

Subject: RE: seeking CSAF help with SBOM "VEX" use case implementation


Hi Allan,

 

I would be glad to support, and already filled your Doodle poll. SBOM and VEX are important efforts that need to be closely synced with CSAF. Together we will be able to create a bigger momentum to push automation into advisory/vulnerability information exchange!

 

Thanks for approaching and allowing us to participate.

 

 

Best regards,

Tobi

 

From: csaf-comment@lists.oasis-open.org <csaf-comment@lists.oasis-open.org> On Behalf Of Friedman, Allan
Sent: Tuesday, 9 March 2021 16:28
To: csaf-comment@lists.oasis-open.org
Subject: [csaf-comment] seeking CSAF help with SBOM "VEX" use case implementation

 

Hi CSAF folks,

 

Some of you are familiar with the broader SBOM work that we are trying to coordinate at NTIA. (More info is below)

 

We're trying to implement a key feature, and are actively looking at CSAF, but we need some help from the CSAF community.  We're moving our weekly meeting to not conflict with the CSAF, so that we can win a few CSAF members over to occasionally help us.  

 

Doodle poll for new time!

 

Also, if helpful, happy to join and make a quick pitch / answer questions / get yelled at.

 

SBOM: End-users of products that contain software are using SBOM ("Software Bill of Materials") data to gain insight into the potential risks from any third-party software components that are incorporated in that product. Specifically, users want to know to what extent they are affected by known vulnerabilities, which includes vulnerabilities in upstream software components.

Limits of SBOM: SBOMs provide insight into the composition of the product and potential vulnerabilities, but they do so at a high level that does not convey the extent to which a known vulnerability can be exploited in the product. This lack of "exploitability" results in many "false positives" being represented in the SBOM data and potentially obscuring the high risk exploitable vulnerabilities.

 

VEX: The "Vulnerability Exploitability eXchange" (VEX) approach will allow suppliers or other trusted experts to communicate that a vulnerability does not put the users or operators of software at risk. The SBOM community is looking into using CSAF to implement this VEX data representation and exchange.

 

Thanks - happy to chat more if anyone has questions.

allan

 

 

 

Allan Friedman, PhD

Director, Cybersecurity Initiatives

National Telecommunications & Information Administration

United States Department of Commerce

+1-202-573-1312

 

 

Tobias Limmer
Principal Key Expert
Siemens AG
T RDA CST
Otto-Hahn-Ring 6
81739 Muenchen, Germany
Mobile: +49 172 6703933
mailto:tobias.limmer@siemens.com

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Jim Hagemann Snabe; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Klaus Helmrich, Cedrik Neike, Matthias Rebellius, Ralf P. Thomas, Judith Wiese; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin-Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322
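To illustrate the false-positive problem Allan describes above, here is an added Python example (not from this thread, NTIA or the CSAF project) that applies VEX-style statements to SBOM-derived vulnerability matches. It assumes the product_status category names that CSAF 2.0 later standardized for this purpose (known_affected, known_not_affected, fixed, under_investigation); every SBOM entry, CVE identifier and statement below is a constructed placeholder.

```python
"""VEX triage over SBOM matches: suppress what the supplier says is not exploitable."""

# Constructed SBOM: product -> list of (component, version) it ships.
SBOM = {"ExampleGateway 3.1": [("libfoo", "1.2.0"), ("zlibby", "2.0.1"), ("parserx", "0.9")]}

# Constructed vulnerability feed: component -> CVE ids (placeholders, not real CVEs).
VULN_FEED = {
    ("libfoo", "1.2.0"): ["CVE-0000-0001", "CVE-0000-0002"],
    ("zlibby", "2.0.1"): ["CVE-0000-0003"],
    ("parserx", "0.9"): [],
}

# Constructed VEX statements keyed by CVE, using CSAF 2.0 product_status names
# (assumed here; the thread predates that spec). status -> products it applies to.
VEX = {
    "CVE-0000-0001": {"known_not_affected": ["ExampleGateway 3.1"]},
    "CVE-0000-0003": {"under_investigation": ["ExampleGateway 3.1"]},
}

# A match stays actionable unless the supplier explicitly clears it.
ACTIONABLE = {"known_affected", "under_investigation", "no_vex_statement"}
SUPPRESSED = {"known_not_affected", "fixed"}


def sbom_matches(product: str) -> set:
    """Naive SBOM-only view: every CVE recorded against any shipped component."""
    cves = set()
    for component in SBOM[product]:
        cves.update(VULN_FEED.get(component, []))
    return cves


def vex_status(cve: str, product: str) -> str:
    """Status the supplier asserted for this CVE/product pair, if any."""
    for status, products in VEX.get(cve, {}).items():
        if product in products:
            return status
    return "no_vex_statement"  # our own bucket, not a CSAF category


def triage(product: str) -> dict:
    """Group the SBOM matches by their VEX status (sorted for stable output)."""
    by_status = {}
    for cve in sbom_matches(product):
        by_status.setdefault(vex_status(cve, product), []).append(cve)
    return {status: sorted(cves) for status, cves in by_status.items()}


def actionable(product: str) -> list:
    """CVEs an operator still has to look at after applying VEX statements."""
    return sorted(c for s, cves in triage(product).items() if s in ACTIONABLE for c in cves)
```

Of the three raw SBOM matches, only the two without a "not affected" statement remain actionable; the under_investigation entry stays on the list until the supplier updates its status.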
