API World + CloudX + Dev Innovation Summit 2024

Cortez Frazier Jr., FOSSA, Principal Product Manager

If you work in vulnerability management or DevSecOps programs, you’re probably familiar with the painful condition known as CVE overload. Each year, tens of thousands of new vulnerabilities are reported, which causes stress and late nights for the teams tasked with remediating them.

And that’s not to mention the herculean tax of distinguishing between potential vulnerabilities and confirmed vulnerabilities. The reality that most vulnerabilities are only potentially exploitable (as determined by the deployed context of each package) also means remediation often results in a lot of wasted time and effort.

A proposed solution is VEX (Vulnerability Exploitability eXchange): a set of formats that communicates vulnerability impact status, whether a vulnerability is exploitable in its deployed context, and mitigation steps. In theory, VEX (when used alongside other prioritization inputs) makes it possible to remediate more efficiently. But as with most security frameworks, efficacy depends on proper implementation.

This talk will cover five steps to leveraging VEX throughout the vulnerability remediation lifecycle, from the time a vulnerability is disclosed to the time you publish and distribute a VEX statement. We’ll cover the tools and workflows teams need to know to effectively use VEX in their organizations.