Vulnerability Management
Actionable insight into component vulnerabilities
Save valuable time
Don't waste time searching the internet for vulnerability information: let the FACT platform do the searching for you.
FACT automatically checks each file and all of its subcomponents against both vulnerability databases and advisories published on vendor websites. When a potential match is found, FACT adds the vulnerability to the parent file as a suggested association.
Each vulnerability associated with a file can negatively impact its trust score.
Let AI do the heavy lifting
FACT uses Artificial Intelligence (AI), specifically Machine Learning (ML) and Natural Language Processing (NLP), to perform the extraordinarily difficult task of linking vulnerabilities to products.
- The National Vulnerability Database (NVD) is far from complete and rarely maps component vulnerabilities back to the products containing those components.
- Thanks to mergers and acquisitions (and even simple spelling errors), the vendor name on a product often doesn't match the vendor name in the NVD disclosure details or the Common Platform Enumeration (CPE) listing.
- Even the most experienced security analysts cannot efficiently match vulnerabilities with their installed products (or the other way around). With AI, FACT creates these vulnerability associations quickly and comprehensively.
Just searching for the vendor name on your device doesn’t work. You need to know the vendor’s merger and acquisition history as well as any rebranding or renaming the product line underwent.
Prioritize and annotate vulnerabilities
Vendors have the ability to review and manage the vulnerabilities, approving, rejecting, and mitigating them as appropriate. This added level of intelligence saves asset owners from false-positive alerts and streamlines communication between parties.
What is a VEX Document?
Vulnerability Exploitability eXchange or VEX plays a crucial role within the Software Bill of Materials (SBOM) and vulnerability management space.
A VEX document is what the US National Telecommunications and Information Administration (NTIA) describes as a "companion artifact" to an SBOM. VEX allows vendors to clarify when components bearing vulnerabilities can’t be exploited in their product. FACT produces VEX documents to help streamline vulnerability management between vendors and their customers.
Identify exploitable vs. non-exploitable vulnerabilities
VEX helps vendors communicate to customers which vulnerabilities to prioritize and which ones can be safely ignored. Not all vulnerabilities are actually exploitable in any given product. In many cases, a vulnerability may exist in a dependent component, but for the specific product, it either has been mitigated by the vendor development team or is inaccessible to attackers. VEX enables vendors to share that information and help their customers optimize their patching strategy.
Focus on vulnerabilities that matter
There can be thousands of components in complex ICS products and each component can have multiple vulnerabilities listed in the National Vulnerability Database (NVD), all resulting in too many vulnerabilities to reasonably address. VEX reduces the number of vulnerabilities that asset owners need to patch, helping them focus on the ones that actually pose a risk.
Reduce the effort and cost of managing vulnerabilities
Software vendors generate VEX documents to discover vulnerabilities within the third-party dependencies of their products and preemptively assess the exploitability of these vulnerabilities. Once shared with their customers, VEX eliminates all the manual back and forth communication – emails, PDF documents, and phone calls – between product support and concerned customers.
Automate VEX for scalability
VEX documents are machine readable, allowing complex trees of component relationships to be automatically processed and ingested into patch management solutions at a large scale.
