ICS 2022

Software Bill of Materials (SBOMs) are now recognized as a key component in software supply chain risk management. Executive Order 14028 has mandated them for doing business with the federal government, and critical industries are increasingly adopting this position as well. Unfortunately, SBOMs can result in a significant number of false positive vulnerability reports, creating too much work for too few security experts.

Not every vulnerability merits panic. Just because a vulnerability is reported for a software component doesn't mean the vulnerability is actually exploitable.
 
Cybersecurity and Infrastructure Security Agency (CISA) and the German Cybersecurity and Infrastructure Security Agency (BSI), have developed VEX (Vulnerability Exploitability eXchange) to address this issue. VEX documents allow vendors to preemptively assess the exploitability of vulnerabilities and issue a standardized, machine-readable document that states whether or not their products are “affected” by one or more known component vulnerabilities. 
VEX helps vendors communicate efficiently with their customers and prevents organizations wasting valuable time fruitlessly searching for and patching vulnerabilities in components that are perfectly safe.

This talk will present the results of a supplier of mission-critical ICS equipment using VEX documents to swiftly address customer concerns regarding the high-profile Log4j vulnerability. It will also cover the structure and the standardized formats available for VEX documents. VEX is still early days and there is still work to be done regarding the processing of VEX documents. But the industry needs to understand and be ready for VEX if they are to get vulnerability management under control.

The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.

Learning Objectives:
The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.