ML) in Software Vulnerability Management: automations in the Software
Bill of Materials (SBOM) and the Vulnerability-Exploitability eXchange
(VEX)
Abstract
One of the most burning topics in cybersecurity in 2023 will undoubtedly
be compliance with the Software Bill of Materials. Since the US president
issued Executive Order 14028 on Improving the Nation's Cybersecurity,
software developers have prepared bills of materials and transmitted them
to vendors, customers, and users, but those recipients do not know what to
do with the reports they are getting. In addition, since software
developers have recognised the value of the Software Bill of Materials,
they have been using the reports extensively. This article presents an
estimate of 270 million requests per month, just from one popular tool to
one vulnerability index. This number is expected to double every year and
a half. This simple estimate explains the urgency of automating the
process. We propose solutions based on artificial intelligence and machine
learning, and we base our tools on the existing FAIR principles (Findable,
Accessible, Interoperable, and Reusable). The methodology is supported by
case study research and Grounded Theory, for categorising data into axes
and for verifying the value of the tools with experts in the field. We
showcase how to create and share Vulnerability Exploitability eXchange
data, and how to automate the Software Bill of Materials compliance
process with AI models and a unified computational framework combining
solutions for the following problems: (1) the data utilisation problem,
(2) the automation and scaling problem, (3) the naming problem, (4) the
alignment problem, (5) the pedigree and provenance problem, and many other
problems that are top of mind for many security engineers at present. The
uptake of these findings will depend on collaborations with government
and industry, and on the availability and ease of use of automated tools.