VEXatious vulnerabilities: CVE management for the overwhelmed security engineer
For application security engineers, managing CVEs has become an overwhelming task due to the rising number of CVEs, inaccurate vulnerability scanners, and user demands for zero CVEs in dependencies. My talk aims to demonstrate how VEX documents can eliminate the time-consuming spreadsheet back-and-forths by programmatically expressing vulnerability applicability information. By showcasing a workflow and tools introduced for Cilium, I will illustrate how VEX documents enable automatic exclusion of non-applicable CVEs from scanners, distribute triage workload to knowledgeable teams, and generate documentation on vulnerability applicability. Real examples from Isovalent's use of VEX documents in our security workflow will support these points. I hope attendees will leave convinced of the benefits of generating and using VEX documentation to focus more on addressing real vulnerabilities.
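To make the "automatic exclusion" concrete, here is an added example (not code from the talk, from Cilium, or from Isovalent) of the mechanism a scanner or CI step would apply: an OpenVEX document is indexed by product and vulnerability, and each scanner finding is either suppressed because a matching statement says the product is `not_affected` or `fixed`, or kept because it is still under investigation, affected, or not covered by any statement. The VEX document, the scanner findings, the product identifiers (`example.invalid`) and the CVE names (`CVE-YYYY-000N`) are all constructed placeholders. The check that every `not_affected` statement carries a machine-readable justification is also part of the example, because a VEX document that merely asserts "not affected" without saying why reproduces the spreadsheet problem in JSON.

```python
import json

# Constructed OpenVEX document (placeholder data; not Cilium's or Isovalent's).
# The CVE names and the package URLs below are not real identifiers.
VEX_DOC = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-1",
    "author": "placeholder security team",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        {   # triage result: the vulnerable function is never reached
            "vulnerability": {"name": "CVE-YYYY-0001"},
            "products": [{"@id": "pkg:golang/example.invalid/app@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "impact_statement": "The affected function is not called by this product.",
        },
        {   # already patched in this release
            "vulnerability": {"name": "CVE-YYYY-0002"},
            "products": [{"@id": "pkg:golang/example.invalid/app@1.2.3"}],
            "status": "fixed",
        },
        {   # triage still open: the finding must stay visible
            "vulnerability": {"name": "CVE-YYYY-0003"},
            "products": [{"@id": "pkg:golang/example.invalid/app@1.2.3"}],
            "status": "under_investigation",
        },
    ],
}

APP = "pkg:golang/example.invalid/app@1.2.3"
OTHER = "pkg:golang/example.invalid/other@9.9.9"

# Constructed scanner output: one row per (vulnerability, scanned product).
SCAN_FINDINGS = [
    {"id": "CVE-YYYY-0001", "product": APP, "severity": "HIGH"},
    {"id": "CVE-YYYY-0002", "product": APP, "severity": "MEDIUM"},
    {"id": "CVE-YYYY-0003", "product": APP, "severity": "LOW"},
    {"id": "CVE-YYYY-0004", "product": APP, "severity": "CRITICAL"},   # no VEX statement at all
    {"id": "CVE-YYYY-0001", "product": OTHER, "severity": "HIGH"},     # statement covers a different product
]

# OpenVEX status values and the justification labels allowed for not_affected.
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
# Only these statuses justify hiding a finding from the scanner report.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def index_statements(vex_doc):
    """Validate the document and map (product id, CVE name) -> statement."""
    index = {}
    for stmt in vex_doc["statements"]:
        status = stmt.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown VEX status {status!r}")
        # A not_affected claim without a justification is unauditable; reject it.
        if status == "not_affected" and stmt.get("justification") not in VALID_JUSTIFICATIONS:
            raise ValueError(f"not_affected statement for {stmt['vulnerability']['name']} lacks a valid justification")
        for product in stmt["products"]:
            index[(product["@id"], stmt["vulnerability"]["name"])] = stmt
    return index


def filter_findings(findings, vex_doc):
    """Split scanner findings into those still actionable and those a VEX statement suppresses.

    A finding is suppressed only when a statement exists for the same product
    *and* the same vulnerability, and its status is not_affected or fixed.
    """
    index = index_statements(vex_doc)
    remaining, suppressed = [], []
    for finding in findings:
        stmt = index.get((finding["product"], finding["id"]))
        if stmt is not None and stmt["status"] in SUPPRESSING_STATUSES:
            suppressed.append({**finding, "vex_status": stmt["status"],
                               "justification": stmt.get("justification")})
        else:
            remaining.append(finding)
    return remaining, suppressed


def applicability_report(suppressed):
    """Render the suppressed findings as the documentation the abstract mentions."""
    return [f"{s['id']} on {s['product']}: {s['vex_status']}"
            + (f" ({s['justification']})" if s["justification"] else "")
            for s in suppressed]


if __name__ == "__main__":
    kept, dropped = filter_findings(SCAN_FINDINGS, VEX_DOC)
    print("still actionable:", json.dumps(kept, indent=2))
    print("\n".join(applicability_report(dropped)))
```

Two design points carry over to any real pipeline: matching is keyed on the product identifier as well as the CVE, so a statement written for one image or module cannot silently suppress the same CVE in another; and `under_investigation` and `affected` statements deliberately leave the finding in the report, so VEX only removes noise that a named team has actually triaged.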