SBOMs and VEX: what they are and what the difference is (software bill of materials)

A software bill of materials, or SBOM, has become a crucial part of security and of understanding the composition of our software.

Video Transcript

Yeah, one of the big pieces that we think about a lot is, you know, what are the components in that software supply chain, and that's something that you're tackling as well. I mean, that's part of the trust ladder there, and you're right, security is like, well, we have to make sure we know what's in it, we have to make sure we know what breaks, all the implications there. But the big term we heard over the last year is SBOMs, and SBOMs in and of themselves are just grocery lists or laundry lists of ingredients, but that's leading to, and that's what I've always heard, leading to the next evolutionary step, which is VEX. And that's something I see you all helping with out there. So for those of us at home, why don't you give us your definition of VEX and why people need to care?

Yeah, and I'll double down on what you said first about SBOM, which is: usually, as an enterprise, you receive this kind of opaque installer, and you really don't know what's in there unless, one, you ask, and two, the vendor is going to tell you what's in there. And from a security perspective you're wondering: can I scan it, does it have vulnerabilities, when was it last updated, what versions of this? You might have legal implications, like I can't use certain crypto algorithms that aren't exportable, things like that. It just all comes to you as this big giant opaque blob, if you would. And like you said, SBOM is kind of like the recipe, all the contents that are in this blob, to let you know you're using this software with this version. Fantastic, right? And so that kind of solves the first problem of: now I know what I'm running.

And then along comes, you guessed it, a vulnerability, because they happen and they get released every day. And from a security perspective we then begin to ask ourselves, within my giant enterprise, am I vulnerable to this one CVE that was announced today? And so you begin to look at: where's all my software? Okay, now you found your software, now I need to ask, is that piece of software vulnerable to it? If you're lucky you have an SBOM, and the SBOM could provide you version and software, and you can kind of match on it from a human perspective and say safe, not safe, kind of thing. What VEX does is it helps you solve that and bring that time down significantly through machine-readable packages, if you would.

Essentially, what VEX is, and while it works well with SBOM it doesn't necessarily have to work with SBOM, it is a document in machine-readable format that says: piece of software, version, and then status. And status is usually things like "I attest to I am vulnerable," or "I can't attest to I'm not vulnerable," or "not reachable" could be another status, like, yeah, I'm running that vulnerable software that's affected, but there's no way anybody could reach it or execute it, so you should be aware it's there, but it's kind of safe in a way. And that really helps bring down that time to discovery to the time to action incredibly.

The other great thing about VEX is that it's not a one-time thing, meaning you can deliver your VEX for your product that says, yes, maybe I am vulnerable, and then once you patch it you can update it, and then there's this history that says: was vulnerable, now not vulnerable, and to fix it you need to upgrade to this version over here. So like I said, it's just not a one-time thing.

I'm really looking forward to VEX being more widely adopted. I think it's going to take a while; certainly SBOM's been around for a number of years and it hasn't been hugely adopted. And so today, OpenVEX is one project that's out there, which is probably the most popular use of VEX, and there really still isn't a lot of people using it. But from the Replicated perspective, if we can help our vendors create and publish SBOMs as well as VEX, then we've really helped them deliver what we were just talking about: a better sense of trust with their enterprise customers. Hopefully that helps; it's kind of glanced over a lot of what VEX is.

Yeah.
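The guest describes a VEX document as "piece of software, version, status" that a vendor updates over time and that a machine can match against an SBOM. The following is an added example, not code from the video or from any project mentioned in it: a constructed SBOM excerpt and a VEX document laid out like OpenVEX JSON (the layout, the package URLs and the CVE ids are assumptions and placeholders), plus a function that answers "am I affected?" by taking the newest statement that matches what the SBOM says is deployed.

```python
import json

# Constructed SBOM excerpt (not a real product): package URL -> deployed version.
SBOM = {"pkg:golang/example.com/libfoo": "1.4.2", "pkg:npm/example-leftpad": "1.0.0"}

# Constructed VEX document laid out like OpenVEX JSON (an assumption); CVE ids are
# placeholders. Statements 1-2 show the vendor updating its claim about libfoo 1.4.2
# over time, 3 is the fix shipped in 1.4.3, 4 is a "not reachable" not_affected claim.
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "author": "Example Vendor (constructed)",
  "timestamp": "2024-05-01T00:00:00Z",
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "timestamp": "2024-03-15T00:00:00Z",
     "products": [{"@id": "pkg:golang/example.com/libfoo@1.4.2"}],
     "status": "under_investigation"},
    {"vulnerability": {"name": "CVE-0000-0001"}, "timestamp": "2024-04-01T00:00:00Z",
     "products": [{"@id": "pkg:golang/example.com/libfoo@1.4.2"}],
     "status": "affected", "action_statement": "Upgrade to libfoo 1.4.3"},
    {"vulnerability": {"name": "CVE-0000-0001"},
     "products": [{"@id": "pkg:golang/example.com/libfoo@1.4.3"}], "status": "fixed"},
    {"vulnerability": {"name": "CVE-0000-0002"},
     "products": [{"@id": "pkg:npm/example-leftpad@1.0.0"}], "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"}
  ]
}""")


def assess(sbom: dict, vex: dict, cve: str) -> dict:
    """Newest VEX statement whose product (purl@version) matches an SBOM entry.
    No match: the SBOM alone cannot answer and a human has to triage the CVE."""
    best = None
    for st in vex["statements"]:
        if st["vulnerability"]["name"] != cve:
            continue
        # A statement without its own timestamp inherits the document's.
        when = st.get("timestamp", vex["timestamp"])
        for prod in st["products"]:
            name, _, version = prod["@id"].rpartition("@")
            if sbom.get(name) != version:
                continue
            # ISO-8601 UTC strings compare correctly as plain strings.
            if best is None or when > best["when"]:
                best = {"when": when, "product": prod["@id"], "status": st["status"],
                        "justification": st.get("justification"),
                        "action": st.get("action_statement")}
    return best or {"status": "no_vex_statement", "product": None}
```

Running `assess` for CVE-0000-0001 against the SBOM above returns the "affected" statement with its upgrade action; swapping libfoo's version to 1.4.3 in the SBOM makes the same call return "fixed", which is the "was vulnerable, now not vulnerable" history the guest describes.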