2024-12-14, Rookie track 1
For application security engineers, managing CVEs has become an overwhelming task due to the rising number of CVEs, inaccurate vulnerability scanners, and user demands for zero CVEs in dependencies. My talk aims to demonstrate how VEX documents can eliminate the time-consuming spreadsheet back-and-forths by programmatically expressing vulnerability applicability information. By showcasing a workflow and tools introduced for Cilium, I will illustrate how VEX documents enable automatic exclusion of non-applicable CVEs from scanners, distribute triage workload to knowledgeable teams, and generate documentation on vulnerability applicability. Real examples from Isovalent's use of VEX documents in our security workflow will support these points. I hope attendees will leave convinced of the benefits of generating and using VEX documentation to focus more on addressing real vulnerabilities.
For application security engineers, CVE management has become a huge burden in recent years. Caught between the accelerating number of CVEs granted each year, vulnerability scanners that are unable to accurately identify applicability, and users who demand zero CVEs in dependencies, security engineers become spreadsheet engineers, devoting large amounts of time to explaining why the latest set of CVEs identified by a vulnerability scanner does not matter.
The aim of my talk is to highlight the potential of VEX documents to render these spreadsheet back-and-forths obsolete. At their core, VEX documents allow for the expression of vulnerability applicability information in a programmatic manner. By highlighting a workflow and related tooling that I have introduced for Cilium (the CNCF-graduated CNI for Kubernetes), I will show how using VEX documents gives security engineers:
- The ability to automatically exclude triaged results from vulnerability scanners (including popular scanners such as Grype and Trivy), reducing customer friction and allowing customer security teams to ‘self-service’ vulnerability applicability.
- The ability to spread the load of CVE triage onto the teams that know the most about the products that may be affected.
- The ability to automatically generate documentation regarding vulnerability applicability.
All of these points will be accompanied by real examples of how Isovalent, the company I work for and the creators of Cilium, use VEX documents in our daily security workflow.
By the end of my talk, I hope that attendees will leave convinced that they should be generating and consuming VEX documentation too, in order to minimise the amount of time we spend in spreadsheets, and maximise the amount of time that we spend hunting and fixing real vulnerabilities.
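The mechanism behind the three points above, as an added example that is not Cilium's or Isovalent's tooling and not code from the talk: a small consumer that reads an OpenVEX document, drops scanner findings the document marks as `not_affected` or `fixed` for the scanned product, and renders the suppressed findings as applicability documentation. The VEX document, the CVE identifiers, the purls and the scanner findings are all constructed placeholders; the simplified finding shape is an assumption (real Grype and Trivy JSON is richer). The example also covers two caveats a consumer should enforce: a statement about a different product never suppresses a finding, and a `not_affected` statement without a valid justification or impact statement is reported rather than trusted.

```python
"""Filter scanner findings through an OpenVEX document and emit applicability notes.

Added example; this is not Cilium's or Isovalent's tooling. The VEX document,
CVE identifiers, purls and scanner findings are constructed for illustration.
"""
import json

# A VEX statement with one of these statuses means the finding needs no action.
SUPPRESSING_STATUSES = {"not_affected", "fixed"}

# Machine-readable justifications defined by OpenVEX for a not_affected status.
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# The product the scanner looked at (constructed purl, not a real Cilium digest).
SCANNED_PRODUCT = "pkg:oci/cilium@sha256%3Aexample"

# Constructed OpenVEX document. CVE numbers are placeholders, not real advisories.
VEX_DOCUMENT = json.loads("""
{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "@id": "https://example.invalid/vex/cilium-example",
  "author": "Example Security Team",
  "timestamp": "2024-12-01T00:00:00Z",
  "version": 1,
  "statements": [
    {"vulnerability": {"name": "CVE-2000-0001"},
     "products": [{"@id": "pkg:oci/cilium@sha256%3Aexample"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path",
     "impact_statement": "The vulnerable function is never called by the agent."},
    {"vulnerability": {"name": "CVE-2000-0002"},
     "products": [{"@id": "pkg:oci/cilium@sha256%3Aexample"}],
     "status": "not_affected"},
    {"vulnerability": {"name": "CVE-2000-0003"},
     "products": [{"@id": "pkg:oci/other-image@sha256%3Aexample"}],
     "status": "not_affected",
     "justification": "component_not_present"},
    {"vulnerability": {"name": "CVE-2000-0004"},
     "products": [{"@id": "pkg:oci/cilium@sha256%3Aexample"}],
     "status": "under_investigation"}
  ]
}
""")

# Constructed scanner output reduced to the fields a VEX match needs.
# Real Grype or Trivy JSON carries much more; only the CVE id matters here.
FINDINGS = [
    {"id": "CVE-2000-0001", "package": "pkg:golang/example.invalid/lib@v1.0.0"},
    {"id": "CVE-2000-0002", "package": "pkg:golang/example.invalid/lib@v1.0.0"},
    {"id": "CVE-2000-0003", "package": "pkg:golang/example.invalid/other@v2.0.0"},
    {"id": "CVE-2000-0004", "package": "pkg:golang/example.invalid/lib@v1.0.0"},
    {"id": "CVE-2000-0005", "package": "pkg:golang/example.invalid/lib@v1.0.0"},
]


def index_statements(vex_document, product_id, problems):
    """Map CVE id -> statement for statements that name product_id.

    A not_affected statement with neither a valid justification nor an
    impact_statement is reported in `problems` and ignored, so an incomplete
    VEX entry cannot silently hide a finding.
    """
    index = {}
    for statement in vex_document.get("statements", []):
        vuln = statement.get("vulnerability", {}).get("name")
        products = {p.get("@id") for p in statement.get("products", [])}
        if not vuln or product_id not in products:
            continue  # about another product; never let it suppress this one
        if statement.get("status") == "not_affected":
            ok = statement.get("justification") in VALID_JUSTIFICATIONS
            if not ok and not statement.get("impact_statement"):
                problems.append(f"{vuln}: not_affected without a valid justification or impact_statement")
                continue
        index[vuln] = statement
    return index


def filter_findings(findings, vex_document, product_id):
    """Split findings into (actionable, suppressed, problems)."""
    problems = []
    index = index_statements(vex_document, product_id, problems)
    actionable, suppressed = [], []
    for finding in findings:
        statement = index.get(finding["id"])
        if statement and statement["status"] in SUPPRESSING_STATUSES:
            suppressed.append({**finding,
                               "vex_status": statement["status"],
                               "reason": statement.get("justification")
                               or statement.get("impact_statement") or ""})
        else:
            actionable.append(finding)
    return actionable, suppressed, problems


def applicability_notes(suppressed):
    """Render suppressed findings as a Markdown table for release documentation."""
    rows = ["| Vulnerability | VEX status | Reason |", "|---|---|---|"]
    rows += [f"| {f['id']} | {f['vex_status']} | {f['reason']} |" for f in suppressed]
    return "\n".join(rows)


if __name__ == "__main__":
    actionable, suppressed, problems = filter_findings(FINDINGS, VEX_DOCUMENT, SCANNED_PRODUCT)
    print("Still actionable:", [f["id"] for f in actionable])
    print("VEX problems:", problems)
    print(applicability_notes(suppressed))
```

Run as written, only CVE-2000-0001 is suppressed: CVE-2000-0002 is flagged because its `not_affected` statement carries no justification, CVE-2000-0003's statement is about a different product, CVE-2000-0004 is still under investigation, and CVE-2000-0005 has no statement at all. The Markdown table is the kind of applicability documentation that can be generated from the same source of truth the scanners consume, instead of being maintained by hand in a spreadsheet.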
Feroz Salam is a Security Architect at Isovalent, a Cisco company.