The Power of ‘And’

Marc Frankel
August 2, 2023

Announcing our support for OpenVEX and CSAF VEX standards

As software supply chain transparency proliferates, so too do the standards and specifications for the documents that underpin it. Even regular followers of the software bill of materials (SBOM) and Vulnerability Exploitability eXchange (VEX) conversation can find themselves adrift in a sea of standards, acronyms, and formats. This is a well-intentioned but at times frustrating consequence of multiple groups of smart people approaching hard problems in different ways simultaneously. So the world faces a patchwork of Format A OR Format B, and we end up in a VHS vs. Betamax scenario.

The Binary State of Security

We unfortunately see that cybersecurity practitioners have given up the ship when it comes to what to expect from their tools’ compatibility. After one recent demo to a government group with a particularly important mission - where we spent an hour digging into important advanced features such as enterprise overwatch and EPSS 3.0 - an analyst piped up at the very end and asked, “So do you support CycloneDX or SPDX?”

I was stunned by how he framed the question, with the assumption that Manifest would only work with one OR another. It demonstrated to me just how conditioned users have become to tools that aren’t compatible with some of their data. We believe that’s particularly unfortunate.

At Manifest, we believe that the answer has to be “AND.” Practitioners can’t send Betamax to counterparts who can only accept VHS. That is why we’re proud to report that our platform supports CycloneDX AND SPDX, JSON AND XML, and - as of today - generating OpenVEX AND CSAF VEX documents. And when the next open source group or the next major standard emerges, we’ll be ready to support that too.

Creating VEX documents in various formats has never been easier.

What is CSAF?

CSAF, the Common Security Advisory Framework, is an open standard developed by OASIS, aimed at creating a common, machine-readable way to communicate information about vulnerabilities. Manifest recently announced our initial support for the OpenVEX format of VEX, and we knew that, given the widespread support for CSAF, we would build in support for both formats - with more to come.

Manifest: We will always “AND”

As this past week’s Microsoft Volt Typhoon disclosures laid bare, the need to understand what’s in our software has never been more urgent. We can’t rely on non-technical users to learn the difference between a CycloneDX SBOM with an OpenVEX statement and an SPDX SBOM with a CSAF statement. We don’t have the luxury of only working with Format A OR Format B. It has to be AND. And it has to be now.

“Just generating an SBOM isn’t useful unless you’re doing something with it. And this is doing something with it.”
Executive Director of Engineering,
Leading Fintech Company