved. It will also cover the actions necessary to support the ecosystem in transforming its vulnerability management, including tool support, the use of procurement regulation, education and much more.

Presented By

JUSTIN MURPHY
Vulnerability Disclosure Analyst, DHS/CISA