To say there is confusion about what
constitutes VEX
is a big understatement. Conservatively, I’d say upwards of 95% of what’s been
written about VEX, or discussed in webinars or live presentations, is wrong or
misleading; this includes a lot of what I’ve written.
However, I’m not alleging this is
due to some vast conspiracy to bamboozle the cybersecurity community. Nobody
making these wrong or misleading statements is acting in anything other than
good faith. But good faith doesn’t make those statements correct.
There are two primary reasons for
this situation:
1.
The VEX working group,
which started under the NTIA
in 2020 and continued under CISA this year, has only published two documents on
VEX. These can both be found at cisa.gov/sbom[i]. While these are both
good, neither one attempts to provide a definitive definition or description of
VEX.
2.
More importantly, almost
all of the false or misleading statements were based on expectations – really,
hopes – for events we all thought would occur, but which in fact didn’t. Yet as often
happens, the words didn’t change nearly as quickly as events on the ground.
This is why statements that were neither wrong nor right when they were made
are now wrong. It is also why people whose knowledge of VEX is based on those
erroneous statements make more erroneous statements, in classic
whisper-down-the-lane fashion.
Because of this situation, VEX
documents – which many people believe to be in wide production and use at this
time – are neither being produced nor used, to the best of my knowledge. How
could this be otherwise, given that no parties interested in producing or using
VEXes could possibly understand how to do either?
Since the human race has existed for approximately 200,000 years without VEX documents, the fact that this situation isn’t changing currently might not be considered high tragedy. However, the VEX idea came about because of an important realization: Software bills of materials (SBOMs) will never be widely produced or used until VEXes are also produced and used. No VEXes means (almost) no SBOMs. It’s literally that simple.
Thus, if we want to have SBOMs, we have to figure out a way to have
VEXes. Or at least we have to figure out how to have the information
that we’ve been thinking (erroneously, I now believe) needs to be delivered in
VEX documents.
How this situation came about and
how it might be remediated are the subjects of a web
event I’ll be participating in on November 30 at 10AM Eastern Time. It’s
sponsored by Scribe Security. I hope
you can join in!
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
[i] The
NTIA published a one-page document in 2021, which I originally drafted. It is
out of date and should be ignored.
No comments:
Post a Comment