The article discusses the shortcomings of current vulnerability remediation approaches such as Software Bills of Materials (SBOMs), Vulnerability Exploitability eXchange (VEX) statements, and CVSS scores in addressing supply chain attacks, particularly within the context of AI software.
Devashri Datta, a security architect, proposes a new triage process using Safety Relevance Interpretation Layer (SRIL) and AI Vulnerability Exploitability eXchange (AIVEX) to incorporate contextual factors essential for assessing vulnerabilities, especially in safety-critical systems involving AI. SRIL enriches vulnerability data with critical safety-related dimensions, while AIVEX allows for machine-readable context to enhance decision-making.
The article underlines the urgency for better context-aware risk assessments as AI systems become increasingly autonomous, posing new security challenges.