Thursday, November 17, 2022

VEX without the puns


To say there is confusion about what constitutes VEX is a big understatement. Conservatively, I’d say upwards of 95% of what’s been written about VEX, or discussed in webinars or live presentations, is wrong or misleading; this includes a lot of what I’ve written.

However, I’m not alleging this is due to some vast conspiracy to bamboozle the cybersecurity community. Nobody making these wrong or misleading statements is acting in anything other than good faith. But good faith doesn’t make those statements correct.

There are two primary reasons for this situation:

1.      The VEX working group, which started under the NTIA in 2020 and continued under CISA this year, has only published two documents on VEX. These can both be found at cisa.gov/sbom[i]. While these are both good, neither one attempts to provide a definitive definition or description of VEX.

2.      More importantly, almost all of the false or misleading statements were based on expectations – really, hopes – for events we all thought would occur, but which in fact didn’t. Yet as often happens, the words didn’t change nearly as quickly as events on the ground. This is why statements that were neither wrong nor right when they were made are now wrong. It is also why people whose knowledge of VEX is based on those erroneous statements make more erroneous statements, in classic whisper-down-the-lane fashion.

Because of this situation, VEX documents – which many people believe to be in wide production and use at this time – are neither being produced nor used, to the best of my knowledge. How could this be otherwise, given that no parties interested in producing or using VEXes could possibly understand how to do either?

Since the human race has existed for approximately 200,000 years without VEX documents, the fact that this situation isn’t changing currently might not be considered high tragedy. However, the VEX idea came about because of an important realization: Software bills of materials (SBOMs) will never be widely produced or used until VEXes are also produced and used. No VEXes means (almost) no SBOMs. It’s literally that simple. 

Thus, if we want to have SBOMs, we have to figure out a way to have VEXes. Or at least we have to figure out how to have the information that we’ve been thinking (erroneously, I now believe) needs to be delivered in VEX documents.

How this situation came about and how it might be remediated are the subjects of a web event I’ll be participating in on November 30 at 10AM Eastern Time. It’s sponsored by Scribe Security. I hope you can join in!

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] The NTIA published a one-page document in 2021, which I originally drafted. It is out of date and should be ignored.

No comments:

Post a Comment