Weaving a VEX Feed Through the Kubernetes Project - Adolfo García Veytia, Stacklok


Abstract

Vulnerability triaging is an expensive process, often plagued with false positives that cause organizations to waste thousands of dollars in engineering time handling and suppressing them to conform with compliance frameworks. Here to the rescue comes VEX, the Vulnerability Exploitability eXchange: a new metadata format, designed as a companion to SBOMs, that communicates the impact of a vulnerability on a piece of software. False positives come in many forms: from vulnerabilities found in other platforms, to non-exploitable code paths, to simple mitigations pre-applied to artifacts. Using VEX, software authors can communicate downstream that software is safe to use despite security scanners going brrrr. In this talk, we dive into VEX, explore the new Kubernetes VEX feed instrumented through collaboration from SIG Release, the Security Response Committee and SIG Security to understand the source of the data, how to use it, and do some cool demos with real vulnerability scanners!
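As an added illustration of the consumer side the abstract describes (not code from the talk, the Kubernetes project, or the feed itself), the script below takes a constructed OpenVEX document and a constructed list of scanner findings, keeps only the newest statement per vulnerability/product pair, and suppresses a finding only when that statement says `fixed`, or `not_affected` with the justification OpenVEX requires. The purls, CVE ids and document id are placeholders.

```python
import json
from datetime import datetime

# Constructed OpenVEX document (placeholder ids, not data from the Kubernetes VEX feed).
APP = "pkg:golang/example.com/app@v1.0.0"
VEX_DOC = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.com/vex/placeholder-001",
  "author": "constructed example vendor",
  "timestamp": "2024-01-10T00:00:00Z", "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": "%s"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "%s"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "%s"}],
     "status": "under_investigation", "timestamp": "2024-01-05T00:00:00Z"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": "%s"}],
     "status": "fixed", "timestamp": "2024-01-12T00:00:00Z"}
  ]}""" % (APP, APP, APP, APP))

# Constructed scanner output: (vulnerability id, product purl) pairs.
FINDINGS = [
    ("CVE-0000-0001", APP),  # not_affected with a justification: suppressed
    ("CVE-0000-0002", APP),  # not_affected but unjustified: kept visible
    ("CVE-0000-0003", APP),  # newest statement says fixed: suppressed
    ("CVE-0000-0004", APP),  # no statement at all: kept visible
    ("CVE-0000-0001", "pkg:golang/example.com/other@v2.0.0"),  # different product: kept
]

def latest_statements(doc):
    """Index statements by (vuln, product); the newest timestamp wins, statement
    timestamp falling back to the document timestamp as OpenVEX specifies."""
    index = {}
    for stmt in doc["statements"]:
        raw = stmt.get("timestamp", doc["timestamp"]).replace("Z", "+00:00")
        ts = datetime.fromisoformat(raw)
        for product in stmt["products"]:
            key = (stmt["vulnerability"]["name"], product["@id"])
            if key not in index or ts > index[key][0]:
                index[key] = (ts, stmt)
    return {k: v[1] for k, v in index.items()}

def suppressed(stmt):
    """Only 'fixed', or 'not_affected' carrying a justification or impact_statement
    (OpenVEX requires one of them), may silence a finding."""
    status = stmt["status"]
    return status == "fixed" or (status == "not_affected" and bool(
        stmt.get("justification") or stmt.get("impact_statement")))

def filter_findings(findings, doc):
    index = latest_statements(doc)  # findings surviving VEX filtering, scanner order kept
    return [f for f in findings if not (f in index and suppressed(index[f]))]
```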
