A Deeper Dive into VEX Documents

 

At the end of last summer, I wrote a blog post explaining the merits of Vulnerability Exploitability eXchange (VEX) documents. Almost 8 months later, I stand by the importance of these documents when it comes to efficient management of vulnerabilities. With our CTO, Eric Byres presenting on this very topic at S4x22, it seems like a good time to come back to VEX documents and dig into what they actually look like.

Read More

Log4j: Panic or Lesson? | How to Protect Deployed Assets

 

Cleaning up the Mess will Take a Methodical Approach

Nearly every week the cybersecurity community buzzes around a newly discovered vulnerability or a breach. December’s alert for the CVE-2021-4428  vulnerability in Apache Foundation’s Log4j software is no different. Also known as the Log4Shell vulnerability, it is present within the log4j-core library commonly used for logging in Java applications. These applications are widely deployed in a huge...

Read More

Sorry Blackberry: You Are Part of the Supply Chain

Today, reporters Betsy Woodruff Swan and Eric Geller at Politico published a story: “BlackBerry resisted announcing major flaw in software powering cars, hospital equipment.”  They outline how BlackBerry willfully hid the fact that their key operating system QNX contained a collection of vulnerabilities (originally discovered and named BadAlloc by Microsoft). It seems other companies affected by BadAlloc announced the issue way back in May. Not so...

Read More

What is VEX and What Does it Have to Do with SBOMs?

Recently, we have been fielding many inquiries here at aDolus regarding “VEX.” If you are not familiar with this mysterious abbreviation, you’ve fortunately landed in the right place. This blog post explains what VEX is and the crucial role VEX plays within the Software Bill of Material (SBOM) space.

Read More