Fyodor Yarochkin (Trend Micro, TW)
Fyodor Yarochkin is a Senior Researcher in Forward-Looking Threat Research at Trend Micro with a Ph.D. from the EE department of National Taiwan University. An early Snort developer, open source evangelist and programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
This presentation is for FIRST Members only; authentication is required on the FIRST Portal to preview the video.
Attacks On Infrastructure During Cyber Conflicts
February 16, 2024 11:30-17:00
Michael Schueler (Cisco, DE)
It is well-known that the team behind the US National Vulnerability Database (NVD) reviews vendor security advisories to confirm or - if deemed necessary - re-score product security vulnerabilities.
Based on feedback the Cisco PSIRT received via the NVD CVMAP Program, we compared the NVD scores to our PSIRT-calculated scores for 80 security vulnerabilities Cisco disclosed between May and November 2023. We identified a set of reasons why NVD's and our PSIRT's scores could differ.
This talk will discuss the differences we found, the causes of those discrepancies, and the actions Cisco is taking to ensure NVD's and our PSIRT's scores are better aligned - so our common customers will benefit from the most consistent and accurate scores upon which to base their security risk and vulnerability management decisions.
Michael Schueler is a senior Incident Manager at Cisco's Product Security Incident Response Team (PSIRT). With over 16 years of industry experience, he currently focuses on vulnerability management and disclosure and Cisco product forensics. Prior to this he was working as a Customer Support Engineer at the Cisco EMEA TAC, solving highly complex customer issues in technologies ranging from firewalls, VPN, and IDS/IPS over load-balancing and WAN optimization to data center switching. Michael holds an M.Sc.-level degree in computer science (Dipl.-Inform.) from RWTH Aachen University, Germany. He is also CCIE Security #23835, CISSP #685496, and GCIH.
VulnCon-Black-and-Blue-or-White-and-Gold.pdf
MD5: 086dbc3c138548f0c59efd840d2d24fe
Format: application/pdf
Last Update: April 9th, 2024
Size: 1.13 Mb
Jon Moroney (GitHub, US)
Great effort is often expended managing vulnerability disclosure, from ensuring disclosure is done responsibly to coordinating with software maintainers. Less effort has been spent ensuring that advisories make it to the parties actually using the vulnerable software. At GitHub, we maintain a database with the primary goal of enabling automated vulnerability alerting and remediation tools like Dependabot. We structure our database such that all advisories clearly apply to software that developers use, and we make it easy to get advisories delivered with high precision. The maintenance of the GitHub advisory database reduces noise in developer workflows and enables better experiences that result in more secure software. Come join to hear about tradeoffs, design goals, key insights, and about how GitHub thinks about the pipeline from advisory publication to alert consumption.
Jon Moroney (darakian) is a security analyst at GitHub working in the Security Lab. He is primarily concerned with designing and maintaining the advisory database with the goal that GitHub users have the best experience possible with security alerts.
VulnCon-Building-a-Better-Database-How-GitHub-Structures-Moroney.pdf
MD5: 2773ad069fb6af8b5adcc7501142d667
Format: application/pdf
Last Update: April 1st, 2024
Size: 33.7 Mb
Mohd. Akram Khan (CERT.IN, IN), Seema Khanum (CERT.IN, IN)
The Indian Computer Emergency Response Team (CERT-In) is the national agency for responding to cyber security incidents in India. CERT-In is also an authorized CVE Numbering Authority (CNA) that assigns CVE IDs to vulnerabilities under the CVE program. CERT-In carries out responsible vulnerability disclosure and coordination activity for reported vulnerabilities in accordance with CERT-In’s Responsible Vulnerability Disclosure and Coordination policy. This presentation will provide insights into the challenges faced by CERT-In, operating as both a CVE Numbering Authority (CNA) and as a National Computer Emergency Response Team (CERT).
The presentation will shed light on the challenges of taking responsible decisions as a National CERT and also as a CNA, taking all potential adverse impacts into account. The dual role requires constant coordination with vulnerability reporters, urging patience and allowing sufficient time for affected entities to patch vulnerabilities. A national CERT that is also a CNA can disseminate vulnerability information to all stakeholders more quickly. This presentation explores the intricate coordination required between National CERTs, researchers, and OEMs to effectively manage and disclose vulnerabilities in a coordinated manner.
The risk of premature public disclosure by researchers, particularly when OEMs or vendors are unresponsive or slow to respond, poses a significant concern. Additionally, the reluctance of OEMs/vendors to confirm vulnerabilities, often influenced by the National CERT's national stature, further complicates matters. The presentation will also touch upon the criticisms and strategic implications that a national CERT can face due to some decisions.
Mohd Akram Khan has over 16 years of experience at the national Computer Emergency Response Team of India (CERT-In). He currently oversees Responsible Vulnerability Coordination and CVE Numbering Authority activities at CERT-In. His area of expertise spans incident response, threat and breach investigation, insider threat management, cybersecurity situational awareness, security operations centre and responsible vulnerability coordination. He commits himself to support and provide diligent and competent cyber security services to the entire constituency of CERT-In.
Seema Khanum is a valued member of the Coordinated Vulnerability Disclosure (CVD) team at CERT-In and an active participant in CNA/CVE activities. Her extensive background includes expertise in cybersecurity incident response, network security, and vulnerability exploitation. Seema’s primary focus lies in vulnerability coordination, and she is keen on devising effective mechanisms for coordinating OEMs and researchers in vulnerability disclosure and management. Additionally, she has delivered numerous technical lectures on various cybersecurity topics at awareness programs organised to promote cyber awareness among women.
VulnCon-CNA-Challenges-from-a-National-CERT-Perspective-Khanum.pdf
MD5: 6abe22e4daac1d1c2d41823286a99d25
Format: application/pdf
Last Update: April 3rd, 2024
Size: 1.36 Mb
Peter Allor (Red Hat, US), Josh Dembling (Intel, US)
Peter Allor is the Senior Director, Product Security for Red Hat. He has been instrumental in Red Hat’s secure development and incident response programs and in upstream security groups such as CVE, CVSS, and PSIRTs. He focuses on developing solutions that integrate the full spectrum of security operations within an organization's domain in support of the business.
Prior roles include Senior Director for security at Honeywell, Cybersecurity Strategist at BIM and managing vulnerability and incident coordination at IBM for the IBM X-Force. Prior to IBM acquiring Internet Security Systems (ISS), Peter was the Special Assistant to the CEO of ISS for working National Infrastructure Advisory Council (NIAC) problem sets and assisted in forming the Information Technology - Sector Coordinating Council (IT-SCC), where he recently returned to the Executive Committee and the role of Treasurer. As the former Operations Center Director, he ran the Information Technology - Information Sharing & Analysis Center (IT-ISAC) operations and brought coordination across the sector ISACs.
Peter is a Member of the CVE Board, a former member of the Board of Directors of the Forum of Incident Response and Security Teams (FIRST) and its former Chief Financial Officer. Peter was President of the Industry Consortium for Advancement of Security on the Internet (ICASI) and an Executive Committee Member of the IT Sector Coordinating Council (IT-SCC). A former Commissioner for the CSIS Cybersecurity Commission for the 44th Presidency, he assisted in developing recommendations for the Public and Private Sectors to work collaboratively on Cyber Security.
Peter is a retired Lieutenant Colonel from the US Army. He has a Master's degree from the University of Phoenix, a BS in Business Administration from Rollins College and is a Graduate of the US Army Command & General Staff College.
CLOSING-REMARKS-SLIDES-Updated.pdf
MD5: 1841fb7b3d97c0af14d6ef858ed32ce0
Format: application/pdf
Last Update: April 1st, 2024
Size: 907.64 Kb
Amine Besson (Behemoth Cyberdefence, NL), Claus Houmann (Behemoth Cyberdefence, LU), Remi Seguy (European Commission, LU)
Amine Besson is a private contractor focused on designing and engineering large scalable detection systems for his clients, with a track record of innovative solutions deployed in critical sectors and challenging environments.
Claus Houmann is a curator of all things cyber, collecting news for his ever growing library as soon as blog posts get written.
Remi Seguy has worked in cybersecurity for more than 15 years, mainly in Blue teams, but is most interested in fostering purple teaming. Remi fully supports Libre software and tries to contribute to the open source community.
This session will be moderated by: Nikolas Dobiasch (AT)
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 6, 2024 15:45-16:30
Hosted by Human Security, Cisco
Benson-Housmann-Seguy-CoreTIDE-FIRST-TC-Amsterdam-2024.pdf
MD5: c6a77a065ebbb2fe8c3965fa65c254f3
Format: application/pdf
Last Update: March 14th, 2024
Size: 3.22 Mb
Martin Prpic (Red Hat, US)
Security data is a central source of truth for Red Hat customers and consumers as a definitive product guide regarding published, known vulnerabilities and exploits. The availability of accurate security data supports a correct risk assessment process in customers' vulnerability management programs, which in turn helps with vulnerability patching prioritization.
In this talk we will focus on both technical and non-technical aspects of vulnerability management based on the new Red Hat Product Security data, and its correlation with the official SBOMs for Red Hat’s products. We will also discuss how CSAF and VEX data is used within SDL (Security Development Lifecycle) practices. During this session we also show the implications of using incorrect security data and the consequences visible in security scanning results.
Key topics to be covered in this session include:
This talk is designed for PSIRT members and all security professionals who work on the vulnerability management processes.
Martin Prpic is a Principal Security Engineer at Red Hat. He is an active participant in the CVE Project's Automation Working Group, the CSAF Technical Committee, and the OpenEoX Technical Committee. Martin's main focus is on designing systems that enable automated vulnerability response, support publishing of accurate security data, and improve the security posture of software supply chains.
MD5: 1bcf7126d06ce472c851331ae34069a7
Format: application/pdf
Last Update: April 8th, 2024
Size: 687.13 Kb
Nick Leali (Cisco and CVSS SIG Chair, US)
CVSS SIG Past, Present & Future:
With the recent release of the CVSS v4.0 standard, there continues to be a lot of activity in the FIRST CVSS SIG. This presentation gives an overview of the recent CVSS SIG past, our present ongoing work, and future considerations for CVSS. Attendees are encouraged to come with questions and feedback about their own organizations' use of CVSS, and how the standard and the accompanying documentation can be improved for use by everyone in the vulnerability management community.
CVSS v4.0 Beyond the Numbers:
CVSS numeric scores are simple and lack context helpful to guide vulnerability management. Sometimes we should care twice as much about a 5 than a 10!
This presentation features a discussion of new aspects of the CVSS v4.0 standard that give context to the resulting score, including: supplemental metrics, new to CVSS version 4.0, that provide additional details to describe a vulnerability without changes to the numeric score; the reconfigured vulnerable and subsequent system vulnerability impact metrics help to give increased granular impact ratings; and other new and changed metrics that give greater detail to each assessment. Examples of how score providers and consumers can use these new metrics will be included along the way.
Nick Leali works as an Incident Manager with Cisco PSIRT and serves on the FIRST CVSS SIG, most recently working on the CVSS v4 Examples document.
VulnCon-CVSS-Beyond-the-Numbers-Leali.pdf
MD5: 03c781723dc87a1c5ad0d1301f68239e
Format: application/pdf
Last Update: April 1st, 2024
Size: 532.44 Kb
VulnCon-CVSS-SIG-Past-Present-Future-Leali.pdf
MD5: 441bff9132001d92e100c562350ed25b
Format: application/pdf
Last Update: April 1st, 2024
Size: 2.08 Mb
Matt Frontz (Polsinelli PC, US)
Matt Frontz is a Shareholder with Polsinelli PC, an AM100 Law Firm. Originally a software engineer, he focuses his legal practice on Intellectual Property and related fields.
This session will be moderated by: Joe Tallet (UK)
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 6, 2024 10:30-11:15
Hosted by Human Security, Cisco
Matt-Frontz-Polsinelli-FIRST-Cybersecurity-Legalities-Presentation.pdf
MD5: 16e8da6dc70b4d7ccb13280a25124e46
Format: application/pdf
Last Update: March 14th, 2024
Size: 802.1 Kb
Andreas Weichslgartner (CARIAD SE, DE), Joyabrata Ghosh (CARIAD SE, DE), Vineeth Bharadwaj (CARIAD SE, DE)
As the automotive industry undergoes a paradigm shift towards software-defined vehicles, the imperative for robust software security becomes obvious. This talk explores the nuanced landscape of identifying, managing, and preventing vulnerabilities from the perspective of an OEM software company.
Starting with an exploration of the escalating role of software in modern vehicles, the talk illuminates the complex software ecosystems that underpin contemporary automobiles. A thorough analysis follows, unraveling the primary sources of vulnerabilities and their potential ramifications on vehicle safety and security.
Central to the discussion is the challenge of handling vulnerabilities within the complex supply chains inherent to the automotive industry. The talk elucidates the difficulties in navigating this multifaceted network of suppliers, emphasizing the necessity for collaborative approaches and effective risk management strategies.
We detail best practices for developing automotive software along the software development life cycle, together with the various regulatory requirements. In particular, we highlight the significance of SBOMs in fostering transparency and traceability across the supply chain. The talk delves into how SBOMs can fortify cybersecurity measures by providing a comprehensive understanding of the software components integrated into automotive systems.
Looking forward, the presentation anticipates future challenges and outlines viable solutions confronting the automotive industry, including crypto agility and the incorporation of cryptographic bills of materials (CBOMs).
Mr. Andreas Weichslgartner is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department.
Since joining the Volkswagen Group in 2017, he has been developing an embedded intrusion detection system, evaluating security testing technologies, managing vulnerabilities, enabling crypto agility, and working with machine learning in the area of security.
Before, he had been a researcher at the Department of Computer Science, Friedrich-Alexander University Erlangen-Nürnberg (FAU), Germany, from 2010 to 2017. He received his diploma degree (Dipl.-Ing.) in Information and Communication Technology and his Ph.D. (Dr.-Ing.) in Computer Science from the FAU, Germany, in 2010 and 2017, respectively.
Mr. Joyabrata Ghosh is presently working as a Connectivity products security owner at CARIAD SE. Before that, he was the security and legal technical manager for the Elektrobit Automotive Linux platform for the series production of several automotive OEMs. He started his automotive journey with Direct HMI development for the BMW ID7 platform. Over a decade ago, his development journey began in the embedded and telecom security domains across many OEMs. He supports the EO-14028 CISA SBOM working groups and contributed to the publications Types of SBOM and Minimum Requirements for VEX. He contributes to nvd@nist.gov and cpe_dictionary@nist.gov for open-source triage. He was co-presenter of Cybersecurity Expectations in Automotive World, 2021, in the ELISA Linux safety workgroup. He is also an open-source enthusiast. He has a Master’s degree in Computer Science from the Illinois Institute of Technology and a BS in Computer Science from RCCIIT.
Mr. Vineeth Bharadwaj Prasanna is currently working as a Senior Technical Security Engineer at CARIAD SE in the product security department.
Vineeth joined the Volkswagen Group in 2018 as a security engineer for Audi AG. Since 2020, he has been a member of the offensive security team and has also been working on building up the vulnerability management system and on end-to-end security engineering for the China GB-T homologation project for the new PPE/PPC platform for the new Audi and Porsche cars at CARIAD SE.
Vineeth received his Master’s degree in Simulation Science from RWTH Aachen University in 2019 with special focus on optimization, and artificial intelligence.
VulnCon-Finding-Managing-Preventing-Vulnerabilities-Ghosh-Weichslagartner-Bharadwaj.pdf
MD5: 0e60f8191e306e00aeed4d86fdd15096
Format: application/pdf
Last Update: April 1st, 2024
Size: 2.2 Mb
Ben Hirschberg (ARMO, IL)
Vulnerability Exploitability eXchange (VEX) documents have emerged as a manifest of the vulnerabilities of a software product, aligned with the concept of the Software Bill of Materials (SBOM), serving as a standardized way for software producers to communicate information about the exploitability of known vulnerabilities within their products. The adoption and support of VEX documents represent a major shift in cloud native security, designed to help determine which vulnerabilities require immediate attention and remediation. Yet the widespread adoption of VEX faces a fundamental obstacle: the sourcing of reliable and accurate VEX documents.
Enter the CNCF and OSS projects that have made significant progress in the generation of reliable VEX documents by using eBPF technology, which automatically categorizes vulnerabilities by priority and enables loading the results into other popular OSS projects like Trivy or Grype that support OpenVEX. Come to this session to learn how to get started with VEX immediately.
Ben Hirschberg is a veteran cybersecurity and DevOps professional, as well as computer science lecturer. Today, he is CTO and co-founder at ARMO, with a vision of making end-to-end Kubernetes security simple for everyone, and a core maintainer of the open source Kubescape project. He teaches advanced information security academically in both undergrad and graduate courses. In his previous capacities, he has been a security researcher and architect, pen-tester and lead developer at Cisco, NDS and Siemens.
VulnCon-SBOM-to-VEX-Discovering-What-s-in-the-Box-and-How-Badly-it-Can-Hurt-You-Hirschberg.pdf
MD5: d8e606b556c02745360ae1b8ab7ebb71
Format: application/pdf
Last Update: April 1st, 2024
Size: 3.86 Mb
David French (Google Cloud, US)
David French is a Detection & Response Engineer and Threat Hunter with many years of experience both working as a defensive cybersecurity practitioner and on the vendor side of life doing threat research and building security solutions. He currently works at Google Cloud where he helps security practitioners defend their organization from attack using Chronicle Security Operations.
This session will be moderated by: Nikolas Dobiasch (AT)
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 6, 2024 14:00-14:45
Hosted by Human Security, Cisco
David-French-From-soup-to-nuts.pdf
MD5: e59b1de5c492dd99a637afd60313d1e5
Format: application/pdf
Last Update: March 19th, 2024
Size: 6.2 Mb
Angelo Punturiero (Nestlé, IT), Jenifer Jimenez (Nestlé, ES), Martin Karel (Nestlé, ES)
Nestlé and similar organizations encounter numerous challenges in Vulnerability Management. These include managing large and diverse environments, accommodating various technologies with distinct requirements, navigating complex ownership structures, coordinating multiple security teams and tools, and adapting to constant change. To address these challenges, my team and I have made it our mission to create a comprehensive platform that integrates the most practical approaches for each specific environment. By doing so, we aim to increase automation, enhance situational awareness, and unlock a multitude of use cases and reporting capabilities.
In addition to consolidating results from different traditional vulnerability scanning tools and penetration tests, we recognize the importance of analyzing vulnerabilities that are disclosed by vendors but may not be detected by scanners.
We have implemented a crucial activity that involves automatically categorizing non-critical vulnerabilities and communicating them to the respective patching teams, aligning with their specific patching schedules. For critical vulnerabilities, we have established a more aggressive remediation process. This process is closely integrated with the scanner findings, which helps to address challenges related to ownership, tracking, and SLA calculations. By linking these components together, we are able to streamline vulnerability management and ensure efficient resolution of identified issues and overall visibility.
Angelo Punturiero is an Italian native who has recently moved to the enchanting city of Barcelona. He proudly serves as a Vulnerability Management Senior Specialist in the Nestlé CSOC Vulnerability Management team. With a deep passion for cybersecurity and the art of fine cuisine, he has improved his skills through years of experience at renowned IT consulting firms. This professional journey has led him to Nestlé, where he coordinates the process that determines the Corporate Rating of the daily published CVEs, ensuring that the appropriate stakeholders are promptly informed of any imminent risks. Additionally, he actively engages in matters related to Cloud Security and contributes to projects involving Generative AI in the realm of cybersecurity.
Jenifer Jiménez, a native of Spain, is currently working as a Senior Vulnerability Management Specialist at Nestlé Global Services in Barcelona. She is the lead architect of the vulnerability management orchestration platform. Prior to her current role, she was part of the team providing security services to global Hewlett-Packard customers, as well as managing the development of security platforms for the CSIRT at CaixaBank. With a deep passion for her work and a commitment to staying at the forefront of industry trends, she strives to make a positive impact in the field of cybersecurity. Her dedication to securing critical systems and her love for salsa dancing and family bring a unique blend of expertise and personal fulfillment to her life.
Martin Karel, a native of Slovakia, is currently leading the Nestlé global vulnerability management and offensive security team based in Spain. He has been a part of the Global CSOC since its establishment in 2016 and has played a crucial role in various key projects, including incident response, security monitoring, and the centralization and automation of vulnerability management processes. Prior to his current role, Martin led similar projects at HP Enterprise and SEAT, a car manufacturer within the VW group. In his leisure time, he is passionate about ballroom dancing and values spending quality time with his two daughters.
VulnCon-Nestle-Presentation.pdf
MD5: 35bf68da57f8daf7ad0bef7f262936c0
Format: application/pdf
Last Update: April 3rd, 2024
Size: 1.69 Mb
Dave Herrald (Google Cloud Security, US), John Stoner (Google Cloud, US)
Dave Herrald has over 25 years of experience as a technical security practitioner and leader across many industries, including technology, payments, manufacturing, media, and software. In recent years, Dave’s passion has been to improve the experience of information security analysts by developing large-scale experiential learning programs. Dave co-created Splunk’s Boss of the SOC (BOTS) blue-team CTF, reaching tens of thousands of security professionals globally. Today, Dave leads the Adoption Engineering team at Google Cloud Security, focusing on field research and developing programs for the success of security practitioners. Dave holds a degree in computer science from Iowa State University and has earned many security certifications, including GIAC GSE #79. Dave and his family live in Colorado, where he enjoys skiing, cycling, and woodworking.
John Stoner is a Principal Security Strategist at Google Cloud and leverages his experience to improve users' capabilities in Security Operations, Threat Hunting, Incident Response and Threat Intelligence. He blogs on threat hunting and security operations and has built multiple APT threat emulations for blue team capture the flag events. John has presented and led workshops at various industry symposia including FIRST, BSides, SANS Summits and DefCon Packet Hacking Village. He also enjoys listening to what his former teammates referred to as "80s sad-timey music."
This session will be moderated by: Joe Tallet (UK)
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 6, 2024 09:45-10:30
Hosted by Human Security, Cisco
Stoner-Herrald-Google-2024FIRST-TC-GraphRunner.pdf
MD5: 7bb0c7623d0f845fca3ada398f82cea3
Format: application/pdf
Last Update: March 14th, 2024
Size: 6.75 Mb
Anish Bachu (TTCSIRT, TT), Rick Logan-Stanford (TTCSIRT, TT)
Rick Logan-Stanford is a progressive ICT/Security Professional who is fully capable of handling any challenge by engaging the sum of his collective experience and training. Thirteen years of employment have made him proficient in designing, maintaining and troubleshooting Active Directory, MS Exchange and network security. He is currently focused on advancing a career in Cyber Security, building proficiency in, but not limited to, incident response, digital forensics, vulnerability assessments and cyber-related laws.
This session will be moderated by: Gabi Cirlig (UK)
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 7, 2024 14:00-14:45
Hosted by Human Security, Cisco
Rick-Logan-Stanford-TTCSIRT-Operationalizing-Threat-Intelligence.pdf
MD5: dbcf0401e3ff92442c819bfdea16e9b1
Format: application/pdf
Last Update: March 14th, 2024
Size: 1.24 Mb
Tomo Ito (JPCERT/CC, JP)
CVD is a global good practice. In today's CVD ecosystem, many different stakeholders exist, but they are largely from the United States or the EU. An "Asia-Pacific CVD" has not been cultivated. Many software product/component suppliers exist in the region, and the size of the enterprises varies from large to small. In the region, CVD readiness, such as Vulnerability Disclosure Policy preparation or being a CNA, is lacking overall. Also, a cooperative structure among the CVD Coordinator organizations has not been built. Recognizing such issues and to start tackling them, a CVD Working Group in the Asia-Pacific CSIRT community APCERT was created by several of the region's CERT/CVD Coordinator organizations. Referencing precedents such as ENISA setting up a CVD structure in the EU, the WG is starting off by learning each member organization's activity through presentations, and is finding out what the characteristics and specific challenges are in the region.
In this presentation, the WG's motivation, activities, and the challenges found so far will be explained. Discussions will also be held to gather information and opinions from the audience so that the WG can grow into a good CVD supporter (e.g., topics such as what has been helpful, or not, from the CVD coordinators in the region, and efficient awareness-raising methods).
Tomo Ito has been working as a vulnerability information coordinator at JPCERT/CC for 4 years. His current focuses include international collaborations regarding vulnerability coordination topics with organizations around the globe.
VulnCon-Pushing-Coordinated-Vulnerability-Disclosure-forward-in-Asia-Pacific.pdf
MD5: 2790c49f3b22fc22689b3e533366b5a9
Format: application/pdf
Last Update: April 9th, 2024
Size: 1.32 Mb
Cassie Crossley (Schneider Electric, US)
There is some debate as to how SBOMs can enhance vulnerability management practices, and some believe that collecting SBOMs from internal teams or suppliers is too difficult and time-consuming. Learn how Schneider Electric has collected thousands of our product SBOMs and how we are leveraging the SBOMs as part of our corporate product CERT to quickly analyze and focus our attention when time is of importance. This presentation describes how we modified our policies and processes to collect, generate, and store thousands of SBOMs. You will hear how we have leveraged SBOMs during the Log4j and OpenSSL vulnerability events. Then we will conclude with key learnings, suggestions, and opportunities for improvement.
Cassie Crossley, Vice President, Supply Chain Security in the global Cybersecurity & Product Security Office at Schneider Electric, is an experienced cybersecurity technology executive in Information Technology and Product Development and author of Software Supply Chain Security: Securing the End‐to‐End Supply Chain for Software, Firmware, and Hardware. She has many years of business and technical leadership experience in supply chain security, cybersecurity, product/application security, software/firmware development, program management, and data privacy.
Cassie has designed frameworks and operating models for end‐to‐end security in software development lifecycles, third party risk management, cybersecurity governance, and cybersecurity initiatives. She is a member of the CISA SBOM working groups and presents frequently on the topic of SBOMs and Supply Chain Security.
Cassie has held previous positions at Ceridian, Hewlett‐Packard, McAfee, Lotus, and IBM. She has an M.B.A. from California State University, Fresno, and her Bachelor of Science degree in Technical and Professional Communication with a specialization in Computer Science.
Schneider-Electric-SBOM-Program-VulnCon-March-2024-FINAL-24-March-TLP-CLEAR.pdf
MD5: 29d1ebf5c71e174460f447818889837e
Format: application/pdf
Last Update: April 22nd, 2024
Size: 1.42 Mb
Andrew Pollock (Google Open Source Security Team, AU)
Join Andrew Pollock, from Google’s Open Source Security Team, on a light-hearted and personally vulnerable (ha! see what I did there?) retrospective on what happens when you take a Security Engineer converting to Software Engineering, who last touched CVEs in any way shape or form 20 years ago, and get them to ramp up on a new project, that’s developed completely differently to anything internal at Google.
Andrew Pollock is a Senior Software Engineer on Google’s Open Source Security Team, working on OSV.dev. He recently worked on converting CVEs in the National Vulnerability Database relating to Open Source software vulnerabilities into the OSV schema. As a result, he discovered a hitherto unknown passion for data quality in CVE records.
VulnCon-The-Trials-and-Tribulations-of-Bulk-Converting-CVEs-to-OSV-Pollock.pdf
MD5: 4a74bae93c25c803a6d208f6364f80f9
Format: application/pdf
Last Update: April 1st, 2024
Size: 1.27 Mb
Fyodor Yarochkin (Trend Micro, TW)
Fyodor Yarochkin is a Senior Researcher, Forward-Looking Threat Research Senior at Trend Micro with a Ph.D. from EE, National Taiwan University. An early Snort Developer and Open Source Evangelist as well as a Programmer, his professional experience includes several years as a threat investigator and over eight years as an Information Security Analyst.
This presentation is for FIRST Members only; authentication is required on the FIRST Portal to preview the video.
Understanding Criminal Business Behind Supply Chain Attacks on Android
February 16, 2024 11:30-17:00
Gavin Reid (HUMAN Security, US)
Gavin Reid serves as the CISO for HUMAN Security, a cybersecurity company that specializes in safeguarding enterprises from digital attacks while preserving digital experiences for users. In addition, he leads the Satori Threat Intelligence and Research Team as VP of Threat Intelligence.
Gavin began his cybersecurity career in information security at NASA's Johnson Space Center. He later went on to create Cisco's Security Incident Response Team (CSIRT), Cisco's Threat Research and Communications (TRAC), and Fidelity's Cyber Information Group (CIG). Before joining HUMAN, Gavin served as the CSO for Recorded Future, where he was responsible for ensuring the protection, integrity, confidentiality, and availability of all customer-facing services, internal operational systems, and related information assets. For more than 20 years, Gavin has managed every aspect of security for large enterprises.
Amsterdam 2024 Technical Colloquium
Amsterdam, NL
March 7, 2024 09:30-09:45
Hosted by Human Security, Cisco
Gavin-Reid-Thursday-Intro-FIRST-2023.pdf
MD5: b995c2c16e2f396febf665acd0d343aa
Format: application/pdf
Last Update: March 14th, 2024
Size: 1.48 Mb
Bob Lord (CISA, US), Chris Hughes (Aquia, US), Lindsey Cerkovnik (CISA, US), Patrick Garrity (VulnCheck, US), Sandy Radesky (CISA, US)
Do you ever wonder what the US Government does behind the scenes to synchronize vulnerability management operations? In this panel, CISA's Vulnerability Management Associate Director, Sandy Radesky, will lead a discussion with both government and industry leaders in this space. We'll share the effort it takes to coordinate with partners and the reasons why we continue to lead as a collaborative community. We'll discuss major efforts, including some new ones: Secure by Design, Coordinated Vulnerability Disclosure, KEV, Open Source Security, and some of our newly released vulnerability analysis.
Bob Lord is a Senior Technical Advisor at the Cybersecurity and Infrastructure Security Agency (CISA). Previously he was the Chief Security Officer at the Democratic National Committee where he brought more than 20 years of experience in the information security space to the Committee, state parties, and campaigns. Before that he was Yahoo’s Chief Information Security Officer, covering areas such as risk management, product security, security software development, e-crimes and APT programs. He was the Chief Information Security Officer in Residence at Rapid 7, and before that headed up Twitter’s information security program as its first security hire.
Chris Hughes is the Co-founder and President of Aquia, a cybersecurity consulting firm. Chris brings nearly 20 years of IT and cybersecurity experience to his role as co-founder and President at Aquia. Chris also serves as a Cyber Innovation Fellow (CIF) at the Cybersecurity and Infrastructure Security Agency (CISA), focusing on software supply chain security. Additionally, Chris advises various tech startups, including serving as the Chief Security Advisor at Endor Labs.
As a United States Air Force veteran and former civil servant in the U.S. Navy and the General Services Administration’s FedRAMP program, Chris is passionate about making a lasting impact on his country and our global community at large.
In addition to his public service, Chris spent several years as a consultant within the private sector and currently serves as an adjunct professor for cybersecurity master’s programs at the University of Maryland Global Campus. Chris participates in industry working groups, such as the Cloud Security Alliance’s Incident Response and SaaS Security Working Group, and serves as the Membership Chair for Cloud Security Alliance D.C. He is the co-host of the Resilient Cyber Podcast and runs the Resilient Cyber Substack where he shares episodes as well as detailed articles on topics such as Cloud, Vulnerability Management, DevSecOps and more.
Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.
Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors. Patrick Garrity is a seasoned cybersecurity professional with over 15 years of experience helping build high-growth SaaS cybersecurity companies including VulnCheck, Nucleus Security, Blumira, Censys and Duo Security.
Sandy J. Radesky serves as the Associate Director for Vulnerability Management at the Cybersecurity and Infrastructure Security Agency (CISA). Prior to this role, Ms. Radesky served as the Deputy Command Information Officer (CIO) for U.S. Fleet Cyber Command/ U.S. TENTH Fleet from December 2020 to February 2023. In this position she oversaw the cybersecurity, policy, design, and future plans for the Navy in order to support full spectrum Cyberspace Operations to enable FLTCYBERCOM as the central operating authority for Navy Networks. Her efforts continued to improve, integrate and directly support joint warfighters, national-level leaders, and other mission and coalition partners across the full spectrum of global operations.
VulnCon-Panel-What-it-Takes-to-Lead-America.pdf
MD5: 9fafdde3bb579de0758e47c3f352f76a
Format: application/pdf
Last Update: April 1st, 2024
Size: 2.03 Mb
Yotam Perkal (Rezilion, IL)
In the dynamic realm of vulnerability management, the proliferation of standards and frameworks like CVSS (Common Vulnerability Scoring System), EPSS (Exploit Prediction Scoring System), and VISS (Vulnerability Information and Severity Score) often leads to confusion, fragmentation, and inconsistency. This talk explores the underlying tensions between these standards, particularly in the context of vulnerability prioritization.
Our journey begins with an exploration of each framework, highlighting their unique methodologies, strengths, and limitations. Then, we will center our discussion around Stakeholder-Specific Vulnerability Categorization (SSVC), a framework that can act as a unifying bridge in this fragmented landscape. We will dissect how SSVC's adaptable and stakeholder-specific approach can harmonize these varying standards, providing a more cohesive and comprehensive vulnerability management strategy.
Key aspects of this talk include:
In conclusion, this talk aims not just to highlight the challenges posed by the diversity of standards in vulnerability management but to offer a pragmatic and unifying solution through SSVC, paving the way for a more harmonized and effective approach to vulnerability prioritization and management in the cybersecurity domain.
Yotam Perkal leads the vulnerability research team at Rezilion, focusing on research around vulnerability validation, mitigation, and remediation. Prior to Rezilion, Yotam filled several roles in PayPal's Security organization, dealing with vulnerability management, threat intelligence, and insider threat. Additionally, Yotam takes part in several OpenSSF working groups around open-source security and several CISA work streams around SBOM and VEX, and is a member of the PyCon Israel organization committee. Yotam is passionate about the intersection between Cyber Security and Machine Learning, whether it be using ML to help solve Cyber Security challenges or exploring the challenges in securing AI/ML applications.
VulnCon-Why-Can-t-We-All-Just-Get-Along.pdf
MD5: 44d272825d619c0a2064ff9a25537bc3
Format: application/pdf
Last Update: April 8th, 2024
Size: 7.42 Mb