 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Software Bills of Materials tell you what code is in a program. Chainguard’s OpenVEX will tell you what’s wrong and what’s not quite right, but OK in your code.
Chainguard is already a security programming leader, and now it’s taking another step forward by adding support for Vulnerability Exploitability eXchange (VEX) to . This draft implementation is called OpenVEX.
VEX, you ask? It’s a new Cybersecurity and Infrastructure Security Agency (CISA) working specification. It’s meant to be a machine-readable security advisory. As such, it’s integrated into existing security management tools and broader vulnerability tracking platforms. VEX data is integrated with SBOM data. You can do this by representing VEX data inside an existing SBOM, or within a dedicated VEX SBOM.
Within VEX records, you’ll find the following elements:
VEX gets its vulnerability data from the Common Security Advisory Framework. This is an OASIS reference that describes the creation, update, and interoperable exchange of security advisories as structured data on products, vulnerabilities, and the status of impact and remediation. This information is shared in JSON.
Chainguard has taken the next logical step and has released an OpenVEX specification and reference toolchain. The company didn’t do it all on its own. It developed it with the support of several industry leaders, including Anchore, HPE, Google, TestifySec, VMware, and The Linux Foundation.
VEX has also been championed by the United States National Telecommunications and Information Administration and supported by the CISA. The goal of VEX is to improve the ability of organizations to identify and mitigate critical security threats.
OpenVEX is complementary to SBOM tools, allowing suppliers to communicate precise metadata about the vulnerability status of products directly to consumers and end-users. It was developed in collaboration with CISA’s VEX Working Group and is the first format to meet the VEX minimum requirements. Chainguard has also put OpenVEX into production in its Wolfi Linux (un)distribution and Chainguard Images product.
The OpenVEX specification enables developers to communicate precise, actionable metadata to improve the signal-to-noise ratio for consumers of their software. OpenVEX makes it easy for software producers to describe their artifacts’ exploitability accurately.
And, just as importantly, OpenVEX makes it easier for software consumers to filter out false positives from vulnerability scanners. This means security professionals spend more time investigating worthwhile security concerns and less time weeding through erroneous findings. OpenVEX encodes false positives and enables consumers to prioritize vulnerability reports much more effectively.
That’s important because, according to Phil Venables, Google Cloud’s chief information security officer, our increased knowledge of problems can lead to an “uncanny valley” of minor security problems. Lacking context, these minor problems can appear much larger than they are, leading folks to assume their code’s security has gotten worse.
The movement to provide SBOMs will dramatically increase transparency throughout the software supply chain. Forward-thinking organizations have realized that while transparency is great, noise in the vulnerability ecosystem will hamper SBOMs’ adoption and usefulness.
OpenVEX allows developers to generate VEX data for Wolfi packages using the distro’s companion tool, wolfictl. Users can also filter out noise, like false positives, from scanner results with VEX data using vexctl’s filtering feature.
You can start today with OpenVEX using the following steps:
The end result is that OpenVEX has simplified the remediation process for software vulnerability management. This is still a work in progress. We’ll need to work together to build formats and tooling that can be easily integrated into existing development practices.
OpenVEX is being released and maintained out in the open to encourage collaboration and simplify the remediation process for all stakeholders. Eventually, the combination of SBOM and VEX will lead to building programs faster and more securely than ever.
As Ariadne Conill, Chainguard’s principal software engineer, put it, “managing vulnerability sprawl in software distributions is a significant challenge, as each vulnerability has to be researched by security teams to determine whether they are applicable to the versions present in the software distribution.
“The launch of OpenVEX allows all stakeholders, from the upstream developer to distributions and end users, to collaborate together on vulnerability remediation anywhere software is consumed, simplifying the remediation process for everybody.”
