1、#BHAS BlackHatEventsDetermining Exploitability of Vulnerabilities with SBOM and VEXAnusha PenumachaSrinija Kammari#BHAS BlackHatEventsCisco ConfidentialSoftware Composition AnalysisSoftware Bill Of MaterialsVulnerability Exploitability eXchange#BHAS BlackHatEventsCisco ConfidentialWhat is SBOM?A Sof
2、tware Bill of Materials(SBOM)is a detailed inventory that lists all open source,custom and third party dependencies used by a software product.Why is it important?By maintaining an accurate SBOM,organizations can gain insight into thecomposition of their software,allowing them to identify and remedi
3、ate vulnerabilitieseffectively.To be compliant with U.S Cybersecurity Executive Order 14028 which highlightsthat every enterprise that develops critical software should be providing a purchasera Software Bill of Materials(SBOM)for each product directly or by publishing it on apublic website#BHAS Bla
4、ckHatEventsCisco ConfidentialOur Open-Source Security Posture 2022#BHAS BlackHatEventsCisco ConfidentialOur Open-Source Security Posture 2022Self Service,developer friendlyShift left mechanism enabled developer ownership Difficult to gather org-wide inventoryNo holistic picture for Product Security#
5、BHAS BlackHatEventsCisco ConfidentialHere are some things we did before building telemetryBuilding Centralized scan platformBuilding Asset InventoryScalable centralized system for performing end-to-end operationsSource of Truth for the product(repositories/artifacts)#BHAS BlackHatEventsCisco Confide
6、ntialStep 1:Build an asset inventory+ownership mapping Executive Order for SBOM came in as an opportunity Emphasized the importance of asset inventory management Started mapping repos/artifacts towards products Need to build internal tooling to maintain this but necessary#BHAS BlackHatEventsCisco Co