Subject: Re: [csaf] Re: Data on Use of CSAF VEX profile
Hi Duncan,

Red Hat has been actively publishing CSAF VEX documents since February, making them readily available to the public. You can find their announcement at this link: https://www.redhat.com/en/blog/csaf-vex-documents-now-generally-available

Cisco has been utilizing CSAF VEX internally since January and will begin publishing their CSAF VEX documents on June 12.

It's worth noting that multiple vendors are publishing CSAF advisories and some are actively working towards supporting the VEX profile as well.

However, it's highly likely that the situation will change after the June 11 timeframe (i.e., EO, SBOMs, among other factors). These changes are expected to influence and encourage more vendors to produce VEX documents in alignment with the CSAF standard.

Do you know of any vendor even producing non-CSAF VEX documents now?

Thank you!
Omar

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, May 17, 2023 at 9:34 AM
To: duncan sfractal.com <duncan@sfractal.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [csaf] Re: Data on Use of CSAF VEX profile

Even if you assume VEX is not widely used - that does not mean it would not be incredibly valuable *if it actually was*. That logic does not hold in any way.

Speaking as a software vendor, being able to provide a VEX (and - importantly - also having that accepted by my customers) instead of manually responding to vulnerability reports, would save me *a lot* of currently wasted time & money, in addition to making them more secure. The benefits are obvious to me. However, that last part is critical for adoption - clients need to understand VEX, and trust/accept it (including having it be supported in their vuln mgt. tools and risk registers), before this value will be realized.

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management | www.ibm.com/security
Assistant - Mauricio Durán Cambronero (mauduran@ibm.com)
Co-Chair - Open Cybersecurity Alliance, Project Governing Board


From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
Date: Wednesday, May 17, 2023 at 10:05 AM
To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [EXTERNAL] [csaf] Data on Use of CSAF VEX profile
There is frequently a debate on several of the CISA Software Transparency Workstreams (notably VEX and Onramps/Adoption) between two camps on the topic of VEX adoption. One person in particular is adamant that VEX isn't used by anyone anywhere. I fall in the other camp that VEX does have valid use cases (eg https://github.com/opencybersecurityalliance/PACE/tree/main/docs/UseCases/Pace_Sbom_Vex_Flags_Prioritization on status_justification use cases) and that VEX is beginning to be used.

Data would greatly help quiet our debates. I'm willing to shut up if the answer to all 3 of the following questions is no (ie not in use publicly or privately, and no plans to use). Hopefully the other side of the debate is willing to do similar if data is provided showing usage. The data desired is:
- Does anyone on this list know of any published CSAF using the VEX profile?
- Does anyone know of 'internal' CSAF/VEX use? Ie not a public website but used either inside a company, or between company and supplier/customers but only available within a trust group?
- Is anyone not using CSAF/VEX yet but plans to?

I also think having this data will help with CSAF adoption (ie orgs hesitating, or debating using one of the VEX alternatives, may decide to use CSAF if they see who else is using CSAF).

Please respond (even if it's all 3 no) so we have some data to work with.

-- 
Duncan Sparrell
sFractal Consulting
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
