News
Vendors

NetRise boosts supply chain transparency and security with Vulnerability Exploitability eXchange (VEX)

May 07, 2024
NetRise now part of DHS Continuous Diagnostics and Mitigation approved products list

NetRise announced support for creating Vulnerability Exploitability eXchange (VEX) documents to help organizations track and convey risk associated with the software they are manufacturing or consuming. The XIoT security firm now offers VEX, enhanced asset extraction and analysis, and new search capabilities to provide results with greater accuracy.

VEX documents are commonly found alongside Software Bill of Materials (SBOMs) and allow software, firmware, and device developers to convey if an asset is or is not affected by a particular vulnerability. The developer can also provide recommendations and workarounds in a standardized, machine-readable format. Asset owners and operators then consume VEX information to help influence vulnerability and risk management processes.

“Our latest updates address the critical challenges organizations face when mitigating risks in firmware and software components to secure their connected devices,” said Thomas Pace, CEO of NetRise. “We are a customer-first organization, which means that we continuously anticipate and respond to our customers’ needs. One of our customers’ most requested features has been access to vulnerability remediations and VEX statuses.” 

Pace added that he is “excited that we are now able to provide this and look forward to seeing how they use it and how VEX continues to evolve. With our new offerings, we are empowering organizations with advanced vulnerability insights, simplified workflows, and a more complete, secure SBOM.”

Users of the NetRise Platform now have a single solution that allows them to identify software components in their software and XIoT assets, automatically discover the vulnerabilities that affect them, triage the vulnerabilities, and generate SBOM and VEX documents that exceed the minimum requirements defined by the National Telecommunications and Information Administration (NTIA).

Understanding the SBOM and VEX specifications that meet the minimum standards is daunting and time-consuming for many organizations. By using the NetRise Platform, organizations can be confident they are generating documents that adhere to the specifications without needing to be intimately familiar with them, which is especially important for organizations with limited development or security resources as well as those who are or may become required to comply with Executive Order 14028.

Key new features and capabilities include:

  • VEX: Organizations can apply VEX statuses to vulnerabilities in a report, track if an asset is affected by a vulnerability identified in a software component, and communicate vulnerabilities to external stakeholders.
  • Enhanced Asset Extraction and Analysis: The platform now includes a newly improved extraction engine that is file agnostic and significantly improves how ‘file systems’ are handled in various formats.
  • New Search Experience: NetRise’s enhanced artifact search experience provides results at greater accuracy, speed, and filtering capabilities. Artifact search allows organizations to quickly identify where any data point (CVE, component, hardcoded authentication credential, file hash, etc.) exists in their assets.
  • Comprehensive Vulnerability Prioritization: The NetRise platform now incorporates a new prioritization tool that simplifies identifying critical-risk vulnerabilities by combining Exploit Prediction Scoring System (EPSS) and Common Vulnerability Scoring System (CVSS) scores. The prioritization feature effectively guides organizations to focus on the highest-risk vulnerabilities first, reducing response times and improving remediation efficacy.
Industrial Cyber News Desk
Industrial Cyber News Desk

Related

CISA debuts encrypted DNS implementation guidance for federal agencies aligned with zero trust strategy
CISA debuts encrypted DNS implementation guidance for federal agencies aligned with zero trust strategy
Vulnerabilities in GE Healthcare Vivid ultrasound system could allow malicious insiders to install ransomware, access patient data
Vulnerabilities in GE Healthcare Vivid ultrasound system could allow malicious insiders to install ransomware, access patient data
Relyens, Cynerio partner to introduce advanced healthcare cybersecurity solution to European market
Relyens, Cynerio partner to introduce advanced healthcare cybersecurity solution to European market
Cybellum joins forces with M-ISAC to help Japanese MDMs improve cybersecurity
Cybellum’s Product Security Platform 3.0: Risk Edition enables threat modeling, risk and compliance management at scale 
ABS Consulting, Hexagon partner to empower industries with improved asset management solutions
ABS Consulting, Hexagon partner to empower industries with improved asset management solutions
OPSWAT
OPSWAT Academy debuts authorized training program to empower global cybersecurity capabilities
Exalens
Exalens, Approach Cyber partner to boost cybersecurity across industrial, IIoT environments
Australian-NCSC-coordinates-response-to-major-health-information-ransomware-breach
Australian NCSC coordinates response to major health information ransomware breach
Senator Vance issues warning on China-backed Volt Typhoon threat to US critical infrastructure
Senator Vance issues warning on China-backed Volt Typhoon threat to US critical infrastructure
NIST releases finalized security guidelines for controlled unclassified information in SP 800-171r3, SP 800-171Ar3
NIST releases finalized security guidelines for controlled unclassified information in SP 800-171r3, SP 800-171Ar3