Welcome to the interactive agenda for SecurityWeek’s ICS 2022 ICS Cyber Security Conference.
Wednesday, October 26 • 2:00pm - 2:30pm
Using VEX to Prioritize Vulnerabilities That Matter

Software Bill of Materials (SBOMs) are now recognized as a key component in software supply chain risk management. Executive Order 14028 has mandated them for doing business with the federal government, and critical industries are increasingly adopting this position as well. Unfortunately, SBOMs can result in a significant number of false positive vulnerability reports, creating too much work for too few security experts.

Not every vulnerability merits panic. Just because a vulnerability is reported for a software component doesn't mean the vulnerability is actually exploitable.

The Cybersecurity and Infrastructure Security Agency (CISA) and the German Cybersecurity and Infrastructure Security Agency (BSI) have developed VEX (Vulnerability Exploitability eXchange) to address this issue. VEX documents allow vendors to preemptively assess the exploitability of vulnerabilities and issue a standardized, machine-readable document that states whether or not their products are “affected” by one or more known component vulnerabilities.
VEX helps vendors communicate efficiently with their customers and prevents organizations from wasting valuable time fruitlessly searching for and patching vulnerabilities in components that are perfectly safe.

This talk will present the results of a supplier of mission-critical ICS equipment using VEX documents to swiftly address customer concerns regarding the high-profile Log4j vulnerability. It will also cover the structure of VEX documents and the standardized formats available for them. VEX is still in its early days, and there is still work to be done on the processing of VEX documents. But the industry needs to understand and be ready for VEX if it is to get vulnerability management under control.

The discussion of the results of this project will be valuable to both end-users and vendors considering implementing VEX to improve and streamline their security processes.
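The consumer-side workflow the abstract describes, as an added example (not code from the talk or from aDolus): SBOM scanner matches are filtered through a vendor's VEX statements so only items that still need action reach the security team. The document layout is a simplified constructed one rather than the CSAF VEX profile, the CVE ids and product names are placeholders, and the status and justification vocabulary follows CISA's published VEX status and justification lists.

```python
"""Prioritize SBOM-derived vulnerability matches using vendor VEX statements.

Constructed example: the VEX layout is a simplified illustration, not the
official CSAF VEX profile; CVE ids and product names are placeholders.
"""
from dataclasses import dataclass

# CISA VEX status values and the action a consumer takes for each one.
ACTION_BY_STATUS = {
    "affected": "patch",              # vendor confirms exploitability: remediate
    "fixed": "verify_version",        # confirm the deployed build carries the fix
    "under_investigation": "monitor", # vendor has not decided yet: watch for updates
    "not_affected": "ignore",         # component present but not exploitable
}

@dataclass(frozen=True)
class Match:
    product: str
    component: str
    vuln_id: str

# Constructed SBOM scan output: (product, component, CVE) triples a scanner flagged.
SBOM_MATCHES = [
    Match("ics-controller-fw", "log4j-core", "CVE-0000-0001"),
    Match("ics-controller-fw", "log4j-core", "CVE-0000-0002"),
    Match("ics-controller-fw", "openssl", "CVE-0000-0003"),
    Match("ics-hmi", "log4j-core", "CVE-0000-0001"),
]

# Constructed vendor VEX document: one statement per (vulnerability, product).
VEX_STATEMENTS = [
    {"vuln_id": "CVE-0000-0001", "product": "ics-controller-fw",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vuln_id": "CVE-0000-0002", "product": "ics-controller-fw",
     "status": "affected", "action": "upgrade to firmware 4.2"},
    {"vuln_id": "CVE-0000-0001", "product": "ics-hmi", "status": "under_investigation"},
]

def prioritize(matches, statements):
    """Bucket scanner matches by the action the VEX statements imply."""
    index = {(s["vuln_id"], s["product"]): s for s in statements}
    queue = {a: [] for a in ("patch", "verify_version", "monitor", "review", "ignore")}
    for m in matches:
        stmt = index.get((m.vuln_id, m.product))
        if stmt is None:
            queue["review"].append(m)  # no VEX coverage: triage manually
        elif stmt["status"] == "not_affected" and not stmt.get("justification"):
            queue["review"].append(m)  # not_affected without a justification is not trusted
        else:
            queue[ACTION_BY_STATUS.get(stmt["status"], "review")].append(m)
    return queue
```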


Speakers
Eric Byres

Chief Technology Officer, aDolus Technology
Eric Byres, the Chief Technology Officer at aDolus Technology Inc., is widely recognized as one of the world’s leading experts in the field of Operational Technology (OT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed OT-specific...


Wednesday October 26, 2022 2:00pm - 2:30pm EDT
Windsor DE