Benefits of VEX for SBOMs
As Software Bills of Materials (SBOMs) become increasingly necessary, and in some cases required by private companies and governments globally, they are meant to provide transparency and help organizations understand what is in their software. But if SBOMs are so helpful, why does nobody seem to know what to do with them?
Knowing what you’re working with
Modern applications make use of thousands of third-party components, mostly but not entirely open source software (OSS), and it’s critical to keep track of them. That’s why, in theory, an SBOM is great. Requiring an SBOM seemed like such a good idea that both government agencies and customers started insisting that everyone have them. You get an SBOM, you get an SBOM, everyone gets an SBOM!
However, once everyone started getting SBOMs, a new problem arose: what do we do with these things, anyway? While an SBOM is important, when you just get a list of all the components that are in your code, it’s incomplete information that isn’t actionable.
In order to make SBOMs really useful, security pros needed something else—something to contextualize the mass of findings in an SBOM to help them understand what was really concerning and what was just a false alarm. As Frank Costanza once said, there has to be another way.
Streamlining risk management
Thankfully, there is another way: VEX (Vulnerability Exploitability eXchange). VEX is a machine-readable format for stating whether the known vulnerabilities in a product's components are actually exploitable, in the context of where and how those components are used.
SBOMs enriched with VEX data make it easier for organizations to prioritize risk management by providing actionable insights into the exploitability of vulnerabilities. This allows your business to allocate resources effectively and focus on addressing the most critical risks.
A VEX producer can designate each vulnerability, per affected component, as one of four statuses (the names below are the informal ones; the CISA VEX minimum requirements and OpenVEX call them affected, not_affected, fixed and under_investigation, and CycloneDX uses the analysis states exploitable, not_affected, resolved and in_triage):
- Exploitable – The vulnerability can be triggered by an attacker in the current implementation and needs to be remediated ASAP. This is where your immediate focus should be.
- Not exploitable – The vulnerable code is present, but factors such as how your application is configured or which code paths are reachable mean an attacker cannot trigger it. A not-exploitable statement should carry a justification (for example, the vulnerable code is not reachable, or an existing control mitigates it); an unjustified one is an unverified claim, not a closed issue.
- Fixed – The vulnerability existed, but a patch or mitigation has already been applied in the version you are running.
- Under investigation – Further analysis is required to determine whether the vulnerability is exploitable. Once you have dealt with the exploitable vulnerabilities, these are the ones to look into next.
With VEX, instead of just having the SBOM data of software dependencies, you also have information about the specific vulnerabilities within the code that you’re using and whether they actually need to be addressed. It saves you the time and dev hours tracking down false positives and prioritizing the biggest risks first, overall providing a lot more value to an SBOM.
Notes about what steps have been taken or need to be taken can also be included in the VEX.
Additionally, VEX documents are machine readable. The common encodings are CycloneDX VEX, CSAF VEX and OpenVEX (SPDX 3.0 can carry VEX statements as well), and all of them can be ingested by SCA and vulnerability management tools. This enables greater automation of risk management, once again saving time and ultimately money.
VEX also carries actionable detail: the justification behind a not-exploitable status, what response the supplier recommends, and whether a patch is needed or a workaround suffices, alongside any severity ratings the document includes. Combined with the SBOM, this lets security teams judge how risky a vendor's software really is in their deployment, which is impossible to know from an SBOM alone. Keep in mind that a VEX statement is the supplier's assertion and is only as good as the analysis behind it.
Transforming SBOM with VEX
Having a method to consistently describe and share vulnerability data between organizations addresses some of the biggest headaches for security engineers. If the VEX data indicates that a vulnerability is non-exploitable because end users don’t have access to the affected function, it saves you the time of both tracking down that information and mitigating something that doesn’t need to be addressed imminently.
Say you scan your systems and discover 40 vulnerabilities within your software supply chain. Without VEX, you might spend days addressing all of them. With VEX data, you see that 10 of the vulnerabilities are non-exploitable, 20 are low severity and can be remediated later, while 10 are critical and exploitable. Now you are able to prioritize the most severe vulnerabilities, schedule later remediation for the lower-risk ones, and set aside the non-exploitable ones (keeping their justifications on record, since a later code or configuration change can make a once-unreachable path reachable). Think of the time (and headaches) you've saved thanks to VEX.
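As an added worked example (not code from the original post or from Mend.io), here is how the analysis states in a CycloneDX VEX document map onto the four statuses above and drive the triage described in the scenario. The VEX document, the scanner findings, the vulnerability IDs (EXAMPLE-000n) and the package URLs are all constructed for illustration and are not real CVEs or real packages; the severity-based fallback for findings that have no VEX statement is a policy choice of the example, not part of any standard.

```python
import json
from collections import defaultdict

# Constructed CycloneDX VEX document. IDs and package URLs are placeholders,
# not real vulnerabilities or real packages.
VEX_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "vulnerabilities": [
    {"id": "EXAMPLE-0001", "affects": [{"ref": "pkg:npm/example-web@2.0.0"}],
     "analysis": {"state": "exploitable", "response": ["update"],
                  "detail": "Reachable from the request handler."}},
    {"id": "EXAMPLE-0002", "affects": [{"ref": "pkg:npm/example-xml@1.4.1"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The vulnerable parser entry point is never called."}},
    {"id": "EXAMPLE-0003", "affects": [{"ref": "pkg:npm/example-auth@3.1.0"}],
     "analysis": {"state": "not_affected"}},
    {"id": "EXAMPLE-0004", "affects": [{"ref": "pkg:npm/example-log@0.9.2"}],
     "analysis": {"state": "resolved", "detail": "Patched in the shipped build."}},
    {"id": "EXAMPLE-0005", "affects": [{"ref": "pkg:npm/example-img@5.0.0"}],
     "analysis": {"state": "in_triage"}}
  ]
}
"""

# Constructed scanner output: what an SCA tool produces by matching SBOM
# components against a vulnerability database, with no VEX context yet.
FINDINGS = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/example-web@2.0.0",  "severity": "critical"},
    {"id": "EXAMPLE-0002", "purl": "pkg:npm/example-xml@1.4.1",  "severity": "high"},
    {"id": "EXAMPLE-0003", "purl": "pkg:npm/example-auth@3.1.0", "severity": "high"},
    {"id": "EXAMPLE-0004", "purl": "pkg:npm/example-log@0.9.2",  "severity": "medium"},
    {"id": "EXAMPLE-0005", "purl": "pkg:npm/example-img@5.0.0",  "severity": "medium"},
    {"id": "EXAMPLE-0006", "purl": "pkg:npm/example-util@1.0.0", "severity": "low"},
]

# CycloneDX analysis states mapped onto the four statuses used in the text.
STATE_TO_BUCKET = {
    "exploitable": "fix_now",
    "not_affected": "not_exploitable",
    "false_positive": "not_exploitable",
    "resolved": "fixed",
    "resolved_with_pedigree": "fixed",
    "in_triage": "investigate",
}


def load_vex_statements(vex_text):
    """Index the VEX analysis blocks by (vulnerability id, affected component ref)."""
    doc = json.loads(vex_text)
    statements = {}
    for vuln in doc.get("vulnerabilities", []):
        analysis = vuln.get("analysis")
        if not analysis:
            continue
        for affected in vuln.get("affects", []):
            statements[(vuln["id"], affected["ref"])] = analysis
    return statements


def bucket_for(finding, statement):
    """Pick a triage bucket for one finding given its VEX statement (or None)."""
    if statement is None:
        # No VEX coverage for this exact id/component pair: fall back to severity
        # (example policy). Critical and high go to the front of the queue.
        return "fix_now" if finding["severity"] in ("critical", "high") else "schedule"
    state = statement.get("state", "in_triage")
    bucket = STATE_TO_BUCKET.get(state, "investigate")
    # A not_affected claim without a justification is an unsupported assertion;
    # keep it in the investigate queue instead of silently suppressing it.
    if state == "not_affected" and not statement.get("justification"):
        return "investigate"
    return bucket


def triage(findings, statements):
    """Split scanner findings into buckets, using VEX statements where present."""
    buckets = defaultdict(list)
    for finding in findings:
        key = (finding["id"], finding["purl"])
        buckets[bucket_for(finding, statements.get(key))].append(finding["id"])
    return dict(buckets)


if __name__ == "__main__":
    for bucket, ids in triage(FINDINGS, load_vex_statements(VEX_JSON)).items():
        print(f"{bucket:16s} {', '.join(ids)}")
```

Matching here is on the exact component ref; CycloneDX also allows `affects[].versions` with version ranges, which a production ingester would need to honour so that a statement about one version is not silently applied to another. Note that EXAMPLE-0003 ends up under investigation rather than suppressed, precisely because its not_affected status has no justification.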
Adopting SBOMs is an essential step toward modern software security, but without the right context, they remain incomplete. VEX is the key to transforming SBOMs into actionable, insightful tools. By providing crucial exploitability data, VEX allows organizations to allocate resources efficiently, reduce false positives, and focus on addressing real threats—saving time, money, and ensuring faster, more secure software deployments.
At Mend.io, we’re excited to offer SBOM exports enriched with VEX data, empowering our customers to turn their SBOMs into effective risk management tools. Interested in making your SBOMs more actionable? Schedule a demo today.