At the AI Security Next 2025 summit held on the 23rd at Songdo Convensia in Incheon, Professor Heejo Lee of Korea University gave a talk titled “Supply Chain Security with SBOM and VEX in the AI Era.” [Source: Yang Seung-gab, TECHWORLD]

“The age has come where everything is connected through artificial intelligence (AI) and automation, and a single vulnerability can bring down the entire system. In AI security, where data, software, and hardware are interconnected, the key is not blocking but visibility.”

Professor Heejo Lee of Korea University made these remarks on the 23rd at the AI Security Next 2025 summit held at Songdo Convensia in Incheon. In his presentation titled “Supply Chain Security with SBOM and VEX in the AI Era,” he explained how the concept of security has evolved from “information protection” to “computer security,” then “software security,” and now to “supply chain security.”

He pointed out that, unlike hardware, software is invisible and difficult to manage. According to research cited by Professor Lee, analysis of the top 20,000 open-source projects showed that roughly 97% of code in new software versions consists of reused existing code. As a result, old vulnerabilities left unpatched for long periods pose a major exploitation risk.

Professor Lee likened the SBOM (Software Bill of Materials) to a ledger that records the origin of all parts. “Just as a single cracked brick can cause an entire castle wall to collapse, not knowing which code and open-source components are being used can endanger the entire supply chain,” he said. SBOMs make it possible to transparently document all open-source and component information within a system, allowing organizations to quickly identify the scope of impact when a vulnerability arises.

He went on to explain that VEX (Vulnerability Exploitability eXchange) organizes information about whether known vulnerabilities listed in an SBOM actually affect product security, using a standardized format that enhances visibility within the supply chain.

Referring to the SolarWinds incident, he warned, “It’s dangerous not to know whether there’s a flawed module within your system,” emphasizing that SBOM-based frameworks and institutional measures have been introduced as countermeasures to such risks.

According to his presentation, IoTcube 2.0 incorporates more than 20 analysis tools, including white-box and black-box testing, to automatically identify subcomponents and dependency relationships from uploaded software files. HaetBOM (an SBOM and VEX visualization tool) graphically represents component configurations, vulnerabilities, and dependencies, and is currently undergoing private-sector pilot testing in partnership with the Korea Information Security Industry Association (KISIA).

“With these systems,” he said, “we can automatically specify a software’s composition, version, and security issues, and when a critical vulnerability is discovered, immediately identify where that component is used for quick response. Even if a full version update isn’t possible, it enables you to pinpoint exactly which part of the code needs fixing.”
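The workflow described above (use the SBOM to find every place a component is used, then consult the VEX to see whether the listed vulnerability actually matters for this product) can be shown in a few lines of code. The example below is added here for illustration; it is not code from the article, from IoTcube, or from HaetBOM. The SBOM and VEX documents are constructed, simplified JSON in the shape of CycloneDX 1.5 (`components`, `dependencies`, and `vulnerabilities` with an `analysis.state`), and the vulnerability identifiers are placeholders rather than real advisories.

```python
"""Locate a component in an SBOM and look up its VEX exploitability state.

Constructed example: the SBOM and VEX below are hand-written, minimal
CycloneDX-style JSON (not real data); the vulnerability ids are placeholders.
"""
import json
from collections import deque

# Constructed SBOM: one application, three direct dependencies, one transitive one.
# bom-ref values use package-URL syntax only for readability.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "billing-service", "version": "2.4.0"}},
  "components": [
    {"bom-ref": "pkg:pypi/web-framework@3.1.0", "name": "web-framework", "version": "3.1.0"},
    {"bom-ref": "pkg:pypi/report-gen@1.2.0",    "name": "report-gen",    "version": "1.2.0"},
    {"bom-ref": "pkg:pypi/xml-parse@0.9.1",     "name": "xml-parse",     "version": "0.9.1"},
    {"bom-ref": "pkg:pypi/log-lib@5.0.0",       "name": "log-lib",       "version": "5.0.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:pypi/web-framework@3.1.0",
                                 "pkg:pypi/report-gen@1.2.0",
                                 "pkg:pypi/log-lib@5.0.0"]},
    {"ref": "pkg:pypi/web-framework@3.1.0", "dependsOn": ["pkg:pypi/log-lib@5.0.0"]},
    {"ref": "pkg:pypi/report-gen@1.2.0",    "dependsOn": ["pkg:pypi/xml-parse@0.9.1"]},
    {"ref": "pkg:pypi/xml-parse@0.9.1",     "dependsOn": []},
    {"ref": "pkg:pypi/log-lib@5.0.0",       "dependsOn": []}
  ]
}
"""

# Constructed VEX statements in the CycloneDX "vulnerabilities" shape.
# EXAMPLE-VULN-1 / EXAMPLE-VULN-2 are placeholders, not real advisory ids.
VEX_JSON = """
{
  "vulnerabilities": [
    {"id": "EXAMPLE-VULN-1",
     "affects": [{"ref": "pkg:pypi/xml-parse@0.9.1"}],
     "analysis": {"state": "exploitable",
                  "detail": "Parsing path is reachable from the report upload endpoint."}},
    {"id": "EXAMPLE-VULN-2",
     "affects": [{"ref": "pkg:pypi/log-lib@5.0.0"}],
     "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                  "detail": "The vulnerable formatter is never instantiated."}}
  ]
}
"""


def load(doc: str) -> dict:
    """Parse a JSON document string (SBOM or VEX)."""
    return json.loads(doc)


def components_by_name(sbom: dict, name: str, versions=None) -> list:
    """bom-refs of components with this name, optionally limited to given versions."""
    return [c["bom-ref"] for c in sbom["components"]
            if c["name"] == name and (versions is None or c["version"] in versions)]


def dependency_paths(sbom: dict, target_ref: str) -> list:
    """Every path from the root application down to target_ref: each one is a place
    where the component is used, which is what an incident responder needs first."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    paths, queue = [], deque([[root]])
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            paths.append(path)
            continue
        for child in edges.get(path[-1], []):
            if child not in path:  # tolerate cycles in a malformed SBOM
                queue.append(path + [child])
    return paths


def vex_state(vex: dict, vuln_id: str, ref: str) -> str:
    """Analysis state the VEX records for (vulnerability, component); CycloneDX uses
    'in_triage' when no decision has been recorded yet, so that is the default."""
    for v in vex["vulnerabilities"]:
        if v["id"] == vuln_id and any(a["ref"] == ref for a in v["affects"]):
            return v.get("analysis", {}).get("state", "in_triage")
    return "in_triage"


def triage(sbom: dict, vex: dict, vuln_id: str, name: str, versions=None) -> dict:
    """For each matching component: where it is used and what the VEX says about it."""
    return {ref: {"paths": dependency_paths(sbom, ref), "state": vex_state(vex, vuln_id, ref)}
            for ref in components_by_name(sbom, name, versions)}


if __name__ == "__main__":
    sbom, vex = load(SBOM_JSON), load(VEX_JSON)
    for vuln, comp in (("EXAMPLE-VULN-1", "xml-parse"), ("EXAMPLE-VULN-2", "log-lib")):
        for ref, info in triage(sbom, vex, vuln, comp).items():
            print(vuln, ref, info["state"])
            for p in info["paths"]:
                print("   used via:", " -> ".join(p))
```

The two lookups deliberately answer different questions: `dependency_paths` is the SBOM question (which parts of the product pull this component in, including transitively), and `vex_state` is the VEX question (has the supplier or the operator already decided the vulnerability is reachable or not). A component that appears on several paths but carries a `not_affected` statement with a justification can be deprioritised; one marked `exploitable` tells the team exactly which subtree to patch or isolate when a full version upgrade is not possible.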

He added, “By 2027, all software used in public institutions may be required to adopt SBOM management. Once implemented, this will enable more trustworthy and secure system operations, particularly in government and public sectors.”


[Translation from original article (Korean)]
https://www.epnc.co.kr/news/articleView.html?idxno=323864