Program Overview

CVE/FIRST VulnCon 2024 & Annual CNA Summit

Agenda is subject to change. The time zone reflected in the agenda is Eastern Standard Time. All sessions and social activities will take place at the McKimmon Conference and Training Center.

Virtual Attendance: All presentations will be TLP:CLEAR and streamed for those interested in virtual participation. Virtual registration is available within the registration form. Streaming will be delivered over Zoom.

Registration Hours

Registration will be located in the main lobby of the McKimmon Conference and Training Center. Please have a copy of your ID or registration confirmation readily available to assist with badge collection. Registration will open at 07:30 all three days.

Monday, March 25th

Track 1 | Track 2 | Track 3
08:30 – 09:00
US

Welcome Remarks

Peter Allor (Red Hat, US)

TLP:CLEAR
09:00 – 10:00
US

Supply Chain Security: The Office of the National Cyber Director Perspective (presentation features a virtual speaker)

Andrew Pasternak (USG, US)

TLP:CLEAR
10:00 – 10:30
KR

A Legislation Guide for Keeping pace with Cybersecurity Paradigm Shift toward Vulnerability (presentation features a virtual speaker)

Tae Seung Lee (Korea Internet & Security Agency, KR)

TLP:CLEAR
11:00 – 12:00
AU

The Trials and Tribulations of Bulk Converting CVEs to OSV

Andrew Pollock (Google Open Source Security Team, AU)

TLP:CLEAR
IL

Why Can't We All Just Get Along? Bridging the Gap in Vulnerability Prioritization Standards

Yotam Perkal (Rezilion, IL)

TLP:CLEAR
US

Revising the CVE CNA Operational Rules: AMA

Art Manion (ANALYGENCE Labs, US)

TLP:CLEAR
13:00 – 14:00
US

Crossing the Streams - How Downstream Can Understand Upstream Vulns

Christopher Robinson (Intel, US); Madison Oliver (GitHub, US)

TLP:CLEAR
US

SBOMs – The Missing Link

Cassie Crossley (Schneider Electric, US)

TLP:CLEAR
US

CVSS SIG Past, Present & Future + CVSS v4.0 Beyond the Numbers: Improving Qualitative Aspects of Vulnerability Disclosure

Nick Leali (Cisco and CVSS SIG Chair, US)

TLP:CLEAR

13:00 – 14:30

14:00 – 15:00
US

A Roadmap for Your OSS Security Lifecycle Journey to Protect Customers

Lisa Bradley, Sarah Evans (Dell, US)

TLP:CLEAR
PL

Understanding Red Hat's SBOM - The Future of Software Transparency

Przemyslaw Roguski (Red Hat, PL)

TLP:CLEAR
14:30 – 15:00
US

Building a Better Database: How GitHub Structures Their Advisory Database to Drive Developer Outcomes

Jon Moroney (GitHub, US)

TLP:CLEAR
15:30 – 16:30
US

Seeing the Vulnerable Forest Through the Exploited Trees

Jay Jacobs (Cyentia, US)

TLP:CLEAR
US

CVE Is The Worst Vulnerability Framework (Except For All The Others)

Benjamin Edwards, Sander Vinberg (Bitsight, US)

TLP:CLEAR
US

Panel Discussion: Enabling Accurate, Decentralized Root Cause Mapping at Scale

Alec Summers, Chris Levendis (The MITRE Corporation, US); Deana O'Meara (NVIDIA, US); Erin Alexander (CISA, US)

TLP:CLEAR
16:30 – 17:00
US

Day 1: Wrap Up & Lessons Learned

Peter Allor (Red Hat, US); Josh Dembling (Intel, US)

TLP:CLEAR
17:00 – 19:00

Networking After Party Sponsored by Nucleus

TLP:CLEAR

Tuesday, March 26th

Track 1 | Track 2 | Track 3
08:30 – 09:00
US

Daily Updates & Announcements

Peter Allor (Red Hat, US)

TLP:CLEAR
09:00 – 10:00
BE

Vulnerability Coordination in the EU

Johannes Clos (ENISA, BE)

TLP:CLEAR
10:00 – 10:30
JP

Pushing Coordinated Vulnerability Disclosure forward in Asia Pacific

Tomo Ito (JPCERT/CC, JP)

TLP:CLEAR
10:30 – 11:00

Break

11:00 – 12:00
IT ES

Nestlé Unified Vulnerability Management Approach

Angelo Punuriero (Nestlé, IT); Jenifer Jimenez, Martin Karel (Nestlé, ES)

TLP:CLEAR
MX

Democratizing Exploitability Data with OpenVEX

Adolfo Garcia Veytia (Stacklok, MX)

TLP:CLEAR
US

Adventures in Vulnerability Coordination

Daniel Larson, Iain Deason (CISA, US)

TLP:CLEAR
12:00 – 13:00

Lunch

13:00 – 14:00
DE

Finding, Managing, Preventing Vulnerabilities: An Automotive Perspective (presentation features virtual speakers)

Andreas Weichslgartner, Joyabrata Ghosh, Vineeth Bharadwaj (CARIAD SE, DE)

TLP:CLEAR
MX US

Panel Discussion: Don’t be Vexed by VEX - VEXperts Panel (presentation features a virtual speaker)

Adolfo Garcia Veytia (Stacklok, MX); Art Manion (ANALYGENCE Labs, US); Christopher Robinson (Intel, US); Justin Murphy (CISA, US)

TLP:CLEAR
US

EPSS: Challenges and Opportunities Going Forward + EPSS AMA

Jay Jacobs (Cyentia, US); Sasha Romanosky (RAND Corporation, US)

TLP:CLEAR

13:00 – 14:30

14:00 – 15:00
US

China's New Vuln System

Dakota Cary (Atlantic Council, SentinelOne, US)

TLP:CLEAR
US

CSAF/VEX: Improved Security Data

Martin Prpic (Red Hat, US)

TLP:CLEAR
14:30 – 15:00
FR US

Effective Vulnerability Management for Over 400 Projects at the Eclipse Foundation (presentation features a virtual speaker)

Marta Rybczynska (Eclipse Foundation, FR); Michael Winser (Eclipse Foundation, US)

TLP:CLEAR
15:00 – 15:30

Break

15:30 – 16:30
US

The CWE Program: Current State and Road Ahead

Alec Summers (The MITRE Corporation, US)

TLP:CLEAR
US

VeXing Vulnerabilities: NVIDIA's Dynamic Approach to OSS Security

Jessica Butler, Amy Rose (NVIDIA, US)

TLP:AMBER
US

Panel Discussion: This One Time at CVD Camp

Art Manion (ANALYGENCE Labs, US); Deana O'Meara (NVIDIA, US); Madison Oliver (GitHub, US); Christopher Robinson (Intel, US)

TLP:CLEAR
16:30 – 17:00
US

Day 2: Wrap Up & Lessons Learned

Peter Allor (Red Hat, US); Josh Dembling (Intel, US)

TLP:CLEAR
17:00 – 19:00

Networking After Party Sponsored by OpenSSF

TLP:CLEAR

Wednesday, March 27th

Track 1 | Track 2 | Track 3
09:00 – 10:00
US

What It Takes to Lead America’s Vulnerability Management Team

Bob Lord, Lindsey Cerkovnik, Sandy Radesky (CISA, US); Chris Hughes (Aquia, US); Patrick Garrity (VulnCheck, US)

TLP:CLEAR
10:00 – 10:30
IN

CNA Challenges From a National CERT Perspective

Mohd. Akram Khan, Seema Khanum (CERT.IN, IN)

TLP:CLEAR
11:00 – 12:00
IL

From SBOM to VEX - Discovering What's in the Box and How Badly it Can Hurt You

Ben Hirschberg (ARMO, IL)

TLP:CLEAR
DE

Black and Blue, or White and Gold? - Minimizing Vulnerability Scoring Discrepancies due to Limited Information (presentation features a virtual speaker)

Michael Schueler (Cisco, DE)

TLP:CLEAR

NVD Symposium

TLP:CLEAR
13:00 – 14:00
US

CISA’s Known Exploited Vulnerabilities (KEV) Catalog

Tod Beardsley (CISA, US); Elizabeth Cardona (CISA)

TLP:CLEAR
US

Panel Discussion - The Risks of Requiring Premature Vulnerability Disclosures

Kathleen Noble (Intel, US); Tanvi Chopra (Venable, US); Rob Spiger (Microsoft, US); Michael Woolslayer (HackerOne, US)

TLP:CLEAR
US

CNA Feedback Session to the CVE Program

Mz Megazone (F5, Inc., US)

TLP:CLEAR
14:00 – 15:00
US

Information Sharing to Mitigate Emerging Vulnerabilities

Joshua Justice, Tyler Curry (Health-ISAC, US)

TLP:CLEAR
US

Elevating Security Standards: Intel's Integration of Common Security Advisory Framework into Tooling Processes and Future Roadmap

Julia DeWeese, Mike Wiles (Intel, US)

TLP:CLEAR
US AU

Panel Discussion: It is a Tale as Old as Time.... a CNA, the NVD, and a CVE Consumer Walk Into a Bar. Hilarity Ensues, Right?

Christopher Robinson (Intel, US); Andrew Pollock (Google Open Source Security Team, AU); Madison Oliver (GitHub, US); Tanya Brewer (NIST, US)

TLP:CLEAR
15:30 – 16:30
US

Reducing Ratio of Reserved But Public CVEs

Shelby Cunningham (GitHub, US)

TLP:CLEAR
US

Firmware Supply Chain Security BoF

Jerry Bryant (Intel, US)

TLP:CLEAR

CANCELLED

TLP:CLEAR
16:30 – 17:00
US

Conference Closing Remarks

Peter Allor (Red Hat, US); Josh Dembling (Intel, US)

TLP:CLEAR
  • KR | TLP:CLEAR

    A Legislation Guide for Keeping pace with Cybersecurity Paradigm Shift toward Vulnerability (presentation features a virtual speaker)

    Recently, the cybersecurity paradigm has been moving toward a proactive response focusing on vulnerability, and as a result, vulnerability treatment is becoming a survival factor for manufacturers or providers of ICT products or services. To keep pace with this shift, in this paper, we suggest how we should improve cybersecurity legislation for enhancing vulnerability treatment. In the first step, we analyze the recent global cybersecurity policies and laws published by the US and the EU as well as the OECD to identify newly introduced cybersecurity requirements for enhancing vulnerability treatment. In the second step, we find the requirements for legal improvement by comparing the previously identified requirements with currently enforced cybersecurity laws. In this paper we apply the second step to the law titled "Act on Promotion of Information and Communications Network Utilization and Information Protection", which is one of the cybersecurity laws in Korea. As a result, we find five requirements for legal improvement: vulnerability reporting and notification, vulnerability remediation, as well as safe harbor, vulnerability disclosure policy, and coordinator designation for implementing coordinated vulnerability disclosure (CVD). Finally, in the third step, we suggest a preliminary draft of a legal improvement proposal based on the analysis and application of domestic and foreign cybersecurity legislative cases regarding the legal improvement requirements found in the previous step.

    Dr. Tae-seung Lee is a chief researcher currently working for KrCERT/CC of KISA, and he has a Ph.D. in computer engineering from SungKyunKwan University (SKKU). He worked as a project leader or researcher at Samsung Electronics for 6 years, and he has worked as a team director or researcher in the areas of Common Criteria (CC), personal information protection, KrCERT/CC, etc. for 22 years at KISA. His current interests are global cybersecurity policies and laws, cybersecurity incident and vulnerability response, zero trust architecture, and software supply chain security.

    March 25, 2024 10:00-10:30

  • US | TLP:CLEAR

    A Roadmap for Your OSS Security Lifecycle Journey to Protect Customers

    As businesses increasingly rely on Open Source Software (OSS) to drive innovation and efficiency, ensuring robust security practices by companies building software and products with software becomes paramount to safeguarding customers. This talk explores the essential components of a mature OSS security practice and provides a comprehensive guide on how businesses can enhance customer protection through effective OSS management. The journey begins with understanding the significance of a mature OSS security practice, followed by a detailed examination of the necessary steps to fortify customer protection. Initiating this journey requires executive support, and we will outline strategies we used in Dell to garner the necessary backing. The importance of Software Bill of Materials (SBOM) in enhancing security inventories, dependencies, incident response and end of life is discussed, shedding light on its role throughout the OSS lifecycle. A focal point of the discussion is the Open Source Security Foundation (OpenSSF) and its offerings to improve security practices in the OSS supply chain. The talk emphasizes that companies of all sizes can benefit from OpenSSF and provides insights into its versatile applications. For those already immersed in the complexities of OSS consumption, we will offer guidance on course correction, highlighting how to rectify bad practices. In essence, the talk serves as a comprehensive roadmap for businesses to navigate their OSS security journey, ensuring they source the right OSS, stay vigilant to security concerns, and remain up-to-date with the latest secure versions, all in the pursuit of best protecting their customers.

    Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader, currently serving as the Senior Director of Product & Application Security at Dell Technologies. With an impressive track record spanning over two decades in enterprise-class engineering and leadership, and as a major contributor to the FIRST PSIRT Services Framework she has earned her reputation as a trailblazer in the field of security and vulnerability management. In her current role she oversees Dell's Product Security Incident Response Team (PSIRT), Bug Bounty Program, SBOM initiative, Dependency Management, and Security Champion and Training Programs. With over a decade of PSIRT leadership including running programs at NVIDIA and IBM, she is a sought-after speaker at top tech events like FIRST, BSides, BSIMM, DerbyCon, DEF CON, and ISACA.

    Outside of her professional life, Lisa enjoys quality time with her three children and participates in cybersecurity podcasts like the Security Unhappy Hour. Dr. Lisa Bradley's unwavering dedication to cybersecurity and her extensive industry experience make her a leading figure in the ever-evolving landscape of technology and cyber defense, fostering trust and innovation.

    Sarah Evans is a security innovation researcher at Dell Technologies, on the Product and Operations Global CTO Research & Development team. She leverages diverse experiences in cybersecurity, IT, defense, business, education and fine arts to research innovation to improve security by design in emerging technologies. A primary research effort at Dell has been in Zero Trust security, and how/where innovation is needed to help accelerate organization’s adoption of Zero Trust tenets. Improving the secure use of open source software in software supply chains is an important component of Zero Trust security. Prior to Dell, Sarah has had roles at Wells Fargo, the US Air Force, a regional midwest construction company, and as computer information systems faculty at Missouri State University. Sarah also contributes to OpenSSF to help secure the open source software supply chain through efforts as: a Governing Board observer, Governance Committee member, Technical Advisory Council (TAC) member, the Security Tooling SIG co-chair and the Metrics API co-chair. Sarah is based in Denver, Colorado.

    March 25, 2024 14:00-15:00

  • US | TLP:CLEAR

    Adventures in Vulnerability Coordination

    Have you ever wondered what it is like to step into the shoes of a vulnerability coordinator for CISA? In this immersive talk, participants will be able to help guide the decisions of coordinating a pre-disclosure vulnerability prior to public disclosure! The purpose of this talk is to train an audience that might not fully grasp all of the essential steps involved in the transformation when exploit code turns into CVE identifiers, and to offer tools to those that might be more familiar with the process.

    March 26, 2024 11:00-12:00

  • DE | TLP:CLEAR

    Black and Blue, or White and Gold? - Minimizing Vulnerability Scoring Discrepancies due to Limited Information (presentation features a virtual speaker)

    It is well-known that the team behind the US National Vulnerability Database (NVD) reviews vendor security advisories to confirm or - if deemed necessary - re-score product security vulnerabilities.

    Based on feedback the Cisco PSIRT received via the NVD CVMAP Program, we compared the NVD scores to our PSIRT calculated scores for 80 security vulnerabilities Cisco disclosed between May and November 2023. We identified a set of reasons why NVD's and our PSIRT's scores could differ.

    This talk will discuss the differences we found, the causes of those discrepancies, and the actions Cisco is taking to ensure NVD's and our PSIRT's scores are better aligned - so our common customers will benefit from the most consistent and accurate scores upon which to base their security risk and vulnerability management decisions.

    Michael Schueler is a senior Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). With over 16 years of industry experience, he currently focuses on vulnerability management and disclosure and Cisco product forensics. Prior to this he was working as a Customer Support Engineer at the Cisco EMEA TAC, solving highly complex customer issues in technologies ranging from firewalls, VPN, and IDS/IPS over load-balancing and WAN optimization to data center switching. Michael holds an M.Sc.-level degree in computer science (Dipl.-Inform.) from RWTH Aachen University, Germany. He is also CCIE Security #23835, CISSP #685496, and GCIH.

    March 27, 2024 11:00-12:00

    MD5: 086dbc3c138548f0c59efd840d2d24fe

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.13 Mb

  • US | TLP:CLEAR

    Building a Better Database: How GitHub Structures Their Advisory Database to Drive Developer Outcomes

    Great effort is often expended managing vulnerability disclosure, from ensuring disclosure is done responsibly to coordinating with software maintainers. Less effort has been spent ensuring that advisories make it to the parties actually using the vulnerable software. At GitHub, we maintain a database with the primary goal of enabling automated vulnerability alerting and remediation tools like Dependabot. We structure our database such that all advisories clearly apply to software that developers use, and we make it easy to get advisories delivered with high precision. The maintenance of the GitHub advisory database reduces noise in developer workflows and enables better experiences that result in more secure software. Come join to hear about tradeoffs, design goals, key insights, and about how GitHub thinks about the pipeline from advisory publication to alert consumption.

    Jon Moroney (darakian) is a security analyst at GitHub working in the Security Lab. He is primarily concerned with designing and maintaining the advisory database with the goal that GitHub users have the best experience possible with security alerts.

    March 25, 2024 14:30-15:00

    MD5: 2773ad069fb6af8b5adcc7501142d667

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 33.7 Mb

  • TLP:CLEAR

    CANCELLED

    Artificial Intelligence is rapidly changing in software codebases, product features, and other business processes. This includes high risk applications such as human resources, finance, government, insurance and healthcare. Especially in these areas, reliable quantification of AI risk needs to be measured, understood, and made actionable for mitigation and recourse. In this talk, we survey how AI risks are currently measured in the AI vulnerability landscape. We review some recent developments to catalog and categorize this risk, and share opportunities to index across public information on AI vulnerabilities. We compare these beginning efforts to more established reporting, disclosure and remediation practices of traditional cybersecurity. Finally, this talk ends with open opportunities for the security community to support public efforts of AI vulnerability disclosures and risk assessments.

    March 27, 2024 15:30-16:30

  • US | TLP:CLEAR

    China's New Vuln System

    In this wide-ranging talk, Dakota will detail the PRC's comprehensive vulnerability collection systems, its rules and regulations, connections to the security services, and its potential for abuse. This paper covers China's system before the 2021 Regulations on the Management of Software Vulnerabilities, detailing the requirements for the intelligence services' own vulnerability database; then the paper covers the new post-2021 regulation system. The authors cover new databases, known participants, new vulnerability tagging schema, and connections between the new systems and the security services. Attendees will leave with a thorough understanding of China's government-run vulnerability databases, regulations, and systems.

    Dakota Cary is a nonresident fellow at the Atlantic Council’s Global China Hub and a strategic advisory consultant at SentinelOne. His research focuses on China’s efforts to develop its hacking capabilities. He has been featured and quoted on his expertise in a variety of outlets, including the Economist, MIT Technology Review, Associated Press, Financial Times, and Wired. Cary has also testified before the US-China Economic and Security Review Commission.

    March 26, 2024 14:00-15:00

  • US | TLP:CLEAR

    CISA’s Known Exploited Vulnerabilities (KEV) Catalog

    Join Tod Beardsley and Elizabeth Cardona, two experts on CISA’s Known Vulnerabilities and Exposures catalogue, or KEV, as they discuss the ins and outs of what KEV is, and perhaps equally illuminating, what it isn’t. Liz and Tod are both hands-on vulnerability analysts who are directly responsible for the KEV, so you won’t get any obfuscated double-speak platitudes here; this talk will most definitely delve into the technical details of what makes KEV tick. Perhaps most importantly, attendees will learn how they can help defend America’s cyber infrastructure by contributing to the KEV.

    Elizabeth Cardona is a vulnerability analyst in the Cybersecurity and Infrastructure Security Agency. Working within the Cybersecurity Division's Vulnerability Management Office, she specializes in vulnerability analysis. Elizabeth has helped implement the Stakeholder Specific Vulnerability Categorization (SSVC) and the Known Exploited Vulnerability Catalog (KEV) in CISA. As a former dentist and healthcare provider, Elizabeth has a unique perspective on cybersecurity connecting the human aspect and technology.

    Tod Beardsley is employed at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government. He's also a founder and CNA point of contact for AHA!. He spends most of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and hosted the Security Nation podcast. He is also a Travis County Election Judge in Texas, and is an internationally-tolerated horror fiction expert.

    March 27, 2024 13:00-14:00

  • IN | TLP:CLEAR

    CNA Challenges From a National CERT Perspective

    Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to cyber security incidents in India. CERT-In is also an authorized CVE Numbering Authority (CNA) to assign CVE IDs to vulnerabilities under the CVE program. CERT-In carries out responsible vulnerability disclosure and coordination activity for reported vulnerabilities in accordance with CERT-In’s Responsible Vulnerability Disclosure and Coordination policy. This presentation will provide insights on the challenges faced by CERT-In, operating as both a CVE Numbering Authority (CNA) and as a National Computer Emergency Response Team (CERT).

    The presentation will throw light on the challenges in taking responsible decisions as a National CERT and also as a CNA by taking all potential adverse impacts into account. The dual role requires constant coordination with vulnerability reporters, urging patience and allowing sufficient time for affected entities to patch vulnerabilities. The advantages of a national CERT being a CNA can help in expedited dissemination of vulnerabilities to all the stakeholders. This presentation explores the intricate coordination required between National CERTs, researchers, and OEMs to effectively manage and disclose vulnerabilities in a coordinated manner.

    The risk of premature public disclosure by researchers, particularly when OEMs or vendors are unresponsive or exhibit delayed responses, poses a significant concern. Additionally, the reluctance of OEMs/vendors to confirm vulnerabilities, often influenced by National CERT's national stature, further complicates matters. The presentation will also touch upon the criticisms, strategic implications that a national CERT can face due to some decisions.

    Mohd Akram Khan has over 16 years of experience at the national Computer Emergency Response Team of India (CERT-In). He currently oversees Responsible Vulnerability Coordination and CVE Numbering Authority activities at CERT-In. His area of expertise spans incident response, threat and breach investigation, insider threat management, cybersecurity situational awareness, security operations centre and responsible vulnerability coordination. He commits himself to support and provide diligent and competent cyber security services to the entire constituency of CERT-In.

    Seema Khanum is a valued member of the Coordinated Vulnerability Disclosure (CVD) team at CERT-In and an active participant in CNA/CVE activities. Her extensive background includes expertise in cybersecurity incident response, network security, and vulnerability exploitation. Seema’s primary focus lies in vulnerability coordination, and she is keen on devising effective mechanisms for coordinating OEMs and researchers in vulnerability disclosure and management. Additionally, she has delivered numerous technical lectures on various cybersecurity topics at awareness programs organised to promote cyber awareness among women.

    March 27, 2024 10:00-10:30

    MD5: 6abe22e4daac1d1c2d41823286a99d25

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.36 Mb

  • US | TLP:CLEAR

    CNA Feedback Session to the CVE Program

    MegaZone (yes, that's his name, call him MZ) has been with F5, Inc. since 2010, and the F5 SIRT (Security Incident Response Team) since 2016, where he is currently a Principal Security Engineer. Prior to F5 he did time at Xylogics, Livingston Enterprises, Lucent, GTE Internetworking (BBN), Sling Media, and a few others, after graduating from WPI in 1994. Outside of work he collects whisk(e)y, enjoys travel with his wife (often Disney-related), and volunteers to help a local non-profit in their small Massachusetts town with their tech issues.

    MegaZone has been involved with the CVE program since F5 joined as a CNA in 2016 and has taken an increasingly active role over time, eventually running out of working groups to join. He is currently representing the CNA community in the AWG, CNACWG, OCWG, SPWG, TWG, QWG, and VECWG, including being a co-chair of the last two. He is honored to further represent the CNA community before the CVE Board in his new role as CNA Liaison.

    March 27, 2024 13:00-14:00

  • US | TLP:CLEAR

    Conference Closing Remarks

    Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat’s secure development and incident response programs at Red Hat and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.

    Prior roles include Senior Director for security at Honeywell, Cybersecurity Strategist at BIM, and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS for working National Infrastructure Advisory Council (NIAC) problem sets and assisted in forming the Information Technology - Sector Coordinating Council (IT-SCC), to which he recently returned as an Executive Committee member and Treasurer. As the former Operations Center Director, he ran the Information Technology - Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

    Peter is a Member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security.

    Peter is a retired Lieutenant Colonel from the US Army. He has a Master's degree from the University of Phoenix, a BS in Business Administration from Rollins College, and is a Graduate of the US Army Command & General Staff College.

    March 27, 2024 16:30-17:00

    MD5: 1841fb7b3d97c0af14d6ef858ed32ce0

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 907.64 Kb

  • US | TLP:CLEAR

    Crossing the Streams - How Downstream Can Understand Upstream Vulns

    Downstream consumers of open source software can face many challenges when it comes to addressing security vulnerabilities. Upstream open source projects are in constant motion, and they do not operate like a commercial vendor. The incentives and motivations of upstream developers are not always in alignment with the much larger potential pool of downstream consumers. Many times consumers may not even know of the free and open source code and libraries that got baked into a commercial tool they paid for. Oftentimes the only time a consumer discovers they are affected by some vulnerable open source software is during some high-profile media event, which can complicate managing their risk and remediating any known issues.

    In this talk we will discuss how upstream OSS developers and maintainers work, how they are informed about bugs, and how they address those issues. Downstream consumers can benefit from a better understanding of how the upstream communities that create the software they use operate, where they communicate, and ultimately how downstream can stay informed to react when the next vulnerability is publicly disclosed.

    Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.

    Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).

    March 25, 2024 13:00-14:00

  • US | TLP:CLEAR

    CSAF/VEX: Improved Security Data

    Security data is a central source of truth for Red Hat customers and consumers as a definitive product guide regarding published, known vulnerabilities and exploits. The availability of accurate information in security data can help provide the correct risk assessment process in customers' vulnerability management programs, which further helps with vulnerability patching prioritization.

    In this talk we will focus on both technical and non-technical aspects of vulnerability management based on the new Red Hat Product Security data and its correlation to the official Red Hat SBOMs for Red Hat's products. We will also discuss how CSAF and VEX data are used within SDL (Security Development Lifecycle) practices, and we will show the implications of using incorrect security data and the consequences visible in security scanning results.

    Key topics to be covered in this session include:

    • Why is publishing machine-readable security metadata so important?
    • Why CSAF and VEX?
    • Red Hat's CSAF/VEX implementation
    • CSAF/VEX data and products support model correlation
    • Benefits of the relationship between CSAF/VEX and SBOM
    • How CSAF/VEX data is correlated to the SDL phase and whole product lifecycle
    • Challenges and future improvements

    This talk is designed for PSIRT members and all security professionals who work on the vulnerability management processes.

    Martin Prpic is a Principal Security Engineer at Red Hat. He is an active participant in the CVE Project's Automation Working Group, the CSAF Technical Committee, and the OpenEoX Technical Committee. Martin's main focus is on designing systems that enable automated vulnerability response, support publishing of accurate security data, and improve the security posture of software supply chains.

    March 26, 2024 14:00-15:00

    MD5: 1bcf7126d06ce472c851331ae34069a7

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 687.13 Kb

  • US TLP:CLEAR

    CVE Is The Worst Vulnerability Framework (Except For All The Others)

    The comparatively organized and accessible nature of CVE data makes it a tempting target for data analysis. In particular, recent work has leveraged CVE data to predict the total volume of future CVEs (Vuln4Cast), their likelihood of exploitation (EPSS), or to identify overarching trends in the evolution of attacker and defender dynamics. Unfortunately, these studies often approach CVE as if it were a consistent, objective data collection process, which is demonstrably not the case. Any attempt to use CVEs for data analysis requires knowledge of their inconsistencies and correspondingly appropriate methods.

    In this talk we’ll explore 25 years of vulnerability disclosures via the CVE process and related frameworks. We’ll show that technical and procedural changes to the CVE, CWE, OWASP, and CVSS frameworks have altered the trajectory of vulnerability reporting and data. In particular we’ll highlight four ways vulnerability data can be inconsistent and lead to false conclusions: announced changes to frameworks, unannounced, unlogged changes, abuse of processes/frameworks (both unintentionally and maliciously), and differing incentives for assessing and reporting CVEs. For each of these we’ll give real world examples of their occurrence and how they manifest in the data.

    We’ll then demonstrate modeling techniques that can approximate both the timing and the magnitude of technical and procedural changes that impact data, using two regression techniques, segmented regression and generalized additive models. For example, using these methods, we find significant shifts in popularity of CWEs and content of vulnerability descriptions over time. We will conclude with both tactical and strategic observations about analyzing vulnerabilities.

    Dr. Benjamin Edwards is a principal research scientist working at Bitsight. An expert in ML and statistics, Ben synthesizes security data into actionable insights. He has led research on a wide variety of security topics including vulnerability management, application security, human risk, next-gen SIEM, nation-state cybersecurity policy, and the security of ML models. He is an active member of the security community, contributing to open standards efforts including both EPSS and CVSS v4. His work has been published in leading industry and academic venues.

    Sander Vinberg is a Security Research Manager at Bitsight. He was formerly a threat researcher at F5, where he led several of F5 Labs' threat intelligence projects, including F5 Labs' participation as data partners in the Exploit Prediction Scoring System (EPSS). He lives in rural Washington State.

    March 25, 2024 15:30-16:30

  • US TLP:CLEAR

    CVSS SIG Past, Present & Future + CVSS v4.0 Beyond the Numbers: Improving Qualitative Aspects of Vulnerability Disclosure

    CVSS SIG Past, Present & Future:

    With the recent release of the CVSS v4.0 standard, there continues to be a lot of activity in the FIRST CVSS SIG. This presentation gives an overview of the recent CVSS SIG past, our present ongoing work, and future considerations for CVSS. Attendees are encouraged to come with questions and feedback about their own organizations' use of CVSS, and how the standard and the accompanying documentation can be improved for use by everyone in the vulnerability management community.

    CVSS v4.0 Beyond the Numbers:

    CVSS numeric scores are simple and lack the context needed to guide vulnerability management. Sometimes we should care twice as much about a 5 as about a 10!

    This presentation discusses the new aspects of the CVSS v4.0 standard that give context to the resulting score: the supplemental metrics, new in CVSS version 4.0, that provide additional details describing a vulnerability without changing the numeric score; the reconfigured vulnerable-system and subsequent-system impact metrics, which give more granular impact ratings; and other new and changed metrics that add detail to each assessment. Examples of how score providers and consumers can use these new metrics are included along the way.

    Nick Leali works as an Incident Manager with Cisco PSIRT and serves on the FIRST CVSS SIG, most recently working on the CVSS v4 Examples document.

    March 25, 2024 13:00-14:30

    MD5: 03c781723dc87a1c5ad0d1301f68239e

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 532.44 Kb

    MD5: 441bff9132001d92e100c562350ed25b

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.08 Mb

  • US TLP:CLEAR

    Daily Updates & Announcements

    Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat's secure development and incident response programs and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.

    Prior roles include Senior Director for Security at Honeywell, Cybersecurity Strategist at BIM, and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS, working National Infrastructure Advisory Council (NIAC) problem sets, and assisted in forming the Information Technology Sector Coordinating Council (IT-SCC), where he recently returned to the Executive Committee as Treasurer. As the former Operations Center Director, he ran the Information Technology Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

    Peter is a member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the public and private sectors to work collaboratively on cybersecurity.

    Peter is a retired Lieutenant Colonel in the US Army. He holds a Master's degree from the University of Phoenix and a BS in Business Administration from Rollins College, and is a graduate of the US Army Command & General Staff College.

    March 26, 2024 08:30-09:00

  • US TLP:CLEAR

    Day 1: Wrap Up & Lessons Learned

    Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat's secure development and incident response programs and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.

    Prior roles include Senior Director for Security at Honeywell, Cybersecurity Strategist at BIM, and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS, working National Infrastructure Advisory Council (NIAC) problem sets, and assisted in forming the Information Technology Sector Coordinating Council (IT-SCC), where he recently returned to the Executive Committee as Treasurer. As the former Operations Center Director, he ran the Information Technology Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

    Peter is a member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the public and private sectors to work collaboratively on cybersecurity.

    Peter is a retired Lieutenant Colonel in the US Army. He holds a Master's degree from the University of Phoenix and a BS in Business Administration from Rollins College, and is a graduate of the US Army Command & General Staff College.

    March 25, 2024 16:30-17:00

  • US TLP:CLEAR

    Day 2: Wrap Up & Lessons Learned

    Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat's secure development and incident response programs and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.

    Prior roles include Senior Director for Security at Honeywell, Cybersecurity Strategist at BIM, and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS, working National Infrastructure Advisory Council (NIAC) problem sets, and assisted in forming the Information Technology Sector Coordinating Council (IT-SCC), where he recently returned to the Executive Committee as Treasurer. As the former Operations Center Director, he ran the Information Technology Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

    Peter is a member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the public and private sectors to work collaboratively on cybersecurity.

    Peter is a retired Lieutenant Colonel in the US Army. He holds a Master's degree from the University of Phoenix and a BS in Business Administration from Rollins College, and is a graduate of the US Army Command & General Staff College.

    March 26, 2024 16:30-17:00

  • MX TLP:CLEAR

    Democratizing Exploitability Data with OpenVEX

    For a long time, security scanners and databases have joined forces to have the last word in alerting software users to vulnerabilities. By pairing components with the vulnerability disclosures tracked in advisories and databases, scanners produce results that err on the "safe side": noisy results that include false positives derived from that simple matching.

    Scanners need the familiarity that maintainers have with their own projects. When a new vulnerability is discovered in a component, maintainers are best positioned to know its real impact on a software project; they can issue the best mitigation guidance, or keep things quiet if their users are safe from it.

    Using VEX (Vulnerability Exploitability Exchange), publishing data about the impact of a vulnerability on a specific piece of software can be moved upstream to maintainers. The OpenVEX project (part of the OpenSSF's Vulnerability Disclosures WG) has been working on tooling for software projects and building adoption in major security scanners to enable an end-to-end VEX flow.

    During this talk we will look at how VEX documents and statements form a VEX history, techniques for pairing SBOMs with VEX, how software projects can kick off their VEX feed, and how its data can be used in security scanners to suppress false positives and enrich results.

    Adolfo García Veytia (@puerco) is a staff software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads. He specializes in improvements to the software that drives the automation behind the Kubernetes release process. He is also the creator of the OpenVEX and protobom projects currently incubating in the OpenSSF sandbox. Adolfo is passionate about writing software with friends, helping new contributors, and amplifying the Latinx presence in the Cloud Native community.

    March 26, 2024 11:00-12:00
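As an added illustration of the end-to-end VEX flow the OpenVEX talk above describes (example code written for this page, not code from the OpenVEX project or the speaker), the Python below builds a VEX history from a constructed OpenVEX document, pairs it with a constructed SBOM component list, and decides which scanner findings the VEX data may suppress. All package URLs, CVE identifiers and timestamps are placeholders; the field names follow the OpenVEX JSON document format.

```python
"""Constructed example: triage scanner findings against an OpenVEX document.
All identifiers (purls, CVE ids, timestamps) are made up; not OpenVEX code."""
import json
from datetime import datetime

# Components listed in a (constructed) SBOM, identified by package URL.
SBOM_PURLS = {
    "pkg:golang/example.com/app@1.4.0",
    "pkg:golang/example.com/lib/parser@0.9.1",
}

# Constructed OpenVEX document. Two statements cover the same
# (vulnerability, product) pair; the newer one supersedes the older one.
OPENVEX_DOC = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.com/vex/2024-03-26-01",  # constructed id
    "author": "example.com maintainers",
    "timestamp": "2024-03-26T10:00:00Z",
    "version": 2,
    "statements": [
        {   # first look: analysis still open
            "vulnerability": {"name": "CVE-0000-00001"},  # placeholder id
            "products": [{"@id": "pkg:golang/example.com/lib/parser@0.9.1"}],
            "status": "under_investigation",
            "timestamp": "2024-03-25T09:00:00Z",
        },
        {   # later conclusion: the vulnerable function is never reached
            "vulnerability": {"name": "CVE-0000-00001"},
            "products": [{"@id": "pkg:golang/example.com/lib/parser@0.9.1"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
            "timestamp": "2024-03-26T10:00:00Z",
        },
        {   # genuinely affected; maintainers say what to do
            "vulnerability": {"name": "CVE-0000-00002"},
            "products": [{"@id": "pkg:golang/example.com/app@1.4.0"}],
            "status": "affected",
            "action_statement": "Upgrade to 1.4.1 or disable the import endpoint.",
        },
        {   # not_affected with no justification: must not silence a finding
            "vulnerability": {"name": "CVE-0000-00003"},
            "products": [{"@id": "pkg:golang/example.com/app@1.4.0"}],
            "status": "not_affected",
        },
    ],
})

# Raw scanner output from naive component/advisory matching: (purl, vuln id).
SCANNER_FINDINGS = [
    ("pkg:golang/example.com/lib/parser@0.9.1", "CVE-0000-00001"),
    ("pkg:golang/example.com/app@1.4.0", "CVE-0000-00002"),
    ("pkg:golang/example.com/app@1.4.0", "CVE-0000-00003"),
    ("pkg:golang/example.com/app@1.4.0", "CVE-0000-00004"),  # no VEX statement
]

SUPPRESSING_STATUSES = {"not_affected", "fixed"}


def _parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def effective_statements(vex_json, sbom_purls):
    """VEX history: for each (product, vuln) keep only the newest statement.
    Products absent from the SBOM are skipped (the SBOM/VEX pairing step);
    statements without a timestamp inherit the document timestamp."""
    doc = json.loads(vex_json)
    doc_ts = _parse_ts(doc["timestamp"])
    latest = {}
    for stmt in doc.get("statements", []):
        ts = _parse_ts(stmt["timestamp"]) if "timestamp" in stmt else doc_ts
        vuln = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            key = (product["@id"], vuln)
            if key[0] in sbom_purls and (key not in latest or ts >= latest[key][0]):
                latest[key] = (ts, stmt)
    return {key: stmt for key, (_, stmt) in latest.items()}


def triage(findings, vex_json, sbom_purls):
    """Map each finding to (status, 'suppress' | 'report').
    Only not_affected/fixed suppress, and not_affected is honoured only with
    the justification or impact_statement that OpenVEX requires for it."""
    history = effective_statements(vex_json, sbom_purls)
    results = {}
    for purl, vuln in findings:
        stmt = history.get((purl, vuln))
        if stmt is None:
            results[(purl, vuln)] = ("no_vex_statement", "report")
        elif stmt["status"] == "not_affected" and not (
                "justification" in stmt or "impact_statement" in stmt):
            results[(purl, vuln)] = ("not_affected_unjustified", "report")
        elif stmt["status"] in SUPPRESSING_STATUSES:
            results[(purl, vuln)] = (stmt["status"], "suppress")
        else:
            results[(purl, vuln)] = (stmt["status"], "report")
    return results
```

Run `triage(SCANNER_FINDINGS, OPENVEX_DOC, SBOM_PURLS)` to see that only the justified, most recent not_affected statement suppresses a finding, while the affected, unjustified and uncovered findings are all still reported.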

  • FR US TLP:CLEAR

    Effective Vulnerability Management for Over 400 Projects at the Eclipse Foundation (presentation features a virtual speaker)

    The Eclipse Foundation has over 20 working groups and more than 400 projects. Until recently, each project had its own, often ad hoc, approach to vulnerability management. This was painful for everyone involved in the process. Security researchers had to manually figure out where to report vulnerabilities; reports were stored in many different ways, and every project had its own approach. Learn how the Eclipse Foundation Security Team is creating a set of common practices and solutions to make every aspect of the process secure and effective at scale.

    Marta Rybczynska has a network security background and 20 years of experience in Open Source. She has worked with embedded operating systems such as Linux and various real-time ones, with system libraries and frameworks, and up to user interfaces. In recent years she has worked in Open Source security, setting up best practices and processes. She is currently helping the Eclipse Foundation as a Technical Program Manager for the Security Team, where she manages the vulnerability reporting process.

    Michael Winser is a 40-year veteran of the software industry, with over 25 of those years at Google and Microsoft. Michael has extensive experience in software supply chain security, software development practices, and developer ecosystems. He works with the Eclipse Foundation Security Team as a Security Strategy Ambassador. He is also the co-founder of, and strategist for, the Alpha-Omega project, and advises various corporations and open source organizations on software supply chain security.

    March 26, 2024 14:30-15:00

  • US TLP:CLEAR

    Elevating Security Standards: Intel's Integration of Common Security Advisory Framework into Tooling Processes and Future Roadmap

    Uncover the intricacies of Intel Corp's cybersecurity evolution by exploring how they adopted and seamlessly integrated the Common Security Advisory Framework (CSAF) into their tooling processes. Gain insights into the iterative steps taken, the challenges overcome, and a glimpse into the future as Intel continues to innovate, setting the stage for enhanced security practices in the ever-evolving digital landscape.

    Julia DeWeese is a Security Researcher/PSIRT Engineer at Intel Corporation, specializing in software vulnerabilities and data tooling. Julia is passionate about vulnerability disclosure and transparency within the industry to protect end users. Prior to Intel, she worked in the threat intelligence space with a focus on malware and ransomware analysis. She has done extensive security research within the public and private sectors.

    Mike Wiles is a member of Intel's PSIRT organization, specializing in tooling and process support to ensure effective and efficient incident response and security measures.

    March 27, 2024 14:00-15:00

  • US TLP:CLEAR

    EPSS: Challenges and Opportunities Going Forward + EPSS AMA

    The Exploit Prediction Scoring System (EPSS) is a growing standard that estimates the probability that any known vulnerability will be exploited in the next 30 days. The SIG has quickly expanded to over 400 members in just a few short years. And with this accelerated adoption, there have emerged both challenges and opportunities.

    In this talk, we will discuss the challenges that come with maintaining an evolving SIG, along with growing scrutiny and user expectations. We will also discuss the many opportunities that lie ahead with regard to the model and data, novel uses of these data, and opportunities to help explain attacker behavior. We will also provide a quick view into some of our current exploitation findings and trends.

    Jay Jacobs is the Chief Data Scientist at Cyentia Institute, the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST.

    Sasha Romanosky, PhD, researches topics on the economics of security and privacy, cyber crime, cyber insurance, and national security. He is a Senior Policy Researcher at the RAND Corporation, a faculty member of the Pardee RAND Graduate School, and an affiliated faculty member in the Program on Economics & Privacy at the Antonin Scalia Law School, George Mason University. Sasha was a security professional for over 10 years in the financial and e-commerce industries, and is one of the original authors of the Common Vulnerability Scoring System (CVSS) and co-creator of the Exploit Prediction Scoring System (EPSS), an emerging standard for estimating the probability of a vulnerability being exploited in the wild. Sasha is a former Cyber Policy Advisor in the Office of the Secretary of Defense for Policy (OSDP) at the Pentagon, where he oversaw the Defense Department's Vulnerability Equities Process (VEP), the Vulnerability Disclosure Program (VDP), and other cyber policy matters. Sasha is also an appointed member of DHS's Data Privacy and Integrity Advisory Committee (DPIAC), which advises the Secretary of Homeland Security and DHS's Chief Privacy Officer on policy, operational, and technology issues.

    March 26, 2024 13:00-14:30

  • DE TLP:CLEAR

    Finding, Managing, Preventing Vulnerabilities: An Automotive Perspective (presentation features virtual speakers)

    As the automotive industry undergoes a paradigm shift towards software-defined vehicles, the imperative for robust software security becomes obvious. This talk explores the nuanced landscape of identifying, managing, and preventing vulnerabilities from the perspective of an OEM software company.

    Starting with an exploration of the escalating role of software in modern vehicles, the talk illuminates the complex software ecosystems that underpin contemporary automobiles. A thorough analysis follows, unraveling the primary sources of vulnerabilities and their potential ramifications on vehicle safety and security.

    Central to the discussion is the challenge of handling vulnerabilities within the complex supply chains inherent to the automotive industry. The talk elucidates the difficulties in navigating this multifaceted network of suppliers, emphasizing the necessity for collaborative approaches and effective risk management strategies.

    We detail best practices for developing automotive software along the software development life cycle, together with the various regulatory requirements. In particular, we highlight the significance of SBOMs in fostering transparency and traceability across the supply chain, and how SBOMs can fortify cybersecurity measures by providing a comprehensive understanding of the software components integrated into automotive systems.

    Looking forward, the presentation anticipates future challenges and outlines viable solutions confronting the automotive industry, including crypto agility and the incorporation of cryptographic bills of materials (CBOMs).

    Mr. Andreas Weichslgartner is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department.

    Since joining the Volkswagen Group in 2017, he has been developing an embedded intrusion detection system, evaluating security testing technologies, managing vulnerabilities, enabling crypto agility, and working with machine learning in the area of security.

    Before, he had been a researcher at the Department of Computer Science, Friedrich-Alexander University Erlangen-Nürnberg (FAU), Germany, from 2010 to 2017. He received his diploma degree (Dipl.-Ing.) in Information and Communication Technology and his Ph.D. (Dr.-Ing.) in Computer Science from the FAU, Germany, in 2010 and 2017, respectively.

    Mr. Joyabrata Ghosh is presently working as a Connectivity products security owner at CARIAD SE. Before that, he was the security and legal technical manager for the Elektrobit Automotive Linux platform for the series production of several automotive OEMs. He started his automotive journey with Direct HMI development for the BMW ID7 platform. Over a decade ago, his development journey began in the embedded and telecom security domains across many OEMs. He supports the EO-14028 CISA SBOM working groups and contributed to the publications Types of SBOM and Minimum Requirements for VEX. He contributes to nvd@nist.gov and cpe_dictionary@nist.gov for open-source triage. He was co-presenter of Cybersecurity Expectations in Automotive World, 2021, in the ELISA Linux safety workgroup. He is also an open-source enthusiast. He holds a Master's degree in Computer Science from the Illinois Institute of Technology and a BS in Computer Science from RCCIIT.

    Mr. Vineeth Bharadwaj Prasanna is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department.

    Vineeth joined the Volkswagen Group in 2018 as a security engineer for Audi AG. Since 2020, he has been a member of the offensive security team and has also been working on building up the vulnerability management system and on end-to-end security engineering for the China GB-T homologation project for the new PPE/PPC platform for the new Audi and Porsche cars at CARIAD SE.

    Vineeth received his Master's degree in Simulation Science from RWTH Aachen University in 2019, with a special focus on optimization and artificial intelligence.

    March 26, 2024 13:00-14:00

    MD5: 0e60f8191e306e00aeed4d86fdd15096

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.2 Mb

  • US TLP:CLEAR

    Firmware Supply Chain Security BoF

    Today's attackers are moving towards persistence by targeting lower levels of software, such as firmware, to gain an invisible foothold in enterprises. Newer malware such as BlackLotus has demonstrated targeting firmware for this purpose. Vulnerabilities that involve multiple vendors and a whole ecosystem, such as UEFI, are also likely to rise. In 2023, the Cybersecurity & Infrastructure Security Agency (CISA) issued a specific call to action to bolster UEFI cybersecurity, calling out the need for vendors to improve cybersecurity, mature their security teams, and operationalize security by design.

    In this Birds of a Feather discussion, let’s look at this growing threat against UEFI and other firmware and the challenges in coordinating updates across the industry as well as some of the efficiency problems in getting updates to end customers. Are we positioned to tackle these problems as an industry before potential government regulations force us to? Do we need a more proactive approach to addressing issues in the supply chain? Updates can take over a year to make their way through the supply chain to the end customer. Let’s discuss the problems and what we, as an industry, can do to improve.

    Jerry Bryant is the Director of Security Communications for the Intel Product Assurance and Security team (IPAS). Before joining Intel in 2019, he worked in the Microsoft Security Response Center where he was involved in almost every major security/product vulnerability incident since 2001. Jerry is a co-author of the PSIRT Services Framework and of the PSIRT Maturity Profiles companion document. He is also the producer of the PSIRT Services Framework video training hosted by FIRST.

    March 27, 2024 15:30-16:30

  • IL TLP:CLEAR

    From SBOM to VEX - Discovering What's in the Box and How Badly it Can Hurt You

    Vulnerability Exploitability eXchange (VEX) documents have emerged as a manifest of the vulnerabilities of a software product, aligned with the concept of the Software Bill of Materials (SBOM), and serve as a standardized way for software producers to communicate the exploitability of known vulnerabilities within their products. The adoption and support of VEX documents represent a major shift in cloud native security, designed to help determine which vulnerabilities require immediate attention and remediation. Yet the widespread adoption of VEX faces a fundamental obstacle: the sourcing of reliable and accurate VEX documents.

    Enter the CNCF and OSS projects that have made significant progress in generating reliable VEX documents by using eBPF technology, which automatically categorizes vulnerabilities by priority and enables loading into other popular OSS projects such as Trivy or Grype that support OpenVEX. Come to this session to learn how to get started with VEX immediately.

    Ben Hirschberg is a veteran cybersecurity and DevOps professional, as well as a computer science lecturer. Today, he is CTO and co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced information security academically in both undergraduate and graduate courses. In his previous capacities, he has been a security researcher and architect, pen-tester and lead developer at Cisco, NDS and Siemens.

    March 27, 2024 11:00-12:00

    MD5: d8e606b556c02745360ae1b8ab7ebb71

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 3.86 Mb

  • US TLP:CLEAR

    Information Sharing to Mitigate Emerging Vulnerabilities

    Join us for an engaging discussion of how our team delivered over 1,000 emerging vulnerability exposure alerts during 2023 and how communities can improve their overall security posture by sharing information.

    Sharing information on emerging vulnerabilities and mitigations to prevent a threat actor from gaining access to your environment protects critical infrastructure and benefits other organizations seeking to deliver care.

    The importance of sharing insight and best practices for mitigating vulnerabilities exploited by threat actors will be illustrated with various recent technology vulnerabilities including the actively exploited Ivanti Connect Secure and Policy Secure Gateway bugs as well as the actively exploited Cisco IOS XE bug.

    These insights are aggregated, shared and presented quarterly for awareness.

    March 27, 2024 14:00-15:00

  • IT ES TLP:CLEAR

    Nestlé Unified Vulnerability Management Approach

    Nestlé and similar organizations encounter numerous challenges in Vulnerability Management. These include managing large and diverse environments, accommodating various technologies with distinct requirements, navigating complex ownership structures, coordinating multiple security teams and tools, and adapting to constant change. To address these challenges, my team and I have made it our mission to create a comprehensive platform that integrates the most practical approaches for each specific environment. By doing so, we aim to increase automation, enhance situational awareness, and unlock a multitude of use cases and reporting capabilities.

    In addition to consolidating results from different traditional vulnerability scanning tools and penetration tests, we recognize the importance of analyzing vulnerabilities that are disclosed by vendors but may not be detected by scanners.

    We have implemented a crucial activity that involves automatically categorizing non-critical vulnerabilities and communicating them to the respective patching teams, aligning with their specific patching schedules. For critical vulnerabilities, we have established a more aggressive remediation process. This process is closely integrated with the scanner findings, which helps to address challenges related to ownership, tracking, and SLA calculations. By linking these components together, we are able to streamline vulnerability management and ensure efficient resolution of identified issues and overall visibility.

    Angelo Punturiero is an Italian native who has recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestlé CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has honed his skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestlé, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity.

    Jenifer Jiménez, a native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is the lead architect of the vulnerability management orchestration platform. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, and she managed the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strives to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life.

    Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters.

    March 26, 2024 11:00-12:00

    MD5: 35bf68da57f8daf7ad0bef7f262936c0

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.69 Mb

  • TLP:CLEAR

    Networking After Party Sponsored by Nucleus

    Sponsored by Nucleus, join us over in the vendor hall for an evening of networking with our Platinum Sponsors and your peers! Heavy appetizers and beverages will be served. Alcoholic beverages will be available (open bar) for the first hour of the evening due to University protocol. Food and non-alcoholic beverages will be available the full two hours.

    March 25, 2024 17:00-19:00

  • TLP:CLEAR

    Networking After Party Sponsored by OpenSSF

    Sponsored by OpenSSF, join us over in the vendor hall for an evening of networking with our Platinum Sponsors and your peers! Heavy appetizers and beverages will be served. Alcoholic beverages will be available (open bar) for the first hour of the evening due to University protocol. Food and non-alcoholic beverages will be available the full two hours.

    March 26, 2024 17:00-19:00

  • MX US TLP:CLEAR

    Panel Discussion: Don’t be Vexed by VEX - VEXperts Panel (presentation features a virtual speaker)

    Vulnerability EXchange (VEX) is a newer way for maintainers and suppliers to provide affectedness data about the software and hardware that they create and support. It connects with other industry standards like CVE/vulnerability identifiers and when paired with Software Bill of Materials (SBoM) can help consumers quickly understand how the components within their enterprises are affected by vulnerabilities. Join this panel of VEX experts as they talk about current approaches to VEX and the assorted implementations that exist and how downstreams need to think about how they plan to ingest this data from their suppliers/sources and then provide actionable information to their consumers.

    Topics to be discussed include:

    • What is VEX?
    • Why VEX?
    • The VEX formats available
    • How VEX matches up and pairs with other existing vulnerability management processes/standards
    • How someone can get and use VEX statements
    • VEX and global regulation

    Adolfo García Veytia (@puerco) is a staff software engineer with Stacklok. He is one of the Kubernetes SIG Release Technical Leads. He specializes in improvements to the software that drives the automation behind the Kubernetes release process. He is also the creator of the OpenVEX and protobom projects currently incubating in the OpenSSF sandbox. Adolfo is passionate about writing software with friends, helping new contributors, and amplifying the Latinx presence in the Cloud Native community.

    Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

    Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.

    Justin Murphy works as a Vulnerability Analyst as part of the Coordinated Vulnerability Disclosure (CVD) team at the Cybersecurity and Infrastructure Security Agency (CISA). He helps to coordinate the remediation, mitigation, and public disclosure of newly identified cybersecurity vulnerabilities in products and services with affected vendor(s), ranging from industrial control systems (ICS), operational technology (OT), medical devices, and Internet of Things (IoT) to traditional information technology (IT) vulnerabilities. Justin is involved with many other vulnerability management related efforts, including CISA's SBOM and VEX work, the OASIS Common Security Advisory Framework (CSAF) TC, and he also serves as a co-chair for the OASIS OpenEoX TC. Justin is a former high school mathematics teacher turned cybersecurity professional and has an M.Sc. in Computer Science from Tennessee Technological University, and a B.Sc. degree in Statistics from the University of Tennessee (Knoxville).

    March 26, 2024 13:00-14:00

  • US TLP:CLEAR

    Panel Discussion: Enabling Accurate, Decentralized Root Cause Mapping at Scale

    Root cause mapping is the identification of the underlying cause of a vulnerability. This is best done by correlating CVE records with CWE entries. Root cause mapping is not done accurately at scale by the vulnerability management ecosystem.

    Root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers. Additionally, it enables trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection) as well as a valuable feedback loop into an SDLC or architecture design planning.

    The Root Cause Mapping Working Group (RCM WG) was established by CVE® and CWE™ community stakeholders with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem to enable trend analysis and risk management.

    The proposal is for a moderated panel discussion with members of the RCM WG to cover the value, challenge, and potential for accurate and decentralized root cause mapping at scale.

    Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse experience leading cybersecurity teams in software assurance, vulnerability management, attack surface analysis, and supply chain risk management. He is the day-to-day manager of the Common Weakness Enumeration (CWE) project team, overseeing content development, research, and engagement with its stakeholder community.

    Deana O’Meara is a passionate product security professional with ten years of experience in vulnerability management, response, disclosure, and threat intelligence. She began her career at Carnegie Mellon’s Software Engineering Institute (SEI), working across the U.S. Department of Defense, Department of Homeland Security, and Law Enforcement on the nation’s toughest cybersecurity challenges. After leaving the SEI, Deana led the Product Security Incident Response Team (PSIRT) at Rockwell Automation, focusing on Industrial Control System (ICS) vulnerabilities and intersections with traditional IT systems. Deana led Rockwell’s involvement in the first-ever "Pwn2Own" for ICS competition hosted at the S4 conference. Most recently, Deana joined NVIDIA from the Intel Corporation, where she managed Intel PSIRT’s vulnerability communications and infrastructure team. She led several high-profile product security initiatives for Intel, including security automation, developing and implementing data visualization, bootstrapping a team to engage in emerging standards and regulations, and the infamous "Log4Shell" response.

    Erin Alexander serves as the Section Chief for Ecosystem Advancement, a section under Vulnerability Management at the Cybersecurity and Infrastructure Security Agency (CISA). In this role, she is responsible for leading a team that combines products, services, data, and analysis to drive progress in and transformation of the global vulnerability ecosystem. Prior to joining CISA in 2015, Ms. Alexander worked for the Department of Homeland Security’s Fusion Centers sharing threat-related intelligence between State, Local, Tribal and Territorial (SLTT), federal and private sector partners for the purpose of prevention and response within the homeland security enterprise.

    March 25, 2024 15:30-16:30

  • US AU TLP:CLEAR

    Panel Discussion: It is a Tale as Old as Time.... a CNA, the NVD, and a CVE Consumer Walk Into a Bar. Hilarity Ensues, Right?

    Napkin-drawings aside, this panel seeks to talk through this classic "What If?" scenario by assembling a diverse team of industry and government professionals to talk about the current state of vulnerability identifiers, vulnerability databases, and how consumers interact with them. These building blocks establish the foundation for communicating and addressing vulnerabilities as they are discovered, reported, and disclosed, but the journey has not always been without challenges. Join us as we learn about the road that got us here, talk about the opportunities we continue to collaborate on, and hear about some potential future actions that could improve the ecosystem for all participants and officially start "Happy Hour"!

    We discuss these and other topics in our time together:

    • Challenges with scale
    • Challenges with the ecosystem in its current form
    • Challenges with data quality that cause challenges with automating analysis
    • Challenges with OSS repo release management practices
    • And MUCH MUCH more!

    Andrew Pollock is a Senior Software Engineer on Google’s Open Source Security Team, working on OSV.dev. He recently worked on converting CVEs in the National Vulnerability Database relating to Open Source software vulnerabilities into the OSV schema. As a result, he discovered a hitherto unknown passion for data quality in CVE records.

    Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.

    Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).

    Tanya Brewer is a Cybersecurity Program Manager at the National Institute of Standards and Technology. She manages the National Vulnerability Database (NVD) Program, so folks around the world can know more about publicly disclosed vulnerabilities. She has worked on technical standards and program management in the areas of cybersecurity and privacy for smart grids, electric vehicles, identity management, biometrics, and industrial control systems, as well as cybersecurity education and workforce training. She has done so with experts from NIST, ITU-T, OECD, SAE, privacy watchdogs, power companies and co-ops, the Department of State, and the U.S. Senate. She blends her background in public policy and cybersecurity to scale complex, multi-stakeholder programs while keeping them approachable to people of all backgrounds. When not managing her team and thousands of vulnerabilities, she is crafting beautiful miniatures or using a stick to turn string into soft and warm beauty.

    March 27, 2024 14:00-15:00

  • US TLP:CLEAR

    Panel Discussion - The Risks of Requiring Premature Vulnerability Disclosures

    Should your organization be required to disclose vulnerabilities before you’ve had a chance to fix them? Governments have begun embracing the concept of vulnerability disclosure, but are co-opting the process and creating new risks to security.

    This panel will discuss a concerning regulatory trend of requiring organizations to disclose unmitigated vulnerabilities to government agencies. This trend includes major cybersecurity regulations that affect many parts of the security ecosystem, such as the EU Cyber Resilience Act, FISMA modernization legislation, France’s Military Programming law, and China’s Regulation on the Management of Network Product Security Vulnerabilities. This discussion will outline the security implications of requiring the disclosure of unmitigated vulnerabilities to government agencies, including the risk of alerting adversaries, vulnerabilities potentially being used for state intelligence or offensive purposes, creating a dangerous precedent for other countries to follow suit, and deterring good faith security research. Finally, the panel will recommend safeguards for companies and policymakers to adopt to ensure cybersecurity best practices.

    Katie Noble serves as a CVE Program Board, Bug Bounty Community of Interest Board, and Hacking Policy Council member. She is a passionate defensive cybersecurity community activist who is regularly involved in community-driven projects and is most happy when she is able to effect positive progress in cyber defense. In her day job Katie Noble serves as a Director of PSIRT, Bug Bounty, and the Security Working Artifacts Team at a Fortune 50 technology company. Prior to joining the private sector, Katie spent over 15 years in the US Government, most recently as the Section Chief of Vulnerability Management and Coordination at the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency (CISA). Her team is credited with the coordination and public disclosure of 20,000+ cybersecurity vulnerabilities within a two-year period. During her government tenure, in roles spanning Intelligence Analyst for the National Intelligence Community to Senior Policy Advisor for White House led National Security Council Cyber programs, Katie’s work directly impacted decision making for government agencies in the United States, United Kingdom, Canada, and Australia.

    Michael Woolslayer is Policy Counsel at HackerOne, where he supports public policy efforts and legal matters. Michael previously was one of HackerOne's first customer success managers, which included managing the Hack the Pentagon bug bounty pilot program. Michael’s additional prior experience includes practicing technology, security, and privacy law at Perkins Coie LLP and various roles with defense technology start-ups.

    Rob Spiger works on cybersecurity policy at Microsoft, specializing in cyber resilience, security by design, and regulatory harmonization. He is an industry security expert with a background in trusted computing technology and standards development. He collaborates with global technologists from industry, government and academic institutions who are devoted to advancing security policy, technology, research, and innovation. He joined Microsoft in 2003 and prior to 2012 he was responsible for technical program management of Windows security features as a part of the security and identity team. He holds degrees in computer science with honors and electrical engineering from the University of Washington.

    Tanvi Chopra is a Senior Cybersecurity Analyst at Venable LLP, specializing in providing clients with guidance on cybersecurity and data protection policies, laws, regulations, and compliance matters across various jurisdictions, including the EU, UK, and the U.S. With a keen focus on policy development, Tanvi actively engages in addressing critical cybersecurity issues including in the areas of vulnerability disclosure, incident reporting, data and product security, Open RAN, workforce, and much more.

    Leveraging her comprehensive understanding of cybersecurity trends and challenges, Tanvi delivers newsletters, white papers, op-eds, letters, and research reports to cybersecurity trade associations, private companies, and governments. Her efforts aim to foster collaboration within the cybersecurity ecosystem and elevate global awareness of cybersecurity issues.

    Prior to joining Venable, Tanvi served as an intern at an international law firm, where she worked on matters related to national security and cybersecurity policy.

    March 27, 2024 13:00-14:00

  • US TLP:CLEAR

    Panel Discussion: This One Time at CVD Camp

    Coordinated Vulnerability Disclosure (CVD) is the standard for how commercial vendors, coordinators, and actors like Information Sharing and Analysis Centers (ISAC) communicate and prepare end-consumers as new vulnerabilities are discovered, reported, and fixed. Depending on the scope of the vulnerability’s impact and the maturity and experience of the parties participating in the coordination, consumers' actual experiences may greatly differ. Join this expert panel as they share their experiences on what has been successful in managing industry-impacting vulnerabilities, and hear about a few experiences that were.... less successful. The panel will explore the following CVD topics:

    • How does CVD differ for various product types (HW/FW/SW)? What are the typical expectations or industry trends? (Thinking aloud: to have the FW ecosystem talk about how sometimes things just...take a while)
    • How is SBOM aiding vulnerability response? (Log4j trauma)
    • Where are we automating?
    • How are organizations dealing with new Bug Bounty platforms who operate in the gray space?
    • Are more coordination bodies coming to the forefront and following the CERT/CC model?

    Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

    Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.

    Deana O’Meara is a passionate product security professional with ten years of experience in vulnerability management, response, disclosure, and threat intelligence. She began her career at Carnegie Mellon’s Software Engineering Institute (SEI), working across the U.S. Department of Defense, Department of Homeland Security, and Law Enforcement on the nation’s toughest cybersecurity challenges. After leaving the SEI, Deana led the Product Security Incident Response Team (PSIRT) at Rockwell Automation, focusing on Industrial Control System (ICS) vulnerabilities and intersections with traditional IT systems. Deana led Rockwell’s involvement in the first-ever "Pwn2Own" for ICS competition hosted at the S4 conference.

    Most recently, Deana joined NVIDIA from the Intel Corporation, where she managed Intel PSIRT’s vulnerability communications and infrastructure team. She led several high-profile product security initiatives for Intel, including security automation, developing and implementing data visualization, bootstrapping a team to engage in emerging standards and regulations, and the infamous "Log4Shell" response.

    Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).

    March 26, 2024 15:30-16:30

  • JP TLP:CLEAR

    Pushing Coordinated Vulnerability Disclosure forward in Asia Pacific

    CVD is a global good practice. In today's CVD ecosystem, many different stakeholders exist, but they are largely from the United States or EU. An "Asia-Pacific CVD" has not been cultivated. Many software product/component suppliers exist in the region, and the size of the enterprises varies from large to small. In the region, CVD readiness - such as Vulnerability Disclosure Policy preparation or being a CNA - is lacking overall. Also, a cooperative structure among the CVD Coordinator organizations has not been built. Realizing such issues and to start tackling them, a CVD Working Group was created within APCERT, the Asia-Pacific CSIRT community, by several of the region's CERT/CVD Coordinator organizations. Referencing precedents such as ENISA setting up a CVD structure in the EU, the WG is first starting off by learning about each member organization's activity through presentations, and is finding out what the characteristics and specific challenges are in the region.

    In this presentation, the WG's motivation, activities, and the challenges found so far will be explained. Also, discussions to gather information and opinions from the audience, so that the WG can grow to become a good CVD supporter (e.g., topics such as "what would be helpful, or what was not, from the CVD coordinators in the region", efficient awareness-raising methods, etc.), will be held.

    Tomo Ito has been working as a vulnerability information coordinator at JPCERT/CC for 4 years. His current focuses include international collaborations regarding vulnerability coordination topics with organizations around the globe.

    March 26, 2024 10:00-10:30

    MD5: 2790c49f3b22fc22689b3e533366b5a9

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.32 Mb

  • US TLP:CLEAR

    Reducing Ratio of Reserved But Public CVEs

    With the rise of the CVE Services API, low reserved-but-public (RBP) ratios are easier to obtain than the days when requesting CVEs was entirely manual. Requesting CVE IDs on an as-needed basis, rather than making a bulk CVE request at the start of the year, is an important practice for reducing RBP ratios. But it’s not the only practice. CNAs have multiple CVE reservation and publication practices available, such as publishing CVE records as soon as possible rather than waiting to publish CVE records in monthly or quarterly batches, to help reduce the number of reserved-but-public CVEs they have at any given time and avoid rejecting large numbers of CVEs at the end of the year. This talk discusses different practices and which kinds of CNAs may benefit from each practice, encouraging CNAs to combine practices to customize their RBP ratio reduction.

    Shelby Cunningham is an advisory curator for the GitHub Advisory Database. Her duties include, but are not limited to, organizing and publishing vulnerability information for the GitHub Advisory Database and gathering vulnerability information from project maintainers on GitHub to submit to the CVE list. Working for a team with the responsibilities of a CVE Numbering Authority and a vulnerability database leads to her seeing a wide range of practices in vulnerability information disclosure. Prior to joining GitHub, Shelby wore a variety of hats at music label, distributor, and retailer Get Hip Recordings in Pittsburgh, PA.

    March 27, 2024 15:30-16:30

    MD5: 61fa5da460894bd0094aa43d77a3b058

    Format: application/pdf

    Last Update: June 10th, 2024

    Size: 4.97 Mb

  • US TLP:CLEAR

    Revising the CVE CNA Operational Rules: AMA

    By the time you read this, the CVE Program should be nearing the end of a year-long process to revise the CNA Operational Rules. While the overall spirit of the rules has not significantly changed, the rules themselves have been almost entirely rewritten. What happens if a CNA declines to assign a CVE ID? How does a CNA determine that a vulnerability exists? Is that one vulnerability or five? What does Janet Jackson have to do with CVE? I'm the acting editor of this revision of the CNA Operational Rules, ask me anything!

    Art Manion is the Deputy Director of ANALYGENCE Labs where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).

    March 25, 2024 11:00-12:00

  • US TLP:CLEAR

    SBOMs – The Missing Link

    There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how Schneider Electric has collected thousands of our product SBOMs and how we are leveraging the SBOMs as part of our corporate product CERT to quickly analyze and focus our attention when time is of the essence. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. Then we will conclude with key learnings, suggestions, and opportunities for improvement.

    Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development and author of Software Supply Chain Security: Securing the End‐to‐End Supply Chain for Software, Firmware, and Hardware. She has many years of business and technical leadership experience in supply chain security, cybersecurity, product/application security, software/firmware development, program management, and data privacy.

    Cassie has designed frameworks and operating models for end‐to‐end security in software development lifecycles, third party risk management, cybersecurity governance, and cybersecurity initiatives. She is a member of the CISA SBOM working groups and presents frequently on the topic of SBOMs and Supply Chain Security.

    Cassie has held previous positions at Ceridian, Hewlett‐Packard, McAfee, Lotus, and IBM. She has an M.B.A. from California State University, Fresno, and her Bachelor of Science degree in Technical and Professional Communication with a specialization in Computer Science.

    March 25, 2024 13:00-14:00

    MD5: 29d1ebf5c71e174460f447818889837e

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.42 Mb

  • US TLP:CLEAR

    Seeing the Vulnerable Forest Through the Exploited Trees

    Vulnerability management is reactive. Day after day is spent reacting to newly discovered weaknesses, reacting to the latest headline, or reacting to reports of new exploitation activity. It is a relentless stream of information that requires constant attention, which means not a lot of time is spent in retrospection, until now. This talk will be looking back at several years of exploitation activity collected in the EPSS project and how they fall across the vulnerability landscape. Using the data, we will be addressing many of the common questions. How many vulnerabilities are being exploited? How widespread and sustained is exploitation? What patterns can we detect in exploitation? Should we focus more on zero-days or end-of-life vulnerabilities? Are there any clear indicators of exploitation activity before exploitation occurs? And many others!

    Jay Jacobs is the Chief Data Scientist at Cyentia Institute, the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST.

    March 25, 2024 15:30-16:30

  • US TLP:CLEAR

    Supply Chain Security: The Office of the National Cyber Director Perspective (presentation features a virtual speaker)

    The 2023 National Cybersecurity Strategy states that the Federal government must "continue to invest in the development of secure software, including memory-safe languages and software development techniques, frameworks, and testing tools," and that collaboration with the public and private sectors is necessary to make global supply chains more secure, resilient, and trustworthy. In this talk, you will hear from the Office of the National Cyber Director on initiatives to reduce the vulnerabilities of hardware and software supply chains. From eliminating classes of vulnerabilities, to measuring software quality, to ensuring the security of semiconductors, this talk will cover the broad array of efforts underway to make our digital ecosystem more easily and inherently defensible, resilient, and aligned with our values.

    Andrew Pasternak is a senior policy advisor for supply chain and technology security in the Office of the National Cyber Director. Andrew leads supply chain-related efforts for ONCD, including interagency supply chain security coordination and hardware and software security initiatives. Prior to ONCD, Andrew worked as a section chief and senior risk analyst at the Cybersecurity and Infrastructure Security Agency, providing cyber and physical risk analysis on critical infrastructure and emerging technologies.

    March 25, 2024 09:00-10:00

  • US TLP:CLEAR

    The CWE Program: Current State and Road Ahead

    Common Weakness Enumeration (CWE™) is a community-developed list of cybersecurity weaknesses. A weakness, in the context of CWE, is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.

    First released in 2006, CWE initially focused on software weaknesses because organizations of all sizes want assurance that the software products they acquire and develop are free of known types of security flaws. Follow-on releases refined these weaknesses and their classification trees — referred to as "CWEs" — while also adding coverage for new domains (e.g., mobile applications).

    In 2019, the CWE Program began implementing a strategy of federation to achieve its program goals of growing program adoption and growing program coverage. The CWE Board was established, as well as several community groups including the CWE User Experience Working Group, the CWE REST API Working Group, the Hardware CWE Special Interest Group (SIG), and the CWE ICS/OT SIG. These collaborative bodies bring together program partners in government, industry, and academia to work towards ensuring the CWE program brings value to the cybersecurity community.

    This talk will provide an overview of the CWE program’s current efforts to implement its federation strategy to increase program coverage and adoption. This will include efforts to modernize CWE program infrastructure (e.g., deploying a REST API), federate CWE content development (e.g., launch the CWE Content Development Repository (CDR) to provide a platform for program partners to collaborate transparently on CWE content development), and an overview of the CWE community working groups / SIGs and what they are trying to accomplish.

    Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse experience leading cybersecurity teams in software assurance, vulnerability management, attack surface analysis, and supply chain risk management. He is the day-to-day manager of the Common Weakness Enumeration (CWE) project team, overseeing content development, research, and engagement with its stakeholder community.

    March 26, 2024 15:30-16:30

  • AU TLP:CLEAR

    The Trials and Tribulations of Bulk Converting CVEs to OSV

    Join Andrew Pollock, from Google’s Open Source Security Team, on a light-hearted and personally vulnerable (ha! see what I did there?) retrospective on what happens when you take a Security Engineer converting to Software Engineering, who last touched CVEs in any way, shape or form 20 years ago, and get them to ramp up on a new project that’s developed completely differently from anything internal at Google.

    Andrew Pollock is a Senior Software Engineer on Google’s Open Source Security Team, working on OSV.dev. He recently worked on converting CVEs in the National Vulnerability Database relating to Open Source software vulnerabilities into the OSV schema. As a result, he discovered a hitherto unknown passion for data quality in CVE records.

    March 25, 2024 11:00-12:00

    MD5: 4a74bae93c25c803a6d208f6364f80f9

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 1.27 Mb

  • PL TLP:CLEAR

    Understanding Red Hat's SBOM - The Future of Software Transparency

    SBOMs are intended to provide transparency to ‘consumers’ of software with a list of the ‘ingredients’ that compose an application. SBOMs help with procurement reviews, show what is included in a set of software applications/libraries, and provide general information on the composition of a software product. They also provide a basis for establishing a vulnerability program as part of an organization’s Risk Management approach. Red Hat Product Security publishes an official Red Hat Build SBOM (software bill of materials) to aid downstream consumers in addressing these concerns.

    In this talk we will give a general overview of what an SBOM is, what types of SBOMs can be produced by vendors, and how to understand the individual components of an SBOM (products, software components and their dependencies) from an Open Source Software ‘producer’s’ perspective. We will show our approach to SBOM production, and why and where SBOMs are important in the Security Development Lifecycle (SDLC).

    Main topics to be covered in this session include:

    • What exactly is an SBOM
    • SBOM types vendor / producers should really consider
    • SBOM and software product lifecycle, how they work together
    • SDL phases of the product lifecycle
    • SBOM’s role and place in SDLC
    • Red Hat SBOM implementation and publishing lessons

    This talk is designed for security professionals, compliance officers, compliance auditors and everyone who works on the supply chain aspects of software.

    Przemysław Roguski is a Security Architect at Red Hat who specializes in the security aspects of Cloud Products. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security. He focuses on security data improvements (various upstream and downstream security initiatives and projects such as CWE, Kubernetes, and the Red Hat Vulnerability Scanner Certification program) to build a better understanding of security issues and improve client satisfaction.

    March 25, 2024 14:00-15:00

  • US TLP:AMBER

    VeXing Vulnerabilities: NVIDIA's Dynamic Approach to OSS Security

    Vulnerability tracking in software, particularly open-source software (OSS), poses challenges when vulnerabilities remain unaddressed within a reasonable timeframe. Traditional workflows often fail to synchronize with Software Bill of Materials (SBOM) and vulnerability data, leading to manual tracking, unverified processes, and an influx of false positives, causing noise in the system.

    To address these challenges, the security team at NVIDIA has developed a tool that helps development teams track vulnerability analysis and seamlessly integrates with report data. This tool streamlines the workflow and allows publication using Vulnerability Exploitability eXchange (VeX) standards. The data captured is then added to the internal tooling reporting platform providing a comprehensive view of the vulnerability landscape.

    Our solution defines workflows based on the state of vulnerability analysis, including false positives, unaffected vulnerabilities, and those exploitable but not resolved within the expected fix timeframe. Each workflow is designed with appropriate expiration dates and approval tracking, ensuring that the reporting remains up to date and actionable. Key features include automated filtering of data after exceptions/analyses are approved, automatic tracking of issue resolution, and reprioritization of time-bounded records.

    In this presentation, we will showcase how our tool addresses the existing challenges in vulnerability tracking, providing a more efficient and effective way to manage OSS vulnerabilities. We will also demonstrate the pilot VeX publication offering for NVIDIA’s AI Enterprise catalog, offering a comprehensive view of the vulnerability landscape for our customers.

    Come hear about NVIDIA’s innovative approach to vulnerability tracking and reporting, and learn valuable insights for organizations seeking to enhance their vulnerability management processes.

    Amy Rose is the Manager of the PSIRT team at NVIDIA. She has worked in Product Security Incident Response as well as various other security roles for multiple companies, has an interest in improving processes to make life easier, and has over 75 patents. Amy lives in Chapel Hill, North Carolina with her family.

    Jessica Butler is an engineering manager for NVIDIA’s Product Security Tools team. Her passion is providing an easy button for security tools by designing and implementing internal enterprise applications with a focus on developer integration and support. Jessica has over 17 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. In her free time Jessica enjoys gardening, rehabbing her 130 year old urban home and traveling with her family, BJ, Sebastian, Eliza and Azalea.

    March 26, 2024 15:30-16:30

  • BE TLP:CLEAR

    Vulnerability Coordination in the EU

    Recent EU policy initiatives triggered a number of changes with regard to vulnerability disclosure in the Union. As part of this talk we will describe the latest situation covering the legislative changes, the resulting implementation activity, and highlight how the European Union Agency for Cybersecurity (ENISA) is planning to actively contribute to the enhancement of European CVD structures.

    Johannes Clos discovered his interest in computers initially through his passion for audio engineering and signal processing. After encountering the strength of cryptography he became interested in information security and the political implications of technology. After receiving his diploma in computer science from Technische Universität Darmstadt he pursued initial research (e.g., at Fraunhofer SIT and IGD) and network security work before starting at BSI’s national CSIRT section CERT-Bund. While supporting the team in various ways (vulnerability disclosure, abuse automation, OSS development) he cultivated a passion for CSIRT collaboration and is now part of ENISA’s Operational Cooperation Unit, where his tasks include supporting the CSIRTs Network Secretariat and the EU vulnerability database implementation.

    March 26, 2024 09:00-10:00

  • US TLP:CLEAR

    Welcome Remarks

    Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat’s secure development and incident response programs at Red Hat and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.

    Prior roles include Senior Director for security at Honeywell, Cybersecurity Strategist at BIM and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS for working National Infrastructure Advisory Council (NIAC) problem sets and assisted in forming the Information Technology - Sector Coordinating Council (IT-SCC), where he recently returned to the Executive Committee and as Treasurer. As the former Operations Center Director, he ran the Information Technology - Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.

    Peter is a Member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its former Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security.

    Peter is a retired Lieutenant Colonel from the US Army. He has a Master's degree from the University of Phoenix, a BS in Business Administration from Rollins College and is a Graduate of the US Army Command & General Staff College.

    March 25, 2024 08:30-09:00

  • US TLP:CLEAR

    What It Takes to Lead America’s Vulnerability Management Team

    Do you ever wonder what the US Government does behind the scenes to synchronize vulnerability management operations? In this panel, CISA’s Vulnerability Management Associate Director, Sandy Radesky, will lead a discussion with both government and industry leaders in this space. We’ll share the effort it takes to coordinate with partners and the reasons why we continue to lead as a collaborative community. We’ll discuss major efforts, including some new ones: Secure by Design, Coordinated Vulnerability Disclosure, KEV, Open Source Security, and some of our newly released vulnerability analysis.

    Bob Lord is a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency (CISA). Previously he was the Chief Security Officer at the Democratic National Committee, where he brought more than 20 years of experience in the information security space to the Committee, state parties, and campaigns. Before that he was Yahoo’s Chief Information Security Officer, covering areas such as risk management, product security, security software development, e-crimes and APT programs. He was the Chief Information Security Officer in Residence at Rapid7, and before that headed up Twitter’s information security program as its first security hire.

    Chris Hughes is the Co-founder and President of Aquia, a cybersecurity consulting firm. Chris brings nearly 20 years of IT and cybersecurity experience to his role as co-founder and President at Aquia. Chris also serves as a Cyber Innovation Fellow (CIF) at the Cybersecurity and Infrastructure Security Agency (CISA) focusing on software supply chain security. Additionally, Chris advises various tech startups, including serving as the Chief Security Advisor at Endor Labs.

    As a United States Air Force veteran and former civil servant in the U.S. Navy and the General Services Administration’s FedRAMP program, Chris is passionate about making a lasting impact on his country and our global community at large.

    In addition to his public service, Chris spent several years as a consultant within the private sector and currently serves as an adjunct professor for cybersecurity master’s programs at the University of Maryland Global Campus. Chris participates in industry working groups, such as the Cloud Security Alliance’s Incident Response and SaaS Security Working Group, and serves as the Membership Chair for Cloud Security Alliance D.C. He is the co-host of the Resilient Cyber Podcast and runs the Resilient Cyber Substack where he shares episodes as well as detailed articles on topics such as Cloud, Vulnerability Management, DevSecOps and more.

    Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.

    Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors. He is a seasoned cybersecurity professional with over 15 years of experience helping build high-growth SaaS cybersecurity companies including VulnCheck, Nucleus Security, Blumira, Censys and Duo Security.

    Sandy J. Radesky serves as the Associate Director for Vulnerability Management at the Cybersecurity and Infrastructure Security Agency (CISA). Prior to this role, Ms. Radesky served as the Deputy Command Information Officer (CIO) for U.S. Fleet Cyber Command/ U.S. TENTH Fleet from December 2020 to February 2023. In this position she oversaw the cybersecurity, policy, design, and future plans for the Navy in order to support full spectrum Cyberspace Operations to enable FLTCYBERCOM as the central operating authority for Navy Networks. Her efforts continued to improve, integrate and directly support joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of global operations.

    March 27, 2024 09:00-10:00

    MD5: 9fafdde3bb579de0758e47c3f352f76a

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 2.03 Mb

  • IL TLP:CLEAR

    Why Can't We All Just Get Along? Bridging the Gap in Vulnerability Prioritization Standards

    In the dynamic realm of vulnerability management, the proliferation of standards and frameworks like CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), and VISS (Vulnerability Information and Severity Score) often leads to confusion, fragmentation, and inconsistency. This talk explores the underlying tensions between these standards, particularly in the context of vulnerability prioritization.

    Our journey begins with an exploration of each framework, highlighting their unique methodologies, strengths, and limitations. Then, we will center our discussion around the Strategic Stakeholder-Specific Vulnerability Categorization (SSVC), a framework that can act as a unifying bridge in this fragmented landscape. We will dissect how SSVC's adaptable and stakeholder-specific approach can harmonize these varying standards, providing a more cohesive and comprehensive vulnerability management strategy.

    Key aspects of this talk include:

    • A comparative analysis of CVSS, EPSS, and VISS, underscoring their operational divergences and impacts on cybersecurity decision-making.
    • An in-depth exploration of SSVC's methodology, focusing on its flexible decision trees that accommodate diverse stakeholder needs and environmental contexts.
    • A proposed roadmap for organizations looking to synergize these frameworks effectively, leveraging SSVC's adaptability.

    In conclusion, this talk aims not just to highlight the challenges posed by the diversity of standards in vulnerability management but to offer a pragmatic and unifying solution through SSVC, paving the way for a more harmonized and effective approach to vulnerability prioritization and management in the cybersecurity domain.

    Yotam Perkal leads the vulnerability research team at Rezilion, focusing on research around vulnerability validation, mitigation, and remediation. Prior to Rezilion, Yotam filled several roles in PayPal's Security organization, dealing with vulnerability management, threat intelligence, and insider threat. Additionally, Yotam takes part in several OpenSSF working groups around open-source security and several CISA work streams around SBOM and VEX, and is a member of the PyCon Israel organization committee. Yotam is passionate about the intersection between Cyber Security and Machine Learning, whether it be using ML to help solve Cyber Security challenges or exploring the challenges in securing AI/ML applications.

    March 25, 2024 11:00-12:00

    MD5: 44d272825d619c0a2064ff9a25537bc3

    Format: application/pdf

    Last Update: June 7th, 2024

    Size: 7.42 Mb
