In-person
1-4 April 2025

The Sched app allows you to build your schedule but is not a substitute for your event registration. You must be registered for KubeCon + CloudNativeCon Europe 2025 to participate in the sessions. If you have not registered but would like to join us, please go to the event registration page to purchase a registration.

Thursday April 3, 2025 17:30 - 18:00 BST
Vulnerability triaging is an expensive process, often plagued with false positives that cause organizations to waste thousands of dollars in engineering time handling and suppressing them to conform with compliance frameworks.

Here to the rescue comes VEX - the Vulnerability Exploitability eXchange - a new metadata format, designed as a companion to SBOMs, that communicates the impact of a vulnerability on a piece of software.

False positives come in many forms: from vulnerabilities found in other platforms, to non-exploitable code paths, to simple mitigations pre-applied to artifacts. Using VEX, software authors can communicate downstream that software is safe to use despite security scanners going brrrr.

In this talk, we dive into VEX and explore the new Kubernetes VEX feed, instrumented through collaboration between SIG Release, the Security Response Committee and SIG Security, to understand the source of the data and how to use it, and do some cool demos with real vulnerability scanners!
Speakers
Adolfo García Veytia

Staff Software Engineer, Stacklok
Adolfo García Veytia (@puerco) is a software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads, actively working on the Release Engineering team to improve the software that drives the Kubernetes release process. He is also the creator of the OpenVEX and...
Level 1 | Hall Entrance S10 | Room C
  Security