Determining Exploitability of Vulnerabilities with SBOM and VEX
Black Hat Asia 2025 · Day 2 · Briefings
In an era dominated by open-source software, managing the deluge of associated vulnerabilities has become a paramount challenge for organizations. This talk, presented by Shina and Anushia, security software engineers at Splunk, addresses a critical pain point in modern software development: effectively determining the **exploitability** of reported vulnerabilities. They detail Splunk's journey in implementing a robust, centralized security practice that leverages **Software Bill of Materials (SBOM)** and **Vulnerability Exploitability eXchange (VEX)** to streamline vulnerability management, enhance developer experience, and provide actionable security insights.
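To make the SBOM + VEX workflow concrete, the following is an added example (not Splunk's code and not described in the talk). It takes a constructed SBOM fragment, constructed scanner findings, and a constructed VEX document in the OpenVEX statement shape (status plus justification, products identified by package-url), then splits findings into those a developer must still act on and those VEX legitimately suppresses. All CVE identifiers, purls and the `example.invalid` document id are placeholders; `triage`, `vex_index` and `valid_statements` are names chosen here.

```python
"""Filter SBOM-derived vulnerability findings through VEX statements.

Added example, not Splunk's code. Uses the OpenVEX statement shape
(status + justification) and package-url (purl) component ids as found
in CycloneDX/SPDX SBOMs. Every CVE id, purl and finding below is constructed.
"""

# OpenVEX status values, and the justifications it allows for "not_affected".
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed SBOM fragment: what the product actually ships.
SBOM_COMPONENTS = [
    {"name": "libfoo", "version": "1.2.3", "purl": "pkg:pypi/libfoo@1.2.3"},
    {"name": "barlib", "version": "4.0.0", "purl": "pkg:npm/barlib@4.0.0"},
]

# Constructed scanner output; the CVE ids are placeholders, not real advisories.
SCANNER_FINDINGS = [
    {"vuln": "CVE-0000-00001", "purl": "pkg:pypi/libfoo@1.2.3", "severity": "high"},
    {"vuln": "CVE-0000-00002", "purl": "pkg:pypi/libfoo@1.2.3", "severity": "critical"},
    {"vuln": "CVE-0000-00003", "purl": "pkg:npm/barlib@4.0.0", "severity": "medium"},
    {"vuln": "CVE-0000-00004", "purl": "pkg:npm/barlib@4.0.0", "severity": "low"},
    {"vuln": "CVE-0000-00005", "purl": "pkg:npm/bazlib@2.0.0", "severity": "high"},
]

# Constructed OpenVEX document written by the owning team after triage.
VEX_DOCUMENT = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/placeholder-0001",  # placeholder id
    "author": "constructed-team",
    "timestamp": "2025-04-03T00:00:00Z",
    "version": 1,
    "statements": [
        {   # vulnerable function is never reached by this product
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": "pkg:pypi/libfoo@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # still being triaged, so it must stay visible to the developer
            "vulnerability": {"name": "CVE-0000-00002"},
            "products": [{"@id": "pkg:pypi/libfoo@1.2.3"}],
            "status": "under_investigation",
        },
        {   # malformed: not_affected without a justification; rejected below
            "vulnerability": {"name": "CVE-0000-00003"},
            "products": [{"@id": "pkg:npm/barlib@4.0.0"}],
            "status": "not_affected",
        },
    ],
}


def valid_statements(vex):
    """Keep only statements well-formed enough to act on.

    A not_affected statement with neither a recognised justification nor an
    impact_statement is dropped, so a sloppy VEX entry cannot silently hide a
    finding from developers.
    """
    kept = []
    for st in vex.get("statements", []):
        status = st.get("status")
        if status not in VEX_STATUSES:
            continue
        if status == "not_affected":
            justified = st.get("justification") in NOT_AFFECTED_JUSTIFICATIONS
            if not justified and not st.get("impact_statement"):
                continue
        kept.append(st)
    return kept


def vex_index(vex):
    """Map (vulnerability name, product purl) -> statement for lookup."""
    index = {}
    for st in valid_statements(vex):
        name = st["vulnerability"]["name"]
        for product in st.get("products", []):
            index[(name, product["@id"])] = st
    return index


def triage(findings, sbom_components, vex):
    """Split scanner findings into actionable, suppressed and not-in-SBOM.

    Findings whose purl is absent from the SBOM are reported separately:
    the scanner and the SBOM disagree about what is shipped, which is itself
    a data-quality problem worth surfacing rather than silently dropping.
    """
    known_purls = {c["purl"] for c in sbom_components}
    index = vex_index(vex)
    result = {"actionable": [], "suppressed": [], "not_in_sbom": []}
    for f in findings:
        if f["purl"] not in known_purls:
            result["not_in_sbom"].append(f)
            continue
        st = index.get((f["vuln"], f["purl"]))
        if st is not None and st["status"] in ("not_affected", "fixed"):
            result["suppressed"].append(
                {**f, "vex_status": st["status"], "justification": st.get("justification")})
        else:  # no statement, affected, or under_investigation: developer must act
            result["actionable"].append({**f, "vex_status": st["status"] if st else None})
    return result


if __name__ == "__main__":
    buckets = triage(SCANNER_FINDINGS, SBOM_COMPONENTS, VEX_DOCUMENT)
    for bucket, items in buckets.items():
        print(bucket, [(i["vuln"], i.get("vex_status")) for i in items])
```

Running it shows one finding suppressed with its recorded justification, three left actionable (one under investigation, one whose malformed VEX entry was rejected, one with no statement at all), and one finding for a component the SBOM does not list. The rejection of the unjustified `not_affected` statement is the check that makes mandatory VEX collection trustworthy: suppression only happens when the reason is recorded.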
AI review
This talk from Splunk engineers offers a deep dive into practical, large-scale vulnerability management, addressing the pervasive issue of alert fatigue from non-exploitable findings. They detail a robust, centralized system leveraging SBOMs for visibility and, critically, a clever, low-friction integration of VEX into existing issue tracking systems. By mandating VEX data collection and building institutional knowledge from remediation patterns, Splunk has significantly improved developer experience, focused remediation efforts on genuine risks, and provided actionable insights for supply…