
Determining Exploitability of Vulnerabilities with SBOM and VEX.pdf

Uploaded by: 竿***  ID: 981758  2025-11-29  34 pages  2.52MB

#BHAS BlackHatEvents (Cisco Confidential)

Determining Exploitability of Vulnerabilities with SBOM and VEX
Anusha Penumacha, Srinija Kammari

- Software Composition Analysis
- Software Bill Of Materials
- Vulnerability Exploitability eXchange

What is SBOM?
A Software Bill of Materials (SBOM) is a detailed inventory that lists all open source, custom and third-party dependencies used by a software product.

Why is it important?
- By maintaining an accurate SBOM, organizations can gain insight into the composition of their software, allowing them to identify and remediate vulnerabilities effectively.
- To be compliant with U.S. Cybersecurity Executive Order 14028, which highlights that every enterprise that develops critical software should be providing a purchaser a Software Bill of Materials (SBOM) for each product, directly or by publishing it on a public website.

Our Open-Source Security Posture 2022
- Self service, developer friendly
- Shift-left mechanism enabled developer ownership
- Difficult to gather org-wide inventory
- No holistic picture for Product Security

Here are some things we did before building telemetry
- Building a centralized scan platform: a scalable centralized system for performing end-to-end operations
- Building an asset inventory: the source of truth for the product (repositories/artifacts)

Step 1: Build an asset inventory + ownership mapping
- The Executive Order for SBOM came in as an opportunity
- Emphasized the importance of asset inventory management
- Started mapping repos/artifacts towards products
- Need to build internal tooling to maintain this, but necessary

Based on the report's content, its main points are summarized as follows:
1. **Importance of SBOM**: An SBOM (Software Bill of Materials) is a detailed inventory of all dependencies in a software product; it is essential for identifying and remediating vulnerabilities and satisfies the requirements of U.S. Cybersecurity Executive Order 14028.
2. **Building an asset inventory**: By building an asset inventory and an ownership mapping, an organization can manage its software dependencies better, though scalability and maintenance cost have to be taken into account.
3. **Centralized system**: A centralized system simplifies scanning and reduces the involvement required from product teams, at the cost of less customization and delayed feedback.
4. **Vulnerability exploitability**: Exploitability is determined from public data, reachability analysis and developer feedback.
5. **Vulnerability Exploitability eXchange (VEX)**: VEX tracks remediation status by recording, per vulnerability, the product's impact status (such as not affected, affected, fixed).
6. **Handling the vulnerability flood**: VEX combined with tool feedback filters out the noise of non-actionable findings and improves the developer experience.
7. **Automated VEX generation**: Tooling and AI are used to generate VEX automatically, providing context-based auto-closure and smart insights.
8. **Open-source goal**: The plan is to open-source the VEX and tooling to promote transparency and community contribution.
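As an added illustration of points 4 to 7 above (this is example code written for this page, not code from the report or from the Cisco tooling it describes), the Python below derives VEX statements from per-finding evidence and then uses them to cut a scanner feed down to the findings that still need a developer. The SBOM, scanner findings, evidence, CVE ids and package names are all constructed placeholders; the VEX layout is a simplified OpenVEX-like structure, and the evidence field names (reachable, fixed_in_build, justification) are assumptions of this example rather than any tool's output.

```python
"""Derive VEX statements from evidence and filter a scanner feed with them.

Example code added for illustration. Formats are simplified: the SBOM is a
CycloneDX-like component list and the VEX document loosely follows OpenVEX.
All data below is constructed; the CVE ids and packages are placeholders.
"""
import json
from datetime import datetime, timezone

# VEX status values as defined in CISA's minimum requirements for VEX.
NOT_AFFECTED = "not_affected"
AFFECTED = "affected"
FIXED = "fixed"
UNDER_INVESTIGATION = "under_investigation"

# Constructed SBOM fragment: components identified by purl.
SBOM = {
    "components": [
        {"name": "libfoo", "version": "1.2.0", "purl": "pkg:npm/libfoo@1.2.0"},
        {"name": "libbar", "version": "3.0.1", "purl": "pkg:npm/libbar@3.0.1"},
        {"name": "libbaz", "version": "0.9.0", "purl": "pkg:npm/libbaz@0.9.0"},
    ]
}

# Constructed scanner output: each finding pairs a CVE with a purl.
FINDINGS = [
    {"cve": "CVE-0000-0001", "purl": "pkg:npm/libfoo@1.2.0", "severity": "critical"},
    {"cve": "CVE-0000-0002", "purl": "pkg:npm/libbar@3.0.1", "severity": "high"},
    {"cve": "CVE-0000-0003", "purl": "pkg:npm/libbaz@0.9.0", "severity": "high"},
    {"cve": "CVE-0000-0004", "purl": "pkg:npm/libqux@2.0.0", "severity": "medium"},  # not in SBOM
]

# Constructed evidence keyed by (cve, purl): reachability analysis results
# and developer feedback. Field names are assumptions of this example.
EVIDENCE = {
    ("CVE-0000-0001", "pkg:npm/libfoo@1.2.0"): {"reachable": True},
    ("CVE-0000-0002", "pkg:npm/libbar@3.0.1"): {
        "reachable": False, "justification": "vulnerable_code_not_in_execute_path"},
    ("CVE-0000-0003", "pkg:npm/libbaz@0.9.0"): {
        "fixed_in_build": True, "note": "backported patch applied"},
}


def derive_status(evidence):
    """Map a finding's evidence to a (VEX status, justification) pair."""
    if evidence is None:
        return UNDER_INVESTIGATION, None      # no data yet: keep it visible
    if evidence.get("fixed_in_build"):
        return FIXED, None                    # developer confirmed a fix
    if evidence.get("reachable") is True:
        return AFFECTED, None                 # vulnerable code is on a call path
    if evidence.get("reachable") is False:
        return NOT_AFFECTED, evidence.get("justification", "vulnerable_code_not_present")
    return UNDER_INVESTIGATION, None


def build_vex(sbom, findings, evidence, author="product-security"):
    """Emit one VEX statement per finding whose component is actually shipped."""
    known = {c["purl"] for c in sbom["components"]}
    statements = []
    for f in findings:
        if f["purl"] not in known:
            continue  # scanner matched something the SBOM does not list
        status, justification = derive_status(evidence.get((f["cve"], f["purl"])))
        stmt = {"vulnerability": {"name": f["cve"]},
                "products": [{"@id": f["purl"]}],
                "status": status}
        if justification:
            stmt["justification"] = justification  # required for not_affected
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0",
            "author": author,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "version": 1,
            "statements": statements}


def actionable(findings, vex):
    """Keep findings that are affected or unresolved; drop fixed / not_affected.

    A finding with no VEX statement at all (e.g. a component missing from the
    SBOM) is treated as under_investigation so inventory gaps stay visible.
    """
    index = {(s["vulnerability"]["name"], p["@id"]): s["status"]
             for s in vex["statements"] for p in s["products"]}
    return [f for f in findings
            if index.get((f["cve"], f["purl"]), UNDER_INVESTIGATION)
            in (AFFECTED, UNDER_INVESTIGATION)]


if __name__ == "__main__":
    doc = build_vex(SBOM, FINDINGS, EVIDENCE)
    print(json.dumps(doc, indent=2))
    for f in actionable(FINDINGS, doc):
        print("needs attention:", f["cve"], f["purl"], f["severity"])
```

The filter deliberately errs toward showing more: only an explicit `fixed` or `not_affected` verdict removes a finding, and a `not_affected` statement is only produced when the reachability result comes with a justification, which is what a downstream consumer of the VEX will want to see before trusting the suppression.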