More than a year ago, the NTIA Software Component Transparency Initiative came to the realization that there was a need for another new type of document, somewhat related to software bills of materials (SBOMs) but serving a different purpose. The initial name for the document was VEX, an acronym for Vulnerability Exploitability eXchange; this name has stuck. I’ve written two posts about this document, the more readable (and recent) of which is this one.
I’ll let you read the previous post, but my purpose now is to describe why I’ve come to believe that VEXes might end up having as big an impact on software supply chain security as SBOMs, perhaps even more. The NTIA workgroup that’s been working on VEX has so far finished just one document – a one-pager – that describes VEX. It will be published this week (and will be available here). More documents will follow later, and I’m sure I’ll have more blog posts.
You may be wondering what the h___ the workgroup has been doing for a year, if all they’ve been able to accomplish is developing a one-page document. 90% of our work (I’ve been part of that workgroup) has been developing the format for VEX, and working with the OASIS Common Security Advisory Framework (CSAF) project to incorporate VEX as a “profile” within CSAF 2.0. CSAF 2.0 in an “official draft” status, meaning it’s completed the first of two or three steps required for it to be approved as an international standard. It will replace the existing CVRF format, which was developed by the same group. The German government is very involved with this project and intends to approve it as the official standard for vulnerability reporting in Germany (probably other European governments will do that as well).
That work is now done, so that a VEX will simply be a special case of a CSAF document. The purpose of “piggybacking” off an existing standard was to avoid (whenever possible) creating new formats. The NTIA initiative hasn’t created its own SBOM format, either. Instead, they have identified three existing SBOM formats – SPDX, CycloneDX and SWID – as equally worthy of consideration for a software supplier starting to produce their own SBOMs. In fact, last week SPDX was approved as an ISO standard; yet the three formats are different enough – and equally robust – that a supplier should consider all three before they choose one (and a supplier can certainly produce SBOMs in multiple formats. There’s no need to stick to one).
Now that the format is settled, the VEX workgroup is starting to turn its attention to use cases and “rules of the road” for VEX. It turns out that, as I’ve delved further into these issues, I’ve come to realize that VEX isn’t just an adjunct document for SBOMs; it could come to be a key element of software supply chain security in its own right, as important as SBOMs themselves. Why do I say this? I’m glad you asked. Here’s some of what I’ve come to realize recently, although there’s much more that can be said.
Since the average software product has over 100 components (some have thousands), and since 90% of the average product consists of components, this means that vulnerabilities are far more likely to be identified in components of a software product than they are in the product itself. However, when you search for a product in the NVD, you will just see vulnerabilities that have been reported for the product itself, not vulnerabilities that are found in components of the product - since the NVD doesn't have an SBOM to tell it what those components are.
That’s the bad news. The good news is that, for various reasons, the majority – and perhaps the great majority - of these component vulnerabilities aren’t actually exploitable in the product itself. That is a good thing, but it does make it likely that a lot of time will be wasted by suppliers and software users, responding to false positive reports of component vulnerabilities.
The solution to this problem is for suppliers to issue notices to their customers that essentially say “Even though CVE Y is found in component X, and component X is included in our product, CVE Y isn’t in fact exploitable in our product.” This might be because the supplier has already patched that vulnerability, but it could also be for various technical reasons. However, these notices need to be machine-readable, just as SBOMs need to be. That way, they can be fed into automated tools for vulnerability and configuration management, rather than have a burdensome manual process in between the VEX (or the SBOM) and the tool.
Every security person is used to receiving notices from software suppliers about vulnerabilities that are found in their products (or “exploitable in their products”); I call these positive software vulnerability notifications. However, the VEX can be thought of as a negative vulnerability notification, since it says that a vulnerability isn’t found in the supplier’s product.
Did VEX invent the idea of negative notifications? Not at all. Suppliers have been notifying users of non-exploitable vulnerabilities for years. The biggest example of this is patch notices: They say that if the user applies a patch to the software they’re running (or they download the current patched version), one or more vulnerabilities that were previously exploitable in the product will no longer be exploitable.
However, it is very likely that the number of VEXes will be overwhelming, far more than the number of patch notices currently put out. For example, since the average software product has 135 components, let’s say that each of these has a 1% chance of developing a vulnerability during any year; let’s also assume that the supplier’s own code in the product (which is actually called the “principal component” by the NTIA initiative) has a 1% chance of developing a vulnerability.
Since only the latter vulnerabilities are likely to appear in the NVD, this means that the NVD could be assumed to list only 1/136 of the total vulnerabilities that are found in the product – if you don’t take into account the fact that the majority of these vulnerabilities are unexploitable. If 90% of component vulnerabilities are unexploitable, this means that, once suppliers are regularly providing SBOMS (which means users will start looking up component vulnerabilities in the NVD), they will want to issue at least 120 VEXes every year, for every vulnerability identified for their product in the NVD. In fact, the number of VEXes per year is likely to be much larger than this, since my guess is more than one vulnerability is identified every year for the average software product.
However, a software product could easily have thousands of components (and some do, including products used every day by corporate and government users), at which point these numbers become huge. If a product has 5,000 components, this means there will be 5,000 component vulnerabilities identified every year, per my assumption. Since 90% of these won’t be exploitable and will need a VEX to state that fact, this means that the supplier of this product will have to issue at least 4,500 VEXes every year for the product.
This is of course a big number, but this explains why VEXes have to be machine readable. A user can receive SBOMs in a human-readable format (usually CSV or XLS files), but trying to keep track of VEXes will probably overwhelm – in a few years, not immediately – any manual effort to do that. However, it will be quite possible to track all VEXes, and to match them to a database of product components, through automated means.
And my feeling is that, once the tooling (or third party services) is developed to process VEXes, other types of negative software vulnerability notifications – especially patch notifications – will also move to the VEX format. Moreover, since VEXes can easily provide notification that a vulnerability is exploitable in a particular product, it seems to me that, in the not-too-distant future, those positive notifications will also move to VEX (right now, they’re mostly not machine-readable, and they’re provided in proprietary formats particular to each supplier. Note that suppliers will still be free to issue those advisories, even when they start providing positive VEX notices of exploitable vulnerabilities, since a lot of users will still want to have an advisory that they can read).
In other words, VEX is coming. And it might turn out to be an oncoming train. You should start thinking about how your organization might jump aboard.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Technology and Information Administration’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at firstname.lastname@example.org.