CVEs are one of the most valuable tools for determining risk, but they have significant usability issues. Just because you are "vulnerable" to a CVE does not mean you are "affected" by the vulnerability. Small development teams can usually mitigate the risk by having a team member analyze the impact. However, this noise can overwhelm you if you're running a large-scale vulnerability management program with diverse vendors. The lack of context in a CVE directly impacts your capability to rank vulnerabilities and respond to them efficiently. Enter VEX, the Vulnerability-Exploitability eXchange. In this talk, we will cover what VEX is. We will cover how it integrates with SBOMs, and how it can become a critical capability of your Zero Trust infrastructure. If you're a consumer, you can use it to help determine the risk of a vulnerability and how to mitigate the vulnerability with computer-assisted tooling. If you're a vendor, you can use it to communicate actionable information to customers effectively.
Click here to view captioning/translation in the MeetingPlay platform!
