Connect with us
X
Categories:

Technology

The exploitability advisory: CISA’s VEX provides a novel approach to addressing identified vulnerabilities

Published

on

The exploitability advisory: CISA's VEX provides a novel approach to addressing identified vulnerabilities
Share this post:

A new twist on security advisories promises to optimize the triaging of vulnerabilities by highlighting whether flaws are not just present within software but practically exploitable, too.

Developed by the US government, the vulnerability exploitability exchange (VEX) enables “both suppliers and users to focus on vulnerabilities that pose the most immediate risk” and avoid wasting time on bugs with no impact, according to use cases (PDF) published by the US Cybersecurity & Infrastructure Security Agency (CISA) in April 2022.

As CISA vulnerability analyst Justin Murphy puts it: if a software bill of materials (SBOM) “turns on flashing lights on the dashboard, VEX helps you figure out which ones you have to turn off”.

Speaking at the recent Linux Security Summit in Dublin, Ireland, Murphy said this “negative security advisory” supplements the provision of a product’s ‘ingredients’ by SBOMs, which President Biden has decreed should be a precondition for the government purchase of software.

Vulnerable_code_not_in_execute_path

VEX advisories, which emerged from a National Telecommunications and Information Administration (NTIA) project, advise whether a product is ‘affected’, ‘not affected’, ‘fixed’, or ‘under investigation’ in relation to a particular bug.

As detailed (PDF) by CISA, the ‘not affected’ designation could be accompanied by ‘status justifications’ such as:

  • Component_not_present
  • Vulnerable_code_not_present
  • Vulnerable_code_cannot_be_controlled_by_adversary
  • Vulnerable_code_not_in_execute_path
  • Inline_mitigations_already_exist

Murphy suggested a specific scenario in which “you have a third-party dependency and it says the code is vulnerable, but since the compiler rips it out you’re not actually affected”. Alternatively, he continued, a product might use a vulnerable library but not its vulnerable functions, or contain protections around input validation.

In providing information about exploitability, suggested Murphy, VEX advisories usefully augment SBOMs and the Known Exploited Vulnerability Catalog, which CISA launched in the fall of 2021.

Machine readability

The proliferation of CVEs and therefore security advisories has made tackling known vulnerabilities a “data management problem”, said Murphy.

And the problem is complicated by the fact advisories come in various formats, hampering not just machine readability but also “human readability in some cases”.

Asking the maintainer about flaws – “will you even get a response?” – or conducting your own, time-consuming investigation are hardly superior alternatives, argued Murphy.

This context helps explain CISA’s focus on interoperability and the fact VEX advisories can be implemented in the machine-readable OASIS CSAF standard.

Name confusion

Aspirations to link SBOM and VEX data are complicated by the lack of a universally agreed upon system of common identifiers for software components, conceded Murphy.

As such, security teams are at risk of erroneously misunderstanding their stack’s exposure when, for example, separate SBOMs inadvertently use differing identifiers for the same component or the same identifier for different components.

A comprehensive component identification system probably needs to address this problem “through aliases or equivalency relationships”, suggested Murphy, perhaps using a combination of common platform enumeration (CPE), package URLs (purls), SWID tags, SWHIDS, and GitBOM.


Get More Stories Like This On: Facebook: @AllNaijaEntertainment, Twitter: @AllNaijaEntertainment
Chief Oyerigha Echo Toikumoh - The Earlier The Better
Music1 month ago

[Music] Chief Oyerigha Echo Toikumoh – The Earlier The Better

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola's place at Manchester City
Sports1 month ago

Enzo Maresca and Mikel Arteta stated they will not take Pep Guardiola’s place at Manchester City

Alan Shearer reckons Liverpool star is ‘not going to get better’
Sports1 month ago

Alan Shearer reckons Liverpool star is ‘not going to get better’

NECO examiners threaten nationwide protest over unpaid entitlements
News1 month ago

NECO examiners threaten nationwide protest over unpaid entitlements

Jonathan congratulates Trump on historic election win
News1 month ago

Jonathan congratulates Trump on historic election win

Peter Obi can become president in 2027 — Yunusa Tanko
News1 month ago

Peter Obi can become president in 2027 — Yunusa Tanko

Dua Lipa forced to cancel show after ‘unforeseen safety issues’
Entertainment1 month ago

Dua Lipa forced to cancel show after ‘unforeseen safety issues’

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024
Entertainment1 month ago

Uzoamaka Onuoha wins Best Female Performance in a feature at AFRIFF 2024

'Phoenix Fury' bags Best Film award at the 13th edition of AFRIFF
Entertainment1 month ago

‘Phoenix Fury’ bags Best Film award at the 13th edition of AFRIFF

Vivo begins teasing new Dimensity 9400 flagships internationally
Technology2 months ago

Vivo begins teasing new Dimensity 9400 flagships internationally

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life
Technology2 months ago

Google Pixel 11 and Pixel 11 Pro may trade performance gains for longer battery life

Manchester United players warned ‘only one is safe’ under Ruben Amorim
Sports2 months ago

Manchester United players warned ‘only one is safe’ under Ruben Amorim

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight
Sports2 months ago

Austin DeAnda given impromptu makeover after he is forced to have haircut in the middle of fight

IG orders punishment for errant cops
News2 months ago

IG orders punishment for errant cops

Be ready to recover stolen mandate — Ighodalo tells PDP
News2 months ago

Be ready to recover stolen mandate — Ighodalo tells PDP

No part of Ogun will be ceded under my watch — Dapo Abiodun
News2 months ago

No part of Ogun will be ceded under my watch — Dapo Abiodun

Ruger calls out auto tune and hype culture in music
Entertainment2 months ago

Ruger calls out auto tune and hype culture in music

I hate to play same role repeatedly — Actress Bimbo Akintola
Entertainment2 months ago

I hate to play same role repeatedly — Actress Bimbo Akintola

Fans split on Davido, Wizkid, and Burna Boy's Grammy nominations.
Entertainment2 months ago

Fans split on Davido, Wizkid, and Burna Boy’s Grammy nominations

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung's rival iPhone 17 Air
Technology2 months ago

Samsung Galaxy S25 Slim: Leaker reveals launch details for Samsung’s rival iPhone 17 Air

Realme names first smartphone to get Android 15 beta worldwide
Technology2 months ago

Realme names first smartphone to get Android 15 beta worldwide

England interim manager tipped for surprise Premier League job
Sports2 months ago

England interim manager tipped for surprise Premier League job

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam
Sports2 months ago

Hakim Ziyech mocks Israeli supporters attacked in Amsterdam

Court jails seven for internet fraud in Kaduna
News2 months ago

Court jails seven for internet fraud in Kaduna

Edo APC criticizes Obaseki’s last-minute appointments
News2 months ago

Edo APC criticizes Obaseki’s last-minute appointments

Edo PDP announces caretaker committee
News2 months ago

Edo PDP announces caretaker committee

Tems makes history after securing 3 nominations for the 67th Grammys
Entertainment2 months ago

Tems makes history after securing 3 nominations for the 67th Grammys

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history
Entertainment2 months ago

Beyoncé surpasses Jay-Z to become the most nominated artist in Grammy history

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment2 months ago

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations

Davido, Wizkid, Tems, Asake make 2025 Grammy nominations
Entertainment2 months ago

2025 GRAMMY: Academy unveils category changes ahead of nomination event

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Final Episode 13)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 12)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 11)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 10)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 09)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 08)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 07)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 06)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 05)

The Pastor Daughter Story by Miriam Edem _ ANE Story
ANE Stories2 months ago

[STORY] THE PASTOR’S DAUGHTER (Episode 04)

ANE Billboard Hots



Join "ANE sabi" clique

Don't miss a thing, get ogbonge ANE latest updates to fuel your conversation daily.