How to have perfect vulnerability reports and still get hacked

Presented at BSidesLV 2023, Aug. 8, 2023, 6 p.m. (45 minutes)

What vulnerabilities are really lurking in a given application? The assumption that we can answer that question undergirds US government mandates both recent and decades-old. Hackers, of course, know that this is absurd: attackers have 0days and aren't afraid to use them. But even a much humbler goal, "free of known vulnerabilities," isn't as feasible as we've been led to believe. In this talk, we'll see the pitfalls of the common tools, software composition analysis (SCA) and software bills of materials (SBOMs), that are commonly brought up as silver bullets for this issue. We'll also look at the vulnerability reporting ecosystem, including databases and the manual triage of vulnerabilities in your application. Nonetheless, we're hopeful: these tools are stronger together and can do a good job in many scenarios. Further, we'll see what the future holds for bringing us closer to "free of known vulnerabilities" status, from open-source tooling to better government policy. Attendees to this session will learn about:

Presenters:

  • Luca Guerra
    Luca is an experienced software engineer, specializing in software design and security research. His professional experience includes designing security solutions for multiple platforms, building and breaking secure systems, and vulnerability management. As a Sr. Software Engineer at Sysdig, Luca is responsible for software design and implementation, recently focusing on Falco, its associated libraries, and more open source software.
  • Zachary Newman
    Zack is passionate about developer tooling, supply chain security, and applied cryptography. After 4 years as a software engineer and tech lead on Google Cloud SDK, he moved to MIT CSAIL to research authenticated data structures and Tor network performance. Now, as a research scientist at Chainguard, he works with the TUF and Sigstore communities to make open source more secure.
