ARMO, the creator and lead maintainer of Kubescape, the CNCF Kubernetes Security Posture Management (KSPM) project, announces the addition of automated VEX generation.

With its innovative feature for generating reliable Vulnerability Exploitability eXchange (VEX) documents, Kubescape becomes the first open-source project to provide this functionality. This advancement marks a significant milestone in vulnerability management, offering security practitioners a powerful tool to prioritize and address software vulnerabilities effectively.

Vulnerability Exploitability eXchange (VEX) is a standard format in which a vendor or operator states whether a product is actually affected by a vulnerability found in one of its components. VEX documents have emerged as a critical complement to Software Bill of Materials (SBOMs), because an SBOM lists what is present while a VEX document says whether a finding against it applies. However, sourcing reliable and accurate VEX documents has been a major challenge in the industry. Software vendors, who possess the most in-depth understanding of their products, are ideally positioned to judge which vulnerabilities are exploitable in them. However, the continuous effort required to keep VEX documents up to date has hindered widespread adoption.

Open-source projects face an even greater challenge due to limited resources and reliance on community contributions, so consistently producing detailed VEX documents is rarely sustainable for them. As a result, the practical implementation of VEX documents across diverse software ecosystems has remained limited.

Kubescape leverages its eBPF-based Kubernetes runtime reachability capability to generate VEX documents automatically, providing clear and actionable signaling for vulnerability prioritization and management. By using eBPF to observe which software packages a container actually loads at runtime, Kubescape distinguishes vulnerabilities in code that was never loaded from those that pose an actual risk in the container environment.

The Kubescape Operator, starting from version 1.16.2, produces VEX documents and stores them as Kubernetes API objects. These documents follow the OpenVEX standard and mark each vulnerability as "affected" or "not_affected" according to whether the vulnerable package was observed loaded at runtime. Because the classification rests on runtime observation, a "not_affected" statement reflects the code paths exercised during the observation window rather than a static proof that the package can never be loaded. The distinction still lets security practitioners focus their efforts on vulnerabilities that pose a genuine risk, significantly improving the signal-to-noise ratio of vulnerability scan results.

Because the documents are standard OpenVEX, they can be consumed directly by popular open-source vulnerability scanners such as Grype and Trivy, which use the statements to suppress or de-prioritize findings marked not affected. With the noise removed, users can prioritize and address the vulnerabilities that can actually harm their systems.
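To make the two preceding paragraphs concrete, here is an added example (not Kubescape's own code, nor Grype's or Trivy's) of what a consumer does with an OpenVEX document: it validates the statuses and justifications the spec defines, indexes statements by CVE and product/subcomponent purl, and splits scanner findings into those a "not_affected" statement silences and those that stay actionable. The document, image references, package purls and CVE identifiers are constructed sample data; the matching rules are the general OpenVEX ones, not a description of Kubescape's internal format.

```python
"""Apply an OpenVEX document to vulnerability-scanner findings.

Added example, not Kubescape's own code: it shows what a consumer does with
the "affected" / "not_affected" statements in a VEX document. The document,
image references and CVE identifiers below are constructed sample data.
"""
import json
from dataclasses import dataclass

# OpenVEX status and justification vocabularies (openvex.dev spec, v0.2.0).
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
VALID_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}


def _statement(cve, image, package, status, justification=None):
    """Build one OpenVEX statement: product = image purl, subcomponent = package purl."""
    st = {
        "vulnerability": {"name": cve},
        "products": [{"@id": image, "subcomponents": [{"@id": package}]}],
        "status": status,
    }
    if justification:
        st["justification"] = justification
    return st


IMAGE = "pkg:oci/example-app@sha256:aaaa"  # constructed image reference

# Constructed OpenVEX document: libfoo was never loaded at runtime, libbar was.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-001",
    "author": "constructed-example",
    "timestamp": "2024-01-01T00:00:00Z",
    "version": 1,
    "statements": [
        _statement("CVE-2023-0001", IMAGE, "pkg:deb/debian/libfoo@1.0.0",
                   "not_affected", "vulnerable_code_not_in_execute_path"),
        _statement("CVE-2023-0002", IMAGE, "pkg:deb/debian/libbar@2.0.0", "affected"),
    ],
})

# Same claim with the justification dropped: the spec requires one on
# not_affected, and a consumer should refuse to silence a finding without it.
BAD_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "statements": [_statement("CVE-2023-0001", IMAGE,
                              "pkg:deb/debian/libfoo@1.0.0", "not_affected")],
})


@dataclass(frozen=True)
class Finding:
    cve: str
    image: str    # purl of the scanned image
    package: str  # purl of the vulnerable package inside it


def parse_openvex(text):
    """Validate what the matcher relies on and index statements as
    (cve, product @id, subcomponent @id or None) -> status."""
    doc = json.loads(text)
    if not isinstance(doc.get("statements"), list):
        raise ValueError("not an OpenVEX document: missing statements")
    index = {}
    for st in doc["statements"]:
        status = st.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"unknown status {status!r}")
        if status == "not_affected" and not (
                st.get("justification") in VALID_JUSTIFICATIONS or st.get("impact_statement")):
            raise ValueError("not_affected statement without justification")
        cve = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            # A product with no subcomponents means the statement covers it as a whole.
            for sub in prod.get("subcomponents") or [None]:
                index[(cve, prod["@id"], sub["@id"] if sub else None)] = status
    return index


def vex_is_valid(text):
    try:
        parse_openvex(text)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def apply_vex(findings, index):
    """Split findings into (actionable, suppressed). Only an exact not_affected
    match on CVE + image + package (or CVE + whole image) suppresses; a finding
    with no statement stays actionable, so unknown never means silent."""
    actionable, suppressed = [], []
    for f in findings:
        status = index.get((f.cve, f.image, f.package)) or index.get((f.cve, f.image, None))
        (suppressed if status == "not_affected" else actionable).append(f)
    return actionable, suppressed


SAMPLE_FINDINGS = [  # constructed scanner output
    Finding("CVE-2023-0001", IMAGE, "pkg:deb/debian/libfoo@1.0.0"),  # not loaded -> suppressed
    Finding("CVE-2023-0002", IMAGE, "pkg:deb/debian/libbar@2.0.0"),  # loaded -> keep
    Finding("CVE-2023-0003", IMAGE, "pkg:deb/debian/libbaz@3.0.0"),  # no statement -> keep
    Finding("CVE-2023-0001", "pkg:oci/other-app@sha256:bbbb",
            "pkg:deb/debian/libfoo@1.0.0"),  # other image: statement does not carry over
]


def triage(vex_text=SAMPLE_VEX, findings=SAMPLE_FINDINGS):
    return apply_vex(findings, parse_openvex(vex_text))


if __name__ == "__main__":
    actionable, suppressed = triage()
    for f in actionable:
        print("ACTIONABLE", f.cve, f.package)
    for f in suppressed:
        print("SUPPRESSED", f.cve, f.package)
```

Two design points carry over to real scanners: a statement is scoped to the exact product it names, so a "not_affected" verdict for one image is not evidence about another image carrying the same package, and a "not_affected" statement without a justification is rejected rather than trusted. Grype (`grype <image> --vex <file>`) and Trivy (`trivy image --vex <file> <image>`) apply the same kind of matching when given a document exported from the cluster.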

"We are excited to be the first open-source project to generate VEX documents," said Ben Hirschberg, CTO and co-founder of ARMO and maintainer of the Kubescape project. "Our mission is to simplify vulnerability management and provide security practitioners with the tools they need to make informed decisions. With Kubescape's VEX generation capability, we are enabling organizations to simplify the results of vulnerability scans and focus on the vulnerabilities that truly matter."

Kubescape's collaboration with the Linux Foundation on the OpenVEX standard further solidifies its position as a trusted and reliable solution for vulnerability management. By leveraging the power of automation, Kubescape is key to changing the way security practitioners address software vulnerabilities, ultimately enhancing the security posture of Kubernetes environments.

For more information about Kubescape and its VEX generation capabilities, please visit kubescape.io and the Kubescape GitHub repository.