Subject: Re: [csaf] Re: Data on Use of CSAF VEX profile


Omar,

Thanks for pointing out that blog post. We've since published another one that talks about our intent on publishing per-CVE VEX in addition to the per-advisory VEX files we already publish today. Find out more here:

https://www.redhat.com/en/blog/future-red-hat-security-data

The blog post also outlines how data combined from SBOM and VEX files can be used for more accurate vulnerability assertions across our entire product portfolio instead of only supporting the RPM-based products that are covered by OVAL today.

We have found the OpenVEX format to not be sufficiently expressive in how it specifies products (its focus seems to be more on upstream packages alone) and their relationships to components. CSAF is a much more comprehensive standard albeit with a bit more complexity attached. I'm not aware of any other standardized formats for VEX data.

Cheers,

--
Martin Prpič / Red Hat Product Security


On Wed, May 17, 2023 at 9:56 AM Omar Santos (osantos) <osantos@cisco.com> wrote:

Hi Duncan,

Red Hat has been actively publishing CSAF VEX documents since February, making them readily available to the public. You can find their announcement at this link: https://www.redhat.com/en/blog/csaf-vex-documents-now-generally-available

Cisco has been utilizing CSAF VEX internally since January and will begin publishing their CSAF VEX documents on June 12.

It's worth noting that multiple vendors are publishing CSAF advisories and some are actively working towards supporting the VEX profile as well.

However, it's highly likely that the situation will change after the June 11 timeframe (i.e., EO, SBOMs, among other factors). These changes are expected to influence and encourage more vendors to produce VEX documents in alignment with the CSAF standard.

Do you know of any vendor even producing non-CSAF VEX documents now?

Thank you!

Omar

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of Jason Keirstead <Jason.Keirstead@ca.ibm.com>
Date: Wednesday, May 17, 2023 at 9:34 AM
To: duncan sfractal.com <duncan@sfractal.com>, csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [csaf] Re: Data on Use of CSAF VEX profile

Even if you assume VEX is not widely used - that does not mean it would not be incredibly valuable *if it actually was*. That logic does not hold in any way.

Speaking as a software vendor, being able to provide a VEX (and - importantly - also having that accepted by my customers) instead of manually responding to vulnerability reports, would save me *a lot* of currently wasted time & money, in addition to making them more secure. The benefits are obvious to me. However that last part is critical for adoption - clients need to understand VEX, and trust/accept it (including having it be supported in their vuln mgt. tools and risk registers), before this value will be realized.

-
Jason Keirstead
Distinguished Engineer, CTO - IBM Security Threat Management | www.ibm.com/security

Assistant - Mauricio Durán Cambronero (mauduran@ibm.com)

Co-Chair - Open Cybersecurity Alliance, Project Governing Board

www.opencybersecurityalliance.org

From: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org> on behalf of duncan sfractal.com <duncan@sfractal.com>
Date: Wednesday, May 17, 2023 at 10:05 AM
To: csaf@lists.oasis-open.org <csaf@lists.oasis-open.org>
Subject: [EXTERNAL] [csaf] Data on Use of CSAF VEX profile

There is frequently a debate on the several of the CISA Software Transparency Workstreams (notably VEX and Onramps/Adoption) between two camps on the topic of VEX adoption. One person in particular is adamant that VEX isn't used by anyone anywhere. I fall in the other camp that VEX does have valid use cases (eg https://github.com/opencybersecurityalliance/PACE/tree/main/docs/UseCases/Pace_Sbom_Vex_Flags_Prioritization on status_justification use cases) and that VEX is beginning to be used.

Data would greatly help quiet our debates. I'm willing to shut up if the answer to all 3 of the following questions is no (ie not in use publicly or privately, and no plans to use). Hopefully the other side of debate is willing to do similar if data is provided showing usage. The data desired is:

  • Does anyone on this list know of any published CSAF using VEX profile?
  • Does anyone know of "internal" CSAF/Vex use? Ie not a public website but used either inside a company, or between company and supplier/customers but only available within trust group?
  • Is anyone not using CSAF/VEX yet but plans to?

I also think having this data will help with CSAF adoption (ie orgs hesitating, or debating using one of the VEX alternatives, may decide to use CSAF if they see who else is using CSAF).

Please respond (even if it's all 3 no) so we have some data to work with.

--

Duncan Sparrell

sFractal Consulting

iPhone, iTypo, iApologize

I welcome VSRE emails. Learn more at http://vsre.info/
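As an added example (not code from this thread, nor from Red Hat or Cisco), the SBOM-plus-VEX combination Martin describes and the status_justification use cases Duncan points to, in Python: a constructed minimal CSAF 2.0 VEX document is joined with a constructed SBOM component list to answer, per PURL, whether a component is affected by a CVE and which justification flag applies. Field names follow the CSAF 2.0 schema (document, product_tree, vulnerabilities, product_status, flags); the product ids, PURLs and the CVE id are placeholders.

```python
import json

# Constructed minimal CSAF 2.0 VEX document; field names follow the CSAF 2.0 schema,
# while product ids, PURLs and the CVE id are placeholders (assumption, not real data).
VEX_DOC = json.loads("""{
 "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Example VEX"},
 "product_tree": {"branches": [{"category": "product_name", "name": "example-app", "branches": [
  {"category": "product_version", "name": "1.2.0", "product": {"product_id": "APP-1.2.0",
   "name": "example-app 1.2.0", "product_identification_helper": {"purl": "pkg:rpm/example/app@1.2.0"}}},
  {"category": "product_version", "name": "1.3.0", "product": {"product_id": "APP-1.3.0",
   "name": "example-app 1.3.0", "product_identification_helper": {"purl": "pkg:rpm/example/app@1.3.0"}}}]}]},
 "vulnerabilities": [{"cve": "CVE-0000-00000",
  "product_status": {"known_affected": ["APP-1.2.0"], "known_not_affected": ["APP-1.3.0"]},
  "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["APP-1.3.0"]}]}]}""")

# Constructed SBOM fragment: the PURLs of components found in a deployment.
SBOM_PURLS = ["pkg:rpm/example/app@1.3.0", "pkg:rpm/example/app@1.2.0", "pkg:rpm/example/other@2.0.0"]


def purl_index(doc):
    """Map every PURL in product_tree to its CSAF product_id (recursive branch walk)."""
    index = {}

    def walk(branches):
        for b in branches:
            prod = b.get("product", {})
            purl = prod.get("product_identification_helper", {}).get("purl")
            if purl:
                index[purl] = prod["product_id"]
            walk(b.get("branches", []))

    walk(doc["product_tree"]["branches"])
    return index


def vex_status(doc, purl, cve):
    """(status, justification) for one component and CVE; 'unknown' when the VEX is silent."""
    pid = purl_index(doc).get(purl)
    for vuln in doc["vulnerabilities"]:
        if pid is None or vuln.get("cve") != cve:
            continue
        for status, ids in vuln.get("product_status", {}).items():
            if pid in ids:  # flags carry the machine-readable justification for not_affected
                just = next((f["label"] for f in vuln.get("flags", [])
                             if pid in f.get("product_ids", [])), None)
                return status, just
    return "unknown", None


def assess_sbom(doc, purls, cve):
    """Join SBOM components with VEX assertions: the SBOM+VEX combination the thread describes."""
    return {p: vex_status(doc, p, cve) for p in purls}
```

Components the VEX document does not mention come back as "unknown", which is the case a consumer must treat separately from "known_not_affected" rather than silently dropping it.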
