Home
Unchained
Security Blog

Understanding the promise of VEX

Kaylin Trychon, VP of Marketing and Communications

VEXed by all these security acronyms? Unfortunately, we can’t help break them all down today, but what we can do is talk about a new one….

The Vulnerability Exploitability eXchange or VEX is a data exchange and sharing platform designed to help organizations more efficiently assess and manage vulnerabilities in their software. VEX can be viewed as a companion tool to the now-popular and sometimes in use Software Bills of Material (SBOM) tool. However, it can be used independently of an SBOM.

Today’s security professionals are dealing with a myriad of tools that don’t integrate well and as a result are inundated with data that is at times more harmful than helpful. A recent report found that, on average, security professionals claim 40% of the alerts they receive are false positives – meaning they are frequently investigating a vulnerability that turns out to be trivial or worse, non-existent.

Chasing down false or irrelevant information is more than just a waste of time. This can lead to decreased productivity, burnout, insecurity and financial loss for an organization.


One way to avoid this is to have a source of truth for the exploitability of vulnerabilities that can quickly help teams identify what is critical and what is not. This is the promise of VEX.

VEX, championed by the United States National Telecommunications and Information Administration (NTIA) and supported by the Cybersecurity Infrastructure Security Agency (CISA) allows for the collection, analysis, and dissemination of vulnerability and exploit information in a timely and efficient manner. Its goal is to improve the ability of an organization to identify and mitigate critical security threats.

If developed and implemented correctly, VEX will help organizations:

  • Better prioritize vulnerabilities: VEX will give organizations the ability to prioritize vulnerabilities based on their exploitability, making it easier to focus on the most critical issues first.

  • Enhance collaboration: VEX allows organizations to share vulnerability information with other organizations, which can enhance collaboration and improve overall security. This is especially beneficial for under-resourced security teams.

  • Facilitate compliance: VEX can help organizations more efficiently comply with security regulations and standards by providing a comprehensive view of critical vulnerabilities and the actions taken to address them.

By identifying and addressing critical vulnerabilities first, VEX allows an organization to improve its overall security while also improving team productivity and job satisfaction.

So, what does VEX have to do with SBOM?


A meme depicting a handshake between "vex" and "sboms". Text reads, "eliminating vulnerability noise with better data. vex. sboms."

When used in tandem, VEX and SBOM have the potential to dramatically improve the security of an organization's software supply chain.

Together, both tools can be used to create a comprehensive view of any organization's software security landscape. SBOM can be used to understand the specific components that make up a software application and to enable more thorough scanning for known vulnerabilities. The impact of those vulnerabilities can be clarified by VEX, allowing your team to more effectively prioritize and remediate.

A lot of SBOMs today are composed out of incomplete information sources, often, generated by the same security scanners that are producing the noise and false positives security teams are sifting through. With VEX metadata, you can pair the output of your security scanner to help prioritize what critical vulnerabilities actually need to be addressed. Once you’ve identified the critical vulnerabilities that need your immediate attention, you can use the SBOM to quickly identify where these vulnerabilities are in your software and remediate them.

Is it really that simple?

As is the case with most things, execution is not as easy as it sounds. There is a healthy debate around the concept of VEX and if it truly can deliver on its promises, coupled with the reality that SBOMs are still in the early adopter stage.

Despite these hurdles, there are strong signals of support coming from both the public and private sectors. Both SBOM and VEX have working groups within CISA and are now becoming more widely discussed in public forums as tools that can address some of industry’s most pressing software security problems. The path forward relies on the ecosystem's willingness to collaborate and build tooling that takes these concepts from theory and puts them into practice. In the coming weeks, the VEX subgroup will publish a set of minimum requirements for VEX to jumpstart the development of tooling that will help drive adoption.

At Chainguard, we are working to build tooling out in the open that makes it easier to generate SBOMs and VEX statements (stay tuned!). We believe that these are key pillars to securing the software supply chain. If you are interested in learning more about our work or would like to collaborate with us, get in touch today.

More Resources on SBOM & VEX


Share

Ready to Lock Down Your Supply Chain?

Talk to our customer obsessed, community-driven team.

Get Started