A VEXing Question: Am I Affected or Not?

Presented at Blue Team Con 2022, Aug. 27, 2022, 12:50 p.m. (30 minutes)

With recent events like Log4Shell, more attention is being paid to software security and the underlying components used in developing software. SBOMs (Software Bill of Materials) are a great tool in uncovering vulnerabilities in software components, and aid software providers in becoming fully transparent about the components that comprise their software products. As SBOMs become more widespread, many security advisories released by organizations could contain "false positives," when the underlying component contains a vulnerability, but that vulnerability is not exploitable. A key idea at the intersection of security advisories and SBOM is the "Vulnerability Exploitability eXchange" (VEX). A VEX allows software providers to explicitly communicate that they are NOT affected by a vulnerability, and software users (e.g., network defenders, developers, and services providers) to reduce effort and resources spent in investigating non-exploitable vulnerabilities that do not affect a product. VEX provides a machine-readable approach to support automation to help software users understand, am I affected or not?

This talk will give a brief overview of the SBOM concept and review the challenge of understanding when a vulnerability actually affects a product. We’ll discuss the implementation of VEX in current standards, highlight future directions, and conclude with a call for participants to get involved.


  • Allan Friedman - Senior Advisor and Strategist, Cybersecurity and Infrastructure Security Agency (CISA)   as Dr. Allan Friedman
    Allan Friedman is a Senior Advisor and Strategist at the Cybersecurity and Infrastructure Security Agency in the US Government. He coordinates the global cross-sector community efforts around software bill of materials (SBOM), and works to advance its adoption inside the US government. He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Prior to joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard’s Computer Science department, the Brookings Institution, and George Washington University’s Engineering School. He is the co-author of the popular text “Cybersecurity and Cyberwar: What Everyone Needs to Know,” has a degree in computer science from Swarthmore College and a PhD in public policy from Harvard University. He is quite friendly for a failed-professor-turned-technocrat.
  • Justin Murphy - Vulnerability Disclosure Analyst, Cybersecurity and Infrastructure Security Agency (CISA)
    Justin Murphy is a Vulnerability Disclosure Analyst with the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), medical devices, Internet of Things (IoT), and traditional information technology (IT) vulnerabilities. He also assists Dr. Allan Friedman in coordinating the global, multi-stakeholder community-led efforts around software bill of materials (SBOM), and other Technology Assurance related projects at CISA. Justin is a former high school mathematics teacher turned cybersecurity professional and has a M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).

Similar Presentations: