Subject: Re: Data on Use of CSAF VEX profile
Hi Duncan,

Red Hat has been actively publishing CSAF VEX documents since February, making them readily available to the public. You can find their announcement at this link:
https://www.redhat.com/en/blog/csaf-vex-documents-now-generally-available

Cisco has been utilizing CSAF VEX internally since January and will begin publishing their CSAF VEX documents on June 12.
It's worth noting that multiple vendors are publishing CSAF advisories and some are actively working towards supporting the VEX profile as well.
However, it's highly likely that the situation will change after the June 11 timeframe (i.e., EO, SBOMs, among other factors). These changes are expected to influence and encourage more vendors to produce
VEX documents in alignment with the CSAF standard. Do you know of any vendor even producing non-CSAF VEX documents now?
Thank you!
Omar

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>

Even if you assume VEX is not widely used - that does not mean it would not be incredibly valuable *if it actually was*. That logic does not hold in any way.
Speaking as a software vendor, being able to provide a VEX (and - importantly - also having that accepted by my customers) instead of manually responding to vulnerability reports,
would save me *a lot* of currently wasted time & money, in addition to making them more secure. The benefits are obvious to me. However that last part is critical for adoption - clients need to understand VEX, and trust/accept it (including having it
be supported in their vuln mgt. tools and risk registers), before this value will be realized.

- Assistant - Mauricio Durán Cambronero (mauduran@ibm.com)
Co-Chair - Open Cybersecurity Alliance, Project Governing Board
www.opencybersecurityalliance.org

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>

There is frequently a debate on several of the CISA Software Transparency Workstreams (notably VEX and Onramps/Adoption) between
two camps on the topic of VEX adoption. One person in particular is adamant that VEX isn't used by anyone anywhere. I fall in the other camp that VEX does have valid use cases (eg
https://github.com/opencybersecurityalliance/PACE/tree/main/docs/UseCases/Pace_Sbom_Vex_Flags_Prioritization on status_justification use cases) and that VEX is beginning to be used. Data would greatly help quiet our debates. I'm willing to shut up if the answer to all 3 of the following questions is no (ie not in use publicly or privately, and no plans
to use). Hopefully the other side of debate is willing to do similar if data is provided showing usage. The data desired is:
I also think having this data will help with CSAF adoption (ie orgs hesitating, or debating using one of the VEX alternatives, may decide to use CSAF if they see who else is
using CSAF). Please respond (even if it's all 3 no) so we have some data to work with.

--
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/