Understanding the Different Standards of SBOM and VEX

Different Standards of SBOM and VEX

Software Bill of Materials (SBOM) is a complete inventory of components used in a software application. It helps manufacturers and suppliers analyze the components’ security and find vulnerabilities that might affect the software. However, not all SBOMs follow the same format, and there’s also a new way of providing annotation on a small scale called Vulnerability Exploitability eXchange (VEX).

On this video clip, “What is VEX?”, Delan and Oscar, Founder and CEO of MergeBase, are discussing the different standards of SBOMs and VEX to help you understand which one is best for your organization.


Dominant SBOM Standards: Cyclone DX and SPDX

The two dominant standards of SBOMs in the market today are Cyclone DX and SPDX. Cyclone DX is supported by OWASP, making it the de facto organization for applications. On the other hand, SPDX has become an ISO standard. The ISO is the leading global standard, making SPDX the preferred choice for companies that have a multi-year process in managing their system’s risk management.

Organizations that use SBOMs beyond collecting them are also analyzing and working with them. Some companies use Cyclone DX tools while others prefer SPDX. Cyclone DX tools provide an immediate solution, while SPDX takes time but is more efficient in the long run. The choice between Cyclone DX and SPDX ultimately depends on your organization’s goals and timeline.

Enhanced Vulnerability Insights

Another way of providing annotation on a small scale is by using VEX. VEX adds information about vulnerable components to one component list, giving you insight into whether a vulnerability affects an application. For example, an encryption library might have different encryption algorithms, and one algorithm might be perfectly fine and not affect the application. Still, there could be a vulnerability with another algorithm in the same library that harms the application. VEX provides insight into which algorithm is affected and needs attention.

For vendors, having VEX is essential because it reduces effort in eliminating vulnerabilities. There are scenarios where eliminating a vulnerability doesn’t make sense if they’re not using that specific part of the software. Of course, buyers remain skeptical and want to do their analysis before purchasing software.

Empowering Software Supply Chain Security with SBOM and VEX

In conclusion, SBOMs are essential in analyzing the components used in an application and checking for vulnerabilities. The choice between Cyclone DX and SPDX ultimately depends on your organization’s goals and timeline. Moreover, VEX is a new way of providing annotation on a small scale, which helps both vendors and buyers identify which algorithms are vulnerable and how to eliminate them. It’s essential to understand the different standards of SBOMs and VEX to make informed decisions about the software used in your organization’s systems.

Ready to take the first step in securing your software?