Subject: RE: seeking CSAF help with SBOM "VEX" use case implementation
Hi Allan,

I would be glad to support, and already filled your Doodle poll. SBOM and VEX are important efforts that need to be closely synced with CSAF. Together we will be able to create a bigger momentum to push automation into advisory/vulnerability information exchange! Thanks for approaching and allowing us to participate.

Best regards,
Tobi

From: csaf-comment@lists.oasis-open.org <csaf-comment@lists.oasis-open.org> On Behalf Of Friedman, Allan

Hi CSAF folks,

Some of you are familiar with the broader SBOM work that we are trying to coordinate at NTIA. (More info is below.) We're trying to implement a key feature, and are actively looking at CSAF, but we need some help from the CSAF community. We're moving our weekly meeting to not conflict with the CSAF, so that we can win a few CSAF members over to occasionally help us. Doodle poll for new time! Also, if helpful, happy to join and make a quick pitch / answer questions / get yelled at.

SBOM: End-users of products that contain software are using SBOM ("Software Bill of Materials")1 data to gain insight into the potential risks from any third-party software components that are incorporated in that product. Specifically, users want to know to what extent they are affected by known vulnerabilities, which includes vulnerabilities in upstream software components.

Limits of SBOM: SBOMs provide insight into the composition of the product and potential vulnerabilities, but they do so at a high level that does not convey the extent to which a known vulnerability can be exploited in the product. This lack of "exploitability" results in many "false positives" being represented in the SBOM data and potentially obscuring the high risk exploitable vulnerabilities.

VEX: The "Vulnerability Exploitability eXchange" (VEX) approach will allow suppliers or other trusted experts to communicate that a vulnerability does not put the users or operators of software at risk. The SBOM community is looking into using CSAF to implement this VEX data representation and exchange.

Thanks - happy to chat more if anyone has questions.

allan

Allan Friedman, PhD
Director, Cybersecurity Initiatives
National Telecommunications & Information Administration
United States Department of Commerce
+1-202-573-1312

Tobias Limmer
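The SBOM/VEX relationship Allan describes, as an added illustration that is not part of either message or of any CSAF or NTIA project: a raw SBOM lookup against a vulnerability feed produces matches, and supplier VEX statements for this exact product decide which of those matches a consumer may stop treating as actionable. All SBOM, feed and VEX data below is constructed, the vulnerability identifiers are placeholders, and the status labels are modeled on CSAF 2.0 product_status categories rather than taken from a real CSAF document.

```python
"""Reconcile SBOM-derived vulnerability matches with VEX statements (constructed data)."""

# Statuses under which a consumer may stop treating a match as actionable
# (names modeled on CSAF 2.0 product_status; simplified, not a CSAF parser).
NOT_ACTIONABLE = {"known_not_affected", "fixed"}

# Constructed SBOM: the product and its third-party components (name, version).
SBOM = {
    "product": "acme-gateway 3.1",
    "components": [("openssl", "1.1.1k"), ("log4j-core", "2.14.1"), ("zlib", "1.2.11")],
}

# Constructed vulnerability feed keyed by (component, version); placeholder ids, not real CVEs.
VULN_FEED = {
    ("openssl", "1.1.1k"): ["CVE-EXAMPLE-0001"],
    ("log4j-core", "2.14.1"): ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"],
}

# Constructed VEX statements from the supplier; note the last one is about a different product version.
VEX = [
    {"vuln": "CVE-EXAMPLE-0001", "product": "acme-gateway 3.1", "status": "known_not_affected"},
    {"vuln": "CVE-EXAMPLE-0002", "product": "acme-gateway 3.1", "status": "known_affected"},
    {"vuln": "CVE-EXAMPLE-0003", "product": "acme-gateway 2.0", "status": "known_not_affected"},
]


def match_sbom(sbom, feed):
    """Return every (component, version, vuln) triple the plain SBOM lookup produces."""
    return [(name, ver, v) for name, ver in sbom["components"] for v in feed.get((name, ver), [])]


def apply_vex(sbom, matches, vex):
    """Split matches into actionable vs suppressed using only VEX statements for this product.

    A match with no statement, or with any status outside NOT_ACTIONABLE, stays
    actionable: silence from the supplier is not evidence of non-exploitability.
    """
    status = {s["vuln"]: s["status"] for s in vex if s["product"] == sbom["product"]}
    result = {"actionable": [], "suppressed": []}
    for name, ver, vuln in matches:
        bucket = "suppressed" if status.get(vuln) in NOT_ACTIONABLE else "actionable"
        result[bucket].append((name, ver, vuln, status.get(vuln, "no_statement")))
    return result


if __name__ == "__main__":
    for bucket, rows in apply_vex(SBOM, match_sbom(SBOM, VULN_FEED), VEX).items():
        print(bucket, rows)
```

Only CVE-EXAMPLE-0001 is suppressed; CVE-EXAMPLE-0003 stays actionable because the only statement about it concerns a different product version.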