Stop that Release, There's a Vulnerability!

Presented at Black Hat USA 2018, Aug. 9, 2018, 9 a.m. (25 minutes).

Software companies can have hundreds of software products in-market at any one time, all requiring support and security fixes with tight release timelines or no releases planned at all. At the same time, the velocity of open source vulnerabilities that rapidly become public or vulnerabilities found within internally written code can challenge the best intentions of any SDLC.

How do you prioritize publicly known vulnerabilities against internally found vulnerabilities? When do you hold a release to update that library for a critical vulnerability fix when it's already slipped? How do you track unresolved vulnerabilities that are considered security debt? You ARE reviewing the security posture of your software releases, right?

As a software developer, product owner, or business leader being able to prioritize software security fixes against revenue-generating features and customer expectations is a critical function of any development team. Dealing with the reality of increased security fix pressure and expectations of immediate security fixes on tight timelines are becoming the norm.

This presentation looks at the real world process of the BlackBerry Product Security team. In partnership with product owners, developers, and senior leaders, they've spent many years developing and refining a software defect tracking system and a risk-based release evaluation process that provides an effective software 'security gate.' Working with readily available tools and longer-term solutions including automation, we will provide solutions attendees can take away and implement immediately.

• Tips on how to document, prioritize, tag, and track security vulnerabilities, their fixes, and how to prioritize them into release targets

• Features of common tools [JIRA, Bugzilla, and Excel] you may not know of and examples of simple automation you can use to verify ticket resolution.

• A guide to building a release review process, when to escalate to gate a release, who to inform, and how to communicate.


Presenters:

  • Christine Gadsby - Director, Product Security Operations, BlackBerry
    Christine Gadsby is the Director of BlackBerry's global Product Security Operations Team. This highly respected team is responsible for building and maintaining BlackBerry Secure software. Christine played a critical role in creating BlackBerry's 30-day Android patching strategy, Customer Advisory program, and leads BlackBerry's open source software vulnerability management strategy. She has presented security response strategies and services to several high assurance governments including the NSA, CESG, CSE, and GCHQ as well as several enterprise organizations. She has contributed to publications such as CSO magazine and Dark Reading and has spoken as an industry expert at several security industry conferences including Black Hat, IotSF and FIRST. She sits on several boards of industry response organizations and programs. She holds a Bachelors of Science degree in Information Technology and Business Management from Western Governors University.

Links:

Similar Presentations: