OASIS Common Security Advisory Framework (CSAF) TC


SBOM VEX work and Potential Integration with CSAF

  • 1.  SBOM VEX work and Potential Integration with CSAF

    Posted 01-13-2021 14:36
    Hi folks,
     
    Allan Friedman is in the process of becoming a member. As a follow up to the conversation we had in our last meeting Allan has provided additional information and a call to action below. We can further discuss in the meeting today.
     
     
    From: Friedman, Allan
     
    Dear CSAF Community,
     
    OVERVIEW: The Software Bill of Materials [1] community has been looking at the CSAF/CVRF spec for a particular need, that is tentatively called VEX (Vulnerability exploitability [exchange]). The high level goal is to facilitate communication around product/vulnerability relationships, which has a particular importance in a world of SBOMs.
     
    THE ASK: Omar kindly briefed the VEX working group on the CSAF/CVRF spec, and we'd like to try to see how we can implement the high level needs for VEX using the existing fields in CSAF/CVRF. This will go much better if someone from the TAC is able to help us map between VEX needs and the existing data fields for CSAF/CVRF. We meet every Wednesday at 1pm ET--any meetings you can join would be helpful.

     
    BACKGROUND ON VEX: As more suppliers share information about their third party dependencies with downstream users, we anticipate the following issue: a supplier uses a known vulnerable component, but that vulnerability does not put the user of the downstream product at any real risk (e.g. the affected code isn't compiled in, inline mitigations exist, etc.). For suppliers with mature product security teams, if they can communicate that downstream to their customers/users, then it will save everyone time, money, effort, customer support costs, etc. We seek to support the ability to handle this at scale with automation, but want to avoid trying to boil the ocean, and are adopting a crawl-walk-run mentality. If we can do this with an existing data tool like CSAF/CVRF, so much the better!
     
    [1] - WHAT'S AN SBOM? - A Software Bill of Materials (SBOM) is effectively a nested inventory, a list of ingredients that make up software components. Over the last two years, an international group of experts from across the software world have worked to define the technical, operational, and business sides of software supply chain transparency to address a range of use cases supporting software production, purchase, and acquisition. More information is available at NTIA.gov/SBOM. If you'd like to know more, please contact afriedman@ntia.gov
     
    Thanks for your help!
     
    allan
     
     
    Allan Friedman, PhD
    Director, Cybersecurity Initiatives
    National Telecommunications & Information Administration
    United States Department of Commerce
    afriedman@ntia.gov
    +1-202-573-1312
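As an added illustration of the consumer-side automation the BACKGROUND ON VEX paragraph describes (not part of the original post, and not CSAF/CVRF or NTIA tooling): a consumer matches SBOM components against known vulnerabilities, then applies supplier "not affected" statements so only findings that still need action remain. The product names, component names, vulnerability identifiers and justification labels are constructed samples.

```python
from dataclasses import dataclass

# Constructed justification labels, taken from the examples in the post
# ("code isn't compiled in", "inline mitigations exist"); not CSAF field values.
NOT_AFFECTED_REASONS = {"code_not_compiled_in", "inline_mitigation_exists"}


@dataclass
class VexStatement:
    product: str           # downstream product the supplier ships
    component: str         # third-party dependency, named as in the SBOM
    vuln_id: str           # vulnerability identifier (constructed samples below)
    status: str            # "affected" or "not_affected"
    justification: str = ""  # required when status == "not_affected"


def validate(stmt: VexStatement) -> None:
    """Reject statements a consumer could not act on automatically."""
    if stmt.status not in {"affected", "not_affected"}:
        raise ValueError(f"unknown status {stmt.status!r} for {stmt.vuln_id}")
    if stmt.status == "not_affected" and stmt.justification not in NOT_AFFECTED_REASONS:
        raise ValueError(f"not_affected needs a recognised justification: {stmt.vuln_id}")


def actionable_findings(product, sbom, known_vulns, vex):
    """Return {vuln_id: component} that the consumer of `product` still must act on.
    sbom: component names in the product; known_vulns: {component: [vuln_id, ...]};
    vex: supplier statements. A finding with no statement stays actionable, and a
    statement about a different product never exempts anything here."""
    for stmt in vex:
        validate(stmt)
    exempt = {(s.component, s.vuln_id) for s in vex
              if s.product == product and s.status == "not_affected"}
    findings = {}
    for component in sbom:
        for vuln_id in known_vulns.get(component, []):
            if (component, vuln_id) not in exempt:
                findings[vuln_id] = component
    return findings


# Constructed sample data for one downstream product.
SBOM = ["libfoo 1.2", "libbar 3.0", "libbaz 0.9"]
KNOWN_VULNS = {"libfoo 1.2": ["CVE-EXAMPLE-0001"],
               "libbar 3.0": ["CVE-EXAMPLE-0002", "CVE-EXAMPLE-0003"]}
VEX = [
    VexStatement("AcmeApp 5", "libfoo 1.2", "CVE-EXAMPLE-0001", "not_affected", "code_not_compiled_in"),
    VexStatement("AcmeApp 5", "libbar 3.0", "CVE-EXAMPLE-0002", "not_affected", "inline_mitigation_exists"),
    VexStatement("OtherApp 1", "libbar 3.0", "CVE-EXAMPLE-0003", "not_affected", "code_not_compiled_in"),
]

if __name__ == "__main__":
    print(actionable_findings("AcmeApp 5", SBOM, KNOWN_VULNS, VEX))
```

Without the two AcmeApp statements, all three findings would reach the consumer; with them, only CVE-EXAMPLE-0003 does, and the OtherApp statement is correctly ignored.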