Subject: Re: Data on Use of CSAF VEX profile
Even if you assume VEX is not widely used - that does not mean it would not be incredibly valuable *if it actually was*. That logic does not hold in any way.
Speaking as a software vendor, being able to provide a VEX (and - importantly - also having that accepted by my customers) instead of manually responding to vulnerability reports, would save me *a lot* of currently wasted time & money, in addition to making them more secure. The benefits are obvious to me. However that last part is critical for adoption - clients need to understand VEX, and trust/accept it (including having it be supported in their vuln mgt. tools and risk registers), before this value will be realized.

-
Assistant - Mauricio Durán Cambronero (mauduran@ibm.com)
Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org

From:
csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
There is frequently a debate on several of the CISA Software Transparency Workstreams (notably VEX and Onramps/Adoption) between two camps on the topic of VEX adoption. One person in particular is adamant that VEX isn't used by anyone anywhere. I fall in the other camp that VEX does have valid use cases (eg https://github.com/opencybersecurityalliance/PACE/tree/main/docs/UseCases/Pace_Sbom_Vex_Flags_Prioritization on status_justification use cases) and that VEX is beginning to be used. Data would greatly help quiet our debates. I'm willing to shut up if the answer to all 3 of the following questions is no (ie not in use publicly or privately, and no plans to use). Hopefully the other side of the debate is willing to do similar
if data is provided showing usage. The data desired is:
I also think having this data will help with CSAF adoption (ie orgs hesitating, or debating using one of the VEX alternatives, may decide to use CSAF if they see who else is using CSAF). Please respond (even if it's all 3 no) so we have some data to work with.

--
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/