NetRise Vex documents reduce IoT software risks

  • May 14, 2024
  • Steve Rogerson

NetRise, a company providing granular visibility into the world’s extended IoT (XIoT) security problem, is creating vulnerability exploitability exchange (Vex) documents to help organisations track and convey risk associated with the software they are manufacturing or consuming.

The Texas-based company’s offering encompasses modern firmware and software component security challenges of IT, OT, IoT and other connected cyber-physical systems.

Vex documents are commonly found alongside software bills of material (SBoMs) and let software, firmware and device developers convey if an asset is or is not affected by a particular vulnerability. The developer can also provide recommendations and workarounds in a standard, machine-readable format. Asset owners and operators then consume Vex information to help influence vulnerability and risk management processes.

Users of the NetRise platform now have a single workflow that lets them identify software components in their software and XIoT assets, automatically discover the vulnerabilities that affect them, triage the vulnerabilities, and generate SBoM and Vex documents that exceed the minimum requirements defined by the National Telecommunications & Information Administration (www.ntia.gov).

Understanding the SBoM and Vex specifications well enough to meet the minimum standards is daunting and time-consuming for many organisations. By using the NetRise platform, organisations can be confident they are generating documents that adhere to the specifications without needing to be intimately familiar with them. This is especially important for those with limited development or security resources, as well as those who are or may become required to comply with Executive Order 14028 (www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity).

Organisations can apply Vex statuses to vulnerabilities in a report, track if an asset is affected by a vulnerability identified in a software component, and communicate vulnerabilities to external stakeholders.

The platform includes an improved extraction engine that is file-agnostic and improves how file systems in various formats are handled.

NetRise’s enhanced artefact search provides more accurate results, faster, with richer filtering. Artefact search lets organisations quickly identify where any data point (CVE, component, hardcoded authentication credential, file hash and so on) exists in their assets.

The platform incorporates a prioritisation tool that simplifies identifying critical-risk vulnerabilities by combining the exploit prediction scoring system (EPSS) and common vulnerability scoring system (CVSS) scores. The prioritisation feature effectively guides organisations to focus on the highest-risk vulnerabilities first, reducing response times and improving remediation efficacy.
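How an asset owner might consume the Vex statuses described above and feed whatever is not closed out into the EPSS/CVSS prioritisation: an added Python example, not NetRise platform code. It assumes an OpenVEX-shaped document (statements carrying a vulnerability, products, a status and, for not_affected, a justification), placeholder CVE ids, and constructed CVSS and EPSS values; the CVSS x EPSS score is an illustrative blend of severity and exploit likelihood, not NetRise's prioritisation formula.

```python
"""Consume a VEX document alongside SBoM scan findings and prioritise what is left.

Added example, not NetRise platform code. Assumptions: OpenVEX-shaped document;
CVE ids, CVSS base scores and EPSS probabilities are constructed sample values.
"""
import json

VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Machine-readable justifications OpenVEX allows on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
PRODUCT = "pkg:generic/example-firmware@1.0.0"  # constructed product identifier

# Constructed OpenVEX-style document; the CVE ids are placeholders.
SAMPLE_VEX = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/sample-001",
    "author": "Example Device Vendor (constructed)",
    "timestamp": "2024-05-14T00:00:00Z",
    "version": 1,
    "statements": [
        {"vulnerability": {"name": "CVE-0000-0001"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
        {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": PRODUCT}],
         "status": "affected", "action_statement": "Upgrade to firmware 1.0.1"},
        {"vulnerability": {"name": "CVE-0000-0003"}, "products": [{"@id": PRODUCT}],
         "status": "under_investigation"},
        # Invalid on purpose: not_affected with neither justification nor impact_statement.
        {"vulnerability": {"name": "CVE-0000-0004"}, "products": [{"@id": PRODUCT}],
         "status": "not_affected"},
    ],
})

# Constructed scanner output: (vulnerability, product) pairs found via the SBoM.
SAMPLE_FINDINGS = [("CVE-0000-%04d" % n, PRODUCT) for n in range(1, 5)]

# Constructed CVSS base scores (0-10) and EPSS probabilities (0-1).
SAMPLE_METADATA = {
    "CVE-0000-0001": {"cvss": 9.8, "epss": 0.95},
    "CVE-0000-0002": {"cvss": 7.5, "epss": 0.40},
    "CVE-0000-0003": {"cvss": 9.1, "epss": 0.05},
    "CVE-0000-0004": {"cvss": 5.3, "epss": 0.90},
}


def parse_vex(text):
    """Return ({(vuln, product): statement}, [errors]).

    Statements that fail validation are reported and dropped, so an ill-formed
    claim can never suppress a finding (fail closed).
    """
    doc = json.loads(text)
    statements, errors = {}, []
    for i, st in enumerate(doc.get("statements", [])):
        vuln = st.get("vulnerability", {}).get("name")
        products = [p.get("@id") for p in st.get("products", [])]
        status = st.get("status")
        if not vuln or not products or not all(products):
            errors.append(f"statement {i}: missing vulnerability name or product ids")
            continue
        if status not in VEX_STATUSES:
            errors.append(f"statement {i}: unknown status {status!r}")
            continue
        if status == "not_affected" and (
            st.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS
            and not st.get("impact_statement")
        ):
            errors.append(f"statement {i}: not_affected needs a justification or impact_statement")
            continue
        if status == "affected" and not st.get("action_statement"):
            # Reported but kept: an affected statement without advice hides no risk.
            errors.append(f"statement {i}: affected statement lacks an action_statement")
        for product in products:
            statements[(vuln, product)] = st
    return statements, errors


def prioritise(findings, statements, metadata):
    """Rank findings the VEX data does not close out, highest risk first.

    Score = CVSS base score x EPSS probability (illustrative heuristic only).
    Findings with no valid statement are kept and flagged as "no_vex".
    """
    ranked = []
    for vuln, product in findings:
        status = statements.get((vuln, product), {}).get("status", "no_vex")
        if status in ("not_affected", "fixed"):
            continue  # the vendor closed this out in a valid statement
        m = metadata.get(vuln, {"cvss": 0.0, "epss": 0.0})
        ranked.append({"vuln": vuln, "product": product, "status": status,
                       "score": round(m["cvss"] * m["epss"], 3)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def triage(vex_text, findings, metadata):
    """Parse the VEX document, then return validation errors and the work queue."""
    statements, errors = parse_vex(vex_text)
    return {"errors": errors, "queue": prioritise(findings, statements, metadata)}


if __name__ == "__main__":
    result = triage(SAMPLE_VEX, SAMPLE_FINDINGS, SAMPLE_METADATA)
    for err in result["errors"]:
        print("VEX error:", err)
    for item in result["queue"]:
        print(f'{item["score"]:6.3f}  {item["vuln"]:14}  {item["status"]}')
```

Two points the sample is built to show: the malformed not_affected statement for CVE-0000-0004 is rejected rather than trusted, so that finding stays in the queue marked "no_vex"; and blending EPSS with CVSS moves a medium-severity but likely-to-be-exploited issue above a critical one with a low exploit probability.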

“Our latest updates address the critical challenges organisations face when mitigating risks in firmware and software components to secure their connected devices,” said Thomas Pace, CEO of NetRise. “We are a customer-first organisation, which means we continuously anticipate and respond to our customers’ needs. One of our customers’ most requested features has been access to vulnerability remediations and Vex statuses. I’m excited that we are now able to provide this, and look forward to seeing how they use it and how Vex continues to evolve. With our new offerings, we are empowering organisations with advanced vulnerability insights, simplified workflows, and a more complete, secure SBoM.”

Based in Austin, Texas, NetRise (www.netrise.io) was built by defensive cyber experts drawn from the private sector, the intelligence community and the US federal government to solve the firmware security problem. The company is partnering with companies across manufacturing, automotive, medical devices, industrial control systems, satellites and more.