As more attention is paid to security and to the underlying components used in developing software, more organizations will be sending out security advisories. As SBOMs become more widespread, many of these advisories will in practice be "false positives": the vulnerable component is present in the product, but the vulnerability is not exploitable in the way that product uses it. Organizations developing and using software will thus face an increasing amount of information to process and prioritize if they want to address the constantly evolving risk...
By: Allan Friedman & Thomas Schmidt
Full Abstract & Presentation Materials:
blackhat.com/us-21/briefings/schedule/#your-software-isnot-vulnerable-csaf-vex-and-the-future-of-advisories-23707
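The abstract above describes the problem VEX is meant to solve: a scanner matches an SBOM component against an advisory, and the supplier needs a machine-readable way to say "present but not affected" so the consumer can drop the finding. The following Python is an added illustration written for this page, not code from the talk, from CISA, or from the CSAF project. It applies a VEX document to SBOM-derived matches using a minimal subset of the CSAF 2.0 VEX profile field names (`document.category`, `product_tree.full_product_names[].product_id`, `vulnerabilities[].cve`, `vulnerabilities[].product_status`, `vulnerabilities[].flags`); the SBOM, the advisory feed and the VEX document are all constructed inline, and the CVE numbers are placeholders rather than real vulnerability records. The `no_statement` label and the `ACTIONABLE` set are this example's own conventions, not part of CSAF.

```python
"""Added example: apply a CSAF VEX document to SBOM-derived vulnerability matches.
All inputs below are constructed for illustration; CVE ids are placeholders."""

# Constructed SBOM: a flattened component list, not a full CycloneDX/SPDX file.
SBOM = {
    "product_id": "CSAFPID-0001",          # id the supplier's VEX uses for this product
    "name": "example-app 2.3.0",
    "components": [
        {"purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"purl": "pkg:npm/lodash@4.17.20"},
        {"purl": "pkg:pypi/requests@2.25.1"},
    ],
}

# Constructed "advisory feed": what a scanner flags per component purl.
COMPONENT_ADVISORIES = [
    {"cve": "CVE-0000-0001", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"cve": "CVE-0000-0002", "purl": "pkg:npm/lodash@4.17.20"},
    {"cve": "CVE-0000-0003", "purl": "pkg:pypi/requests@2.25.1"},
    {"cve": "CVE-0000-0004", "purl": "pkg:pypi/requests@2.25.1"},
]

# Constructed supplier VEX using a subset of CSAF 2.0 VEX profile fields.
VEX = {
    "document": {"category": "csaf_vex", "title": "example-app VEX (constructed)"},
    "product_tree": {
        "full_product_names": [{"product_id": "CSAFPID-0001", "name": "example-app 2.3.0"}]
    },
    "vulnerabilities": [
        {   # component present, vulnerable code never reached in this product
            "cve": "CVE-0000-0001",
            "product_status": {"known_not_affected": ["CSAFPID-0001"]},
            "flags": [{"label": "vulnerable_code_not_in_execute_path",
                       "product_ids": ["CSAFPID-0001"]}],
        },
        {"cve": "CVE-0000-0002", "product_status": {"known_affected": ["CSAFPID-0001"]}},
        {"cve": "CVE-0000-0003", "product_status": {"fixed": ["CSAFPID-0001"]}},
        # CVE-0000-0004 has no statement yet: it must stay on the worklist.
    ],
}

# CSAF VEX product_status keys, checked most-urgent first. "no_statement" is
# this example's own label for "the VEX says nothing about this CVE/product".
STATUS_KEYS = ("known_affected", "under_investigation", "fixed", "known_not_affected")
ACTIONABLE = {"known_affected", "under_investigation", "no_statement"}


def matched_advisories(sbom, advisories):
    """Scanner view: every advisory whose purl appears in the SBOM."""
    present = {c["purl"] for c in sbom["components"]}
    return [a for a in advisories if a["purl"] in present]


def vex_status(vex, cve, product_id):
    """(status, justification) the VEX gives for this CVE on this product."""
    if vex["document"].get("category") != "csaf_vex":
        raise ValueError("not a CSAF VEX document")
    known = {p["product_id"] for p in vex["product_tree"]["full_product_names"]}
    if product_id not in known:               # VEX is about some other product
        return "no_statement", None
    for vuln in vex["vulnerabilities"]:
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        for key in STATUS_KEYS:
            if product_id in status.get(key, []):
                justification = next((f["label"] for f in vuln.get("flags", [])
                                      if product_id in f.get("product_ids", [])), None)
                return key, justification
    return "no_statement", None


def triage(sbom, advisories, vex):
    """{cve: (status, justification)} for every component-level match."""
    return {a["cve"]: vex_status(vex, a["cve"], sbom["product_id"])
            for a in matched_advisories(sbom, advisories)}


def worklist(sbom, advisories, vex):
    """CVEs that still need attention after the VEX has been applied."""
    return sorted(cve for cve, (status, _) in triage(sbom, advisories, vex).items()
                  if status in ACTIONABLE)


if __name__ == "__main__":
    for cve, (status, why) in triage(SBOM, COMPONENT_ADVISORIES, VEX).items():
        print(f"{cve}: {status}" + (f" ({why})" if why else ""))
    print("worklist:", worklist(SBOM, COMPONENT_ADVISORIES, VEX))
```

Of the four scanner hits, only two survive triage: the one the supplier marks `known_affected` and the one the VEX is silent about. The `known_not_affected` entry carries its justification flag, which is what an auditor will ask for when a finding is suppressed. Two caveats a practitioner should keep: the script trusts the VEX document as given, so provenance (who signed it, whether it is the supplier's current version) has to be verified before its `known_not_affected` claims are allowed to close findings, and a VEX that names a different `product_id` than the one in your SBOM says nothing about your product, which is why the code falls back to `no_statement` rather than guessing.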
- Your Software IS/NOT Vulnerable: CSAF, VEX, and the Future of Advisories
- IATC - Your critical system IS (NOT) vulnerable: CSAF, VEX, SBOM and the future of advisories
- BSidesRDU 2022 - SBOM + VEX + CSAF = The Future of Vulnerability Management - Panel
- CSAF/VEX: Improved Security Data
- VEXed by Vulnerabilities That Don't Affect Your Product Try This!
- Panel Discussion: Don’t be Vexed by VEX - VEXperts Panel
- CSAF-VEX Demo by CISA: Enhancing Cyber Resilience
- CSAF, Not SBOM, Is The Solution
- Using NTIA’s VEX To Tame The Vulnerability Tsunami
- CVE JSON 5.0 Experiences
- VEXing Open Source Security: Vulnerability Data for Everything - Andrew Martin & Andres Vega
- VEX Overview - Allan Friedman PhD, Cybersecurity and Infrastructure Security Agency
- CSAF - the Magic Potion for Vulnerability Handling in Industrial Environments
- CS2AI Symposium: Securing the Software Supply Chain - Forging an Unbreakable Chain April 6 2022
- Using CSAF to Respond to Supply Chain Vulnerabilities at Large Scale