How to Reduce CVE Noise with VEX - Vulnerability-Exploitability eXchange

Explore the concept of VEX (Vulnerability-Exploitability eXchange) and its potential to revolutionize CVE management in this informative conference talk. Learn how VEX can significantly reduce CVE noise and improve vulnerability assessment processes for both small development teams and large-scale vulnerability management programs. Discover the integration of VEX with SBOMs (Software Bill of Materials) and its role in enhancing Zero Trust infrastructure. Gain insights into using VEX as a consumer to better determine vulnerability risks and mitigation strategies, as well as its application for vendors in effectively communicating actionable information to customers. Delve into topics such as software build materials, modeling gaps, mapping, policies, workflows, and the challenges associated with SBOMs. Examine the role of open-source in VEX implementation and understand the structure of VEX documents. Conclude with a discussion on duplicate CVEs and the broader implications of VEX in the cybersecurity landscape.

Intro
Risk
Value
Cost
Log for Shell
Main Message
Software Build Materials
Modeling Gap
Mapping
Not everything is affected
Policies
VEX
Workflow
Gaps
Questions
Sbomb
Sbomb Problems
Open Source
VEX Documents
Is there a repository
CycloneDX
What VEX is trying to do
Duplicate CVs
Conclusion