- PL USTLP:CLEAR
Jarek Potiuk (Apache Software Foundation , PL), Michael Winser (Alpha-Omega , US)
The “Airflow Beach Cleaning” project explores an innovative approach of dealing with Open Source Software Supply Chain problems. This is a collaborative effort between Alpha-Omega fund, Python Software Foundation, Apache Software Foundation and Apache Airflow PMC.
Jarek and Michael will share their learnings from running the cleaning exercise for about 6 months and will encourage other Open-Source project maintainers as well as those who fund security efforts to scale that approach within the whole Python ecosystem.
Link to slides: https://go.xwind.io/vulncon-beach-cleaning
Jarek Potiuk is an Engineer with a broad experience in many subjects - Open-Source, Cloud, Mobile, Robotics, AI, Backend, Developer Experience, Security, but he also had a lot of non-engineering experience - building a Software House from scratch, being CTO, organizing big, international community events, technical sales support, pr and marketing advisory but also looking at legal aspects of security, licensing, branding and building open-source communities are all under his belt.
With the experience in very small and very big companies and everything in-between, Jarek found his place in Open-Source world, where his internal individual-contributor drive can be used to the uttermost of the potential.
Michael Winser is a 40 year veteran in the software industry, with over 25 of those years at Google and Microsoft. He co-founded Alpha-Omega while at Google. Michael is an industry expert in software supply chain security, software development, and developer ecosystems. In addition to Alpha-Omega, Michael works with corporations and open source organizations to develop and execute on their security strategy. Michael is also a Security Strategy Ambassador for the Eclipse Foundation.
- USTLP:CLEAR
Alpha-Omega: What We've Learned From Funding Open Source Security Over the Past 3 Years, What's Ahead
Michael Winser (Alpha-Omega , US)
Since its inception, Alpha-Omega has granted over $8M to various open source security efforts. This presentation will explore how we do it, the lessons learned, and how it's shaping our vision for a secure and sustainable open source ecosystem.
Alpha-Omega is an open source fund, established in February 2022, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. The project aims to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly.
Link to Slides: https://docs.google.com/presentation/d/1_9KiqTZFFgUwA7nZ9awDH2dH-rFtUVI-QlAmuIDLhv4/edit
Michael Winser is a 40 year veteran in the software industry, with over 25 of those years at Google and Microsoft. He co-founded Alpha-Omega while at Google. Michael is an industry expert in software supply chain security, software development, and developer ecosystems. In addition to Alpha-Omega, Michael works with corporations and open source organizations to develop and execute on their security strategy. Michael is also a Security Strategy Ambassador for the Eclipse Foundation.
- ROTLP:CLEAR
Applying Cybersecurity Regulations and Industry Standards to Open Source Projects
Luci Stanescu (Canonical , RO)
"Information security standards and regulations are constantly gaining more traction and adoption, in an effort to counter-balance the expanding cybercriminal “business sector”. However, these are, understandably, often devised on the assumption that they will be implemented within enterprises, which are centrally managed and have well-defined boundaries. Nevertheless, open source software has become ubiquitous within enterprise infrastructure and consumer products, with little consideration given by regulators or standards bodies.
With open source projects acting as suppliers, often with a governance structure that’s not defined in detail, the question of the suitability of cybersecurity regulations and industry standards within the OSS context becomes increasingly relevant. While organisations such the Open Source Security Foundation (OpenSSF) are making a huge difference by providing best practices, tools and information, these would also need to be recognised by regulators and standards bodies in order to bridge the gap with the enterprises’ burdens. This talk explores the beneficial aspects that can be learned from regulations and standards to further improve the security posture of OSS projects, as well as the requirements which are difficult to map in this context."
Luci Stanescu is Security Engineering Manager at Canonical, part of the team responsible for the security maintenance of Ubuntu and the Canonical PSIRT. With almost 20 years of professional experience, he is passionate about making information security matter and an advocate for not treating cybersecurity regulations and standards as a tick-box exercise.
- USTLP:CLEAR
Krassimir Tzvetanov, PHDKrassimir Tzvetanov, PHD (Purdue University, US)
Over the past decade, the term "fake news" has become overused and divisive, prompting many to dismiss it outright. This raises questions about how this narrative benefits society—or even aids adversaries. Discussions around "active measures" often miss the mark, failing to grasp the broader implications of such tactics. In today’s information age, traditional cautionary warnings evolve into modern ones like “Beware of geeks bearing gifts,” underscoring the potential manipulation of seemingly benign messages.
This presentation will explore reflexive influence operations, techniques that exploit messaging to align segments of a target audience with adversary objectives. By examining second- and third-order effects, the discussion aims to reveal how such operations succeed in reshaping perceptions and achieving strategic goals. Examples illustrating these tactics will also be provided..
Beware of Geeks Bearing Gifts
January 2, 2025 09:00-10:00
- USTLP:CLEAR
Building a PSIRT for a Standards Organization
Jim Duncan (Jim Duncan, US)
Standards groups should have a policy for handling alleged flaws in their "product" and in upstream code, if any, that they modify and include in their own product. However, few such organizations have a well-defined process and policy. There are many challenges, the least of which is that the participants are competitors (as mentioned previously) and it will be inferred that agreeing to a PSIRT policy and process for a standards group will imply a loss of control
over the intellectual property. This presentation will highlight the unexpected challenges of establishing a PSIRT within a standards organization with a goal of helping others to bootstrap and run a vulnerability-handling mission for other standards groups.
Jim Duncan pioneered CSIRT & PSIRT practices, and has over forty years experience in incident response.
- PLTLP:CLEAR
Building Trust Through Proactive Security - Key Parts of the Trusted Software Supply Chain
Przemysław RoguskiPrzemysław Roguski (Red Hat Product Security, PL)
As security concerns continue to grow in the software industry, customers seek assurance that the software they rely on is built securely. While applying security patches is essential, it is equally important to understand the proactive measures taken throughout the development process to ensure that our software is built securely and is compliant with regulatory requirements and industry security standards.
Red Hat follows a comprehensive Secure Software Development Lifecycle (SDLC) framework to improve software security during the entire software lifecycle, mitigating risks, including vulnerabilities, before products are released to production and ensuring that customers can trust Red Hat’s products. We also use an end-to-end build and release environment, which uses SLSA (Supply-chain Levels for Software Artifacts) framework as a guide for reinforcing and gating the build process to better secure and fortify your software supply chain against various threats.
Przemysław “Rogue” Roguski is a Security Architect at Red Hat who specializes in shift-left security initiatives included in build and release processes. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security.
He is focused on the security data improvements, especially security data usability in the vulnerability management process and production of attestation data as a part of the Secure Software Development Lifecycle (SDLC) work to address security issues proactively.
An active participant of various upstream and downstream security initiatives and projects like CWE UEWG, OASIS OpenEoX Technical Committee, CISA VEX Working Group and Red Hat Vulnerability Scanner Certification program.
- USTLP:CLEAR
Context Matters: Qualitative Insights into Developers’ Approaches and Challenges with Software Composition Analysis
Elizabeth LinElizabeth Lin (North Carolina State University, US)
Software Composition Analysis (SCA) is an important part in the software security lifecycle. Establishing the individual software components and versions that make up an application allows for identifying and remediating vulnerabilities. However, SCA tools have not kept up with the ever growing number of new vulnerabilities each year. Developers are flooded with vulnerability alerts and often struggle to quickly remediate critical issues with external components.
We conducted 16 interviews with developers to investigate their processes and challenges around using SCA in their software projects. Interviews covered how SCA tools are integrated into workflows, how reports are interpreted and acted upon, and what challenges were encountered. We find that SCA tools are most often integrated into build pipelines and that users report that information in SCA alerts is too generic and lack context. Based on our findings we conclude that context matters throughout the SCA process, including for evaluating impact, when to trigger SCA scan runners, and how to integrate and communicate tool findings.
Elizabeth Lin is a PhD student at North Carolina State University. She is currently part of the WSPR lab, focusing on security research and tools used by developers.
- USTLP:CLEAR
CVE Records: The Cybersecurity Glow-Up You Didn’t Know You Needed
Julia Turkevich
Rina RakipiJulia Turkevich (CISA, US), Rina Rakipi (CISA, US)
CVE (Common Vulnerabilities and Exposures) records are the unsung heroes of the cybersecurity world. But are yours up to the task? This session will dive into how CVE Numbering Authorities (CNAs) can level up their CVE record submissions to create a lasting impact on the global cybersecurity landscape. From enriching CVE records with critical details like Common Weakness Enumeration assignments and Common Vulnerability Scoring System scores to ensuring timely and accurate data, we’ll explore the best practices that make all the difference. Whether you're a CNA or part of the cybersecurity community, this talk will show you how improving the quality of CVE records can strengthen defenses and enhance threat detection across the digital ecosystem. Get ready to take your CVE game to the next level and be a champion of cybersecurity!
Rina Rakipi specializes in cultivating strategic partnerships to enhance vulnerability programs through Secure by Design principles at the Cybersecurity and Infrastructure Security Agency (CISA). As a leader of the Secure by Design Alert publication series, she is dedicated to mitigating recurring vulnerabilities at scale in software products, fostering a more secure technological landscape for the nation. Rina also plays a key role in driving the enhancement of the CVE Program, ensuring that CVE records are complete, accurate, and published in a timely manner to improve cybersecurity resilience across the nation. Previously, she served as a lead technical editor and writer for major joint cybersecurity publications for the Agency. Rina holds a Bachelor of Arts
in International Relations from Michigan State University and a Master of Engineering in Cybersecurity Policy and Compliance from the George Washington University. Much of her work falls at the intersection of the two increasingly interconnected disciplines.
Julia Turkevich leads CISA’s CVE Numbering Authority (CNA) Recruitment efforts. As a member of the Vulnerability Response and Coordination Branch in CISA-CSD-Vulnerability Management (VM) subdivision, Julia works to advance maturity across the cybersecurity ecosystem, particularly in the critical infrastructure, industrial control systems (ICS), and medical device sectors. Since becoming a Root in the CVE Program in 2020, CISA has announced over 50 new CNA Partners and continues to actively recruit CNA partners that are committed to proactive and responsible vulnerability disclosure.
CVE-Glow-Up-.pdf
MD5: 427e58e74093c000b30ce6c044b73e16
Format: application/pdf
Last Update: April 21st, 2025
Size: 3.09 Mb
- USTLP:CLEAR
CVSS v4.0 By The Numbers
Nick LealiNick Leali (Cisco and CVSS SIG Chair, US)
CVSS v4.0 has been with us for a little over a year, and quite a bit of data exists out there to tell us about how vulnerability scores may change between CVSS v3.1 and v4.0 assessments.
If you are concerned about the impact that adopting CVSS v4.0 will have on your environment, interested in learning about how the numbers may change, or if you want to craft a narrative using math to either push for v4.0 adoption or avoid it entirely, then this talk is for you! I will go through an analysis of the changes between CVSS v3.1 and v4.0 scores, giving you the context necessary for understanding how adoption may impact vulnerability disclosure and vulnerability management.
In addition to the numbers, we'll discuss some of the shortcomings of CVSS v4.0 and how you can use the standard to its full extent. You can even use the tool I developed to create this talk to look at CVSS v3.1 and v4.0 data in your own environment!
Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make transition to the new version of the standard easier for vendors and consumers.
Nick works for Cisco as a PSIRT incident manager.
CVSS-SIG-VulnCon-2025.pdf
MD5: 1e8e3ef166dabacada90cc5ee66e5fba
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.19 Mb
- FRTLP:CLEAR
Distribution Builders Meet VEX (Virtual)
Marta Rybczynska (Ygreky, FR) (FR)
The Yocto Project allows embedded vendors to build their custom Linux (and not only) distributions from scratch, so from the source code. This talk explains the challenges we faced when adding support for multiple vulnerability databases and trying to express our "VEX-like" data as VEX.
Marta Rybczynska has a network security background and 20 years of experience in Open Source. She has been working with embedded operating systems like Linux and various real-time ones, system libraries, and frameworks up to user interfaces. In the recent years she has worked in Open Source security, setting up best practices and processes. She is currently helping Eclipse Foundation as a Technical Program Manager for the Security Team, where she is managing the vulnerability reporting process.
- USTLP:CLEAR
Don’t Forget the Little Guy: Vulnerability Management in Operational Technology
Alex Assante (Network and Security Technologies , US), Kylie McClanahan (Bastazo, US)
What comes after coordinated vulnerability disclosure (CVD)? When the issue is confirmed and the advisory is published, what comes next?
Vulnerability management is a mature and robust—if imperfect—process in information technology (IT). The same process, though, poses unique challenges for engineers, technicians, and security teams in operational technology (OT) environments. The difficulties faced in the OT space may not be widely known or understood by vulnerability researchers and IT security professionals. Understanding these differences is key to securing operational environments, which, along with being ever more connected, are also increasingly interdependent with IT systems.
Kylie and Alex will present a view of vulnerability management in OT environments, examining this process in practice at electric utilities. Their presentation will include current approaches, the regulatory requirements specific to the space, data needs, and the unique challenges posed by OT environments."
Alex Assante, Security Consultant at Network + Security Technologies Inc. (NST), is an innovative lead in cybersecurity and critical infrastructure protection with a focus on the development and maintenance of cyber and information security programs. In his current role, Alex supports analysis of technical vulnerabilities in IT and OT environments, reviews and documents cyber security processes, and prepares entities for audits by collecting and validating the quality of evidence artifacts. He is also experienced in the creation of cross-standard mapping tools and integrating corresponding controls from various security frameworks. He grew up in and around the cybersecurity and Industrial Control Systems (ICS) space which ignited his passion for national and critical infrastructure protection and led him to where he is today. Alex is a graduate of Westminster college with a degree in computer science. He holds GIAC Critical Infrastructure Protection (GCIP) and the GIAC Response and Industrial Defense (GRID) certifications.
Kylie McClanahan, Chief Technology Officer (CTO) at Bastazo, is a forward-thinking leader with expertise in cybersecurity and critical infrastructure. With nearly a decade of experience in the electric utility sector and as a PhD candidate in Computer Science (expected May 2025), Kylie plays a pivotal role in advancing cybersecurity solutions for operational technology. At Bastazo, she focuses on leading the technology teams to develop Bastazo’s platform to address vulnerabilities, ensuring the resilience and safety of critical infrastructure. Kylie is passionate about protecting vital systems, advocating for practical solutions, and bridging the gap between research and real-world application. Kylie also holds a GCIP certification from GIAC, the only certification available for the NERC CIP standards.
- USTLP:CLEAR
Exploited CVEs of 2024: Lessons for Vendors and Defenders
Patrick GarrityPatrick Garrity (VulnCheck, US)
In 2024, over 750 CVEs were confirmed as exploited in the wild for the first time. This talk will focus on the trends and patterns observed in these known exploited vulnerabilities, offering comprehensive analysis to empower both vendors and defenders.
Key Takeaways: Insights into 2024 exploited CVE trends and patterns. A look at how known exploitation maps to common vulnerability metadata. A deep dive into examples of last year’s exploited vulnerabilities and how to identify risks before exploitation occurs. Recommendations on how vendors and defenders can get early indicators that a threat actor might exploit a vulnerability.
Patrick Garrity is a security researcher at VulnCheck where he focuses on vulnerabilities, vulnerability exploitation and threat actors. Patrick has spent the last decade helping building Cybersecurity companies including Duo Security, Censys, Blumira, Nucleus Security and VulnCheck.
- USTLP:CLEAR
From Idea to Open-Source: Building CNA-GURU, a Generative AI Assistant for Security Advisories
Ryan NoletteRyan Nolette (AWS, US)
This presentation will share the story of how an idea born at the VulnCon 2024 conference grew into CNA-GURU, an open-source generative AI assistant to help security professionals manage the complexities of working with security advisories. The speaker will discuss the motivation behind creating the tool, the challenges faced by security teams in keeping up with the volume and complexity of vulnerability reports, and the iterative process of developing CNA-GURU through collaboration with industry peers. The presentation will provide a detailed overview of the tool's features, its evolution from a proof-of-concept to a robust solution, and the techniques and technologies used to build it, including the leveraging of AWS Bedrock. The audience will gain insights into the benefits of using generative AI to streamline security advisory tasks and the potential for such tools to improve the efficiency and consistency of vulnerability management.
Ryan is AWS's Senior Security Engineer for the Outreach Team and CoAuthor of AWS Detective. He has previously held a variety of roles including threat research, incident response consulting, and every level of security operations. With almost 2 decades in the infosec field, Ryan has been on the development and operations side of companies such as Postman, Sqrrl, Carbon Black, Crossbeam Systems, SecureWorks and Fidelity Investments. Ryan has been an active speaker and writer on threat hunting and endpoint security.
- NOTLP:CLEAR
From Your Gut to a Gold Standard: Introducing the Admiralty System in CTI
Freddy MurstadFreddy Murstad (Nordic Financial CERT, NO)
This interactive presentation introduces the Admiralty System, a framework for evaluating the reliability of information, originally used for intelligence and now adapted for modern Cyber Threat Intelligence. It explores the system's two core concepts: Source Reliability and Information Credibility, enabling participants to critically assess and rate sources and information using practical CTI examples.
Freddy Murstad is the senior advisor for cyber threat intelligence (CTI) at Nordic Finance CERT (NFCERT) and has a specific focus on strategic reporting, as well as training in structured analysis techniques (SAT) and intelligence for CTI professionals in the financial sector. Murstad is educated in intelligence from King's College London with a focus on cyber security and a master's degree in counter-terrorism from the University of St Andrews, focusing on critical infrastructure. In May 2023, Murstad started his PhD education at the Norwegian University of Science and Technology (NTNU) and will research how to implement intelligence methodology into CTI programs and how AI might change how we do intelligence analysis, and thus, how this may change how we use intelligence in CTI.
- CH
In-Depth Study of Linux Rootkits: Evolution, Detection, and Defense
Stephan Berger (InfoGuard AG, CH)
This talk, "In-Depth Study of Linux Rootkits," will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today.
Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will have the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.
Beginning with an introduction to the fundamental capabilities of Linux rootkits, this talk traces the history of these malicious tools from their origins to their increasingly sophisticated techniques. It categorizes rootkits into kernel-level, user-mode, and hybrid types, explaining their respective methods for hooking kernel functions, intercepting user-space processes, and combining techniques from both realms. The discussion includes an analysis of rootkit persistence mechanisms and stealth techniques, which allow them to remain undetected.
Next, we shift to detection strategies, starting with signature-based detection, which involves identifying known rootkits through specific patterns but also addresses the limitations of this approach. It explores behavioral analysis by monitoring system anomalies and presents case studies demonstrating the effectiveness of this method. The importance of integrity checking is highlighted, emphasizing the challenges in maintaining accurate baselines for system files and binaries.
Furthermore, this talk reviews advanced detection tools and frameworks, providing an overview of popular rootkit detection tools and practical demonstrations of their use. This comprehensive analysis underscores the ongoing battle between rootkit developers and cybersecurity professionals, emphasizing the need for continuous advancements in detection and mitigation techniques.
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.
- LTTLP:CLEAR
Incident Response: How to Get Others in the Organisation to Care?
Živilė NečejauskaitėŽivilė Nečejauskaitė (NRD Cyber Security, LT)
The presentation will focus on engagement with other stakeholders within the organisation. Effective means of communicating and building relationships with specific stakeholders within an organisation can significantly improve response times and mobilisation in the event of a significant cyber incident and prevent the situation from escalating.
During the presentation we will look at how to map the stakeholders within an organisation, how to group them and how to determine the level of engagement with each group. We will also explore the precise communication examples - potential messages to each stakeholder group to create greater engagement and relevance.
Živilė Nečejauskaitė is a communications professional, specializing in change and impact communication. She is a co-trainer of the ITU Academy course on Cyber Crisis Management. Živilė has co-organized and co-hosted several cybersecurity capacity building conferences in East Africa Region, called "Cyber Defense East Africa", one of which has focused on national cyber crisis management. She holds a Master's degree in Communication for Development from Malma University in Sweden. Živilė has worked in the public and private sectors in Lithuania and abroad, and has focused on cybersecurity capacity building for the past 7 years. Currently, she dedicates her time to building frameworks for communication during a cyber incident.
- NL
Incident Response in Kubernetes Environment
Mahdi Alizadeh (Databricks, NL)
Kubernetes has become a critical component of modern production environments, valued for its scalability, flexibility, and ability to streamline container orchestration. However, its complexity and dynamic nature present unique challenges for security incident response. A compromised Kubernetes environment can provide attackers with substantial computational resources and access, enabling activities such as data exfiltration, intellectual property theft, or cryptocurrency mining.
Incident response in Kubernetes requires specialized knowledge, as traditional security practices often fall short in addressing the nuances of containerized systems. For example, the ephemeral nature of containers, combined with limited logging and monitoring practices and insufficient support from detection tools, makes it challenging to detect, contain and respond to incidents effectively. Many security teams are unfamiliar with Kubernetes-specific attack vectors and lack the expertise needed to respond to breaches in such environments.
This presentation will first provide examples of Kubernetes attack chains and highlight techniques—such as privilege escalation through "bad pods"—that are specific to this environment. It will then review critical logs that should be collected and explain how disk and memory forensics can aid in incident response. It will also discuss the challenges that a team might face during the analysis.
Mahdi Alizadeh has 13 years of experience in computer security, spanning both academia and industry. He earned his Ph.D. in computer security from Eindhoven University of Technology. Throughout his career, he has worked in various security operations teams, serving as a security analyst, detection engineer, and security manager.
- USTLP:CLEAR
Investigating Triad Nexus and Pivoting from a Pig Butchering Investment Scam Website into an Entire Malicious Network
Zach EdwardsZach Edwards (Silent Push, US)
This presentation will walkthrough how Silent Push analysts traced pig butchering scams to FUNNULL CDN-hosted money laundering networks, retail phishing campaigns targeting luxury brands, and more. Technical analysis of each step will be provided and explained in-depth as we cover the threat we have dubbed: “Triad Nexus."
Zach Edwards is a Senior Threat Researcher at SilentPush, joining the team in 2024, with a focus on understanding and tracking how APT groups are evolving. His expertise includes a deep knowledge of global data supply chains and advertising systems.
Zach is passionate about Data Privacy, is active in numerous communities, and has been involved in high-profile GDPR complaints, including cases against online dating apps and Google auction systems. Zach has presented at high profile events, including a 2023 Blackhat USA session titled, “Kids in the Ad Fraud Crosshair: Why International Threat Actors are Targeting Children to Steal Money from Banks and Major Corporations.” In 2024, Zach has presented at PIVOTcon, Virus Bulletin, and MWISE on various cyber threats."
- USTLP:CLEAR
KPIs for CSIRTs
Logan WilkinsLogan Wilkins (Cisco, US)
In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:
- Understanding CSIRT Objectives: Participants will gain insights into the core objectives of a CSIRT and how KPIs align with these goals. A comprehensive overview will be provided to establish a foundation for KPI development.
- Identification and Selection of Relevant KPIs: Explore a range of KPIs applicable to CSIRTs, considering factors such as incident detection, response times, and containment effectiveness.
- Metrics and Measurement Techniques: Delve into the methodologies for measuring KPIs accurately. Participants will learn how to define and collect relevant metrics.
- Establishing Baselines and Targets: Understand the significance and pitfall of setting baselines and realistic targets for KPIs. Practical examples and case studies will be discussed to illustrate how organizations can benchmark their CSIRT performance.
- Visualization and Reporting: Learn effective ways to present KPI data through visualizations and reports.
Following this training, participants have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides a opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.
Logan Wilkins currently leads a software engineering team in Cisco’s CSIRT, overseeing development programs related to incident detection and response, data management, and security metrics. Within FIRST he is the co-chair of the Metrics SIG and has served as a Candidate Sponsor for multiple groups. In addition to his experience in Cisco’s security organization, Logan has also worked in e-commerce, pharmaceutical drug discovery and was previously a high school teacher, giving countless students their first introduction to Computer Science.
- JPTLP:GREEN
Lessons Learned From Assigning CWE's to Test Items for Security Assessments
Yuichi KikuchiYuichi Kikuchi (Panasonic PSIRT, JP), Takayuki Uchiyama (Panasonic PSIRT, JP)
At the Product Security Center at Panasonic, we have a team dedicated to testing for vulnerabilities in products prior to shipment. The testing activities cover a wide range of products and has been ongoing for around 20 years.
Identifying and understanding vulnerabilities is easier for a security team than for product development teams. To fill this gap, I explored a way to match CWE's with each test item to both enhance the quality of our tests and vulnerability report outputs. In my talk, I will discuss the CWE assignment process I went through for the test items, some internal trends that I identified about our products, and how CWE has been useful when assigning to test items.. Lastly, I will discuss some of the challenges that I encountered during the CWE assignment process and some progress on the review of test items.
Yuichi Kikuchi joined Panasonic in 2019 out of school and joined the vulnerability testing team at the Product Security Center as his first job in the cyber security field.
His daily work involves vulnerability testing various products and devices for Panasonic business units and alongside that work he thinks about better ways to score and classify vulnerabilities.
Takayuki Uchiyama is a member of Panasonic PSIRT and is responsible for product security activities at the business divisions overseas. His main roles include, the handling of vulnerabilities, creating and conducting product security training to product developers and providing assistance to product development teams related to product security as necessary. Aside from his role in Panasonic, Takayuki has been a CVE Board Member since 2016. Prior to joining Panasonic, Takayuki worked at JPCERT/CC, where his main tasks involved the coordination of vulnerability reports with PSIRTs, taking part in various discussions groups related to the identification / analysis / coordination / disclosure of vulnerabilities.
- AUTLP:CLEAR
Let’s Talk About Fitness for Purpose: Comparing and Contrasting the CVE List with OSV.dev
Andrew Pollock (OpenSSF, AU)
Last year the CVE Program turned 25. This year OSV.dev turns 4.
The CVE Program's federated approach enabled scaling of CVE issuance, but failed to implement any meaningful record quality enforcement. This means the data quality problem scales with CNA growth.
This presentation compares the venerable CVE Program's approach with the 4 year old OSV.dev and offers suggestions on how things can be improved.
Andrew Pollock has most recently been a Senior Software Engineer on Google’s Open Source Security Team (GOSST), working on OSV.dev. He is passionate about consistent high quality, machine readable vulnerability metadata for detecting and remediating vulnerabilities in open source
software. He is based in Brisbane, Australia.
- NL
Emanuele MezziEmanuele Mezzi (Vrije Universiteit Amsterdam / Ethikon Institute, NL)
Several recent works have argued that Large Language Models (LLMs) can be used to tame the data deluge in the cybersecurity field, by improving the automation of Cyber Threat Intelligence (CTI) tasks.
We present an evaluation methodology that other than allowing to test LLMs on CTI tasks when using zero-shot learning, few-shot learning and fine-tuning, also allows to quantify their consistency and their confidence level. We run experiments with three state-of-the-art LLMs and a dataset of 350 threat intelligence reports and present new evidence of potential security risks in relying on LLMs for CTI.
We show how LLMs cannot guarantee sufficient performance on real-size reports while also being inconsistent and overconfident. Few-shot learning and fine-tuning only partially improve the results, thus posing doubts about the possibility of using LLMs for CTI scenarios, where labelled datasets are lacking and where precise confidence model estimates are necessary to rely on LLMs predictions.
Emanuele Mezzi is researcher at VU Amsterdam and TNO, where he focuses on the applications of AI to cybersecurity and threat intelligence. Concurrently he is also co-founder and AI Lead Researcher at Ethikon Institute, where he focuses on the development of methodologies to make LLMs explainable and trustworthy. Emanuele holds a BSc in Computer Science from the University of Salerno and an MSc in Data Science from the University of Amsterdam
- RS SETLP:CLEAR
Localization of Transits I Course in the Republic of Serbia
Marko Krstić
Vladimir BoborMarko Krstić (SRB-CERT (RATEL), RS), Vladimir Bobor (SIRT Officer Swedbank CDC, SE)
SRB-CERT has a tradition of organizing cybersecurity related workshops and trainings for different stakeholders in the Republic of Serbia. In order to further educate existing CERTs and to motivate establishment of new ones, National CERT and Cybersecurity Network Foundation with the support of EU project "Cyber Balkans" localized Transits I to Serbian language and incorporate details about legal framework of Serbia. In this talk we will present results of our efforts, as well as approach we took to successfully localize Transits I course.
Marko Krstić completed his bachelor, master, and doctoral studies at the School of Electrical Engineering in Belgrade. He has been working in the field of information technology and security at the Regulatory Authority for Electronic Communications and Postal Services (RATEL) for almost ten years. He is currently serving as the Head of the Cyber Security Division and National CERT Affairs in the RATEL. Marko was part of several projects related to the application of artificial intelligence for children protection on the Internet as well as for digital forensics at the European level.
Vladimir Bobor was born 1971 in Belgrade, Serbia. He has lived in Stockholm, Sweden since 1994. He achieved and B.Sc. in Computer Engineering in 2000 and 2006 his M.Sc. with a specialization in Information and Communication Systems Security from Royal Institute of Technology (KTH) Stockholm. In 2024 he joined Swedbank CDC team as incident handler. He has long experience in Information Security field; Network Security and Computer-Network Forensics. Vladimir was a member of TF-CSIRT Steering Committee from 2014 – 2019; 2020-2023, and is one of initiators of Swedish CERT Forum.
- LUTLP:CLEAR
LUKS Full Disk Encryption Upside-Down
Michael HammMichael Hamm (CIRCL, LU)
A use case where full disk encryption do not do what you expected, and you should be aware of it.
A live demo where I show, what happen with plaintext data, that was stored on the disk before full disk encryption got activated.
Michael Hamm has worked for more than 10 years as Ingénieur-Sécurité in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “CRP Henri Tudor” in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.
dfir-kickstart.pdf
MD5: b7a09d5d9dfe2147dcbd9f2183d9fdac
Format: application/pdf
Last Update: January 7th, 2025
Size: 177.47 Kb
Luks.pdf
MD5: 3afa308a3b9a7a3280b3919c3e1d5cff
Format: application/pdf
Last Update: January 7th, 2025
Size: 251.51 Kb
- GB USTLP:CLEAR
Madness of Vulnerability Management in Modern Cloud, Container, How to Win the Battle Practitioners View
Francesco Cipollone
Nate SandersFrancesco Cipollone (Phoenix Security , GB), Nate Sanders (Bazaarvoice , US)
Abstract: Navigating the Challenges of Risk-Based Vulnerability Management in a Cloud-Native World
Since 2015, the advent of containerized environments and modern software development practices has transformed how we build and secure applications. These advancements have redefined the cybersecurity landscape, introducing unprecedented challenges in vulnerability management related to scale, complexity, and data consistency. This panel discussion brings together two leading experts to explore how a risk-based approach can address these challenges, offering actionable insights and methodologies.
Key Topics:
-
The Inconsistency of Data: Fragmented and siloed security data often hampers efforts to prioritize vulnerabilities effectively. The panel explores strategies to consolidate and normalize data from disparate tools and environments, enabling a unified view that supports informed decision-making.
-
Vulnerability Management at Scale: Managing vulnerabilities in sprawling, dynamic infrastructures demands innovative approaches. The speakers share insights into automating prioritization and remediation workflows, addressing the unique challenges of containerized and serverless architectures.
-
Reachability Analysis: Identifying exploitable vulnerabilities through reachability analysis has emerged as a game-changer. The panel discusses how contextualizing vulnerabilities within the software supply chain and runtime environments can help organizations focus their resources on the most critical risks.
Learning Objectives:
Attendees will gain a deeper understanding of:
- How to overcome the barriers posed by inconsistent data in vulnerability management workflows.
- Best practices for managing vulnerabilities across diverse and rapidly scaling environments.
- The value of incorporating reachability analysis into risk-based prioritization to reduce noise and focus on actionable threats.
This panel discussion explores the challenges of risk-based vulnerability management in a cloud-native world, focusing on overcoming data inconsistency, managing vulnerabilities at scale, and leveraging reachability analysis. As organizations navigate complex, dynamic infrastructures, fragmented security data and the sheer volume of vulnerabilities pose significant hurdles. The session highlights strategies for consolidating data, automating prioritization, and contextualizing vulnerabilities within their runtime and supply chain environments. Designed for security leaders, the talk provides practical insights, real-world use cases, and actionable methods to scale and modernize vulnerability management in an interconnected, containerized ecosystem.
Francesco Cipollone is a renowned entrepreneur and CISO, founder of Phoenix Security, an ASPM platform offering actionable, contextual code-to-runtime insights. A multi-award-winning podcast host, author, and global speaker, Francesco is known for his visionary contributions to cybersecurity. He serves on the UK&I Cloud Security Alliance Chapter board and is a faculty member at IANS on application and cloud security. His insights have appeared in Forbes, Helpnet Security, and Hacker Noon, and he has been featured in prominent podcasts like Application Security Weekly and Cloud Security Podcast. Francesco has keynoted at major conferences such as AppSec Cali and Cyber Security & Cloud Expo, and previously led application and cloud security at HSBC and served as Senior Security Consultant at AWS. An avid marathon runner, snowboarder, and whiskey enthusiast, Francesco balances his professional accomplishments with a passion for adventure and fine spirits.
Nate Sanders, also known as mauvehed, has traversed a long and winding career path through hacking, system and network administration, computer security, and leadership. Now leading people across security engineering and security operations, he takes great pride in building teams, developing individuals, and solving business challenges. With expertise spanning vulnerability management, application security, and the ever growing cloud, he combines technical acumen with strong leadership and collaboration skills to drive impactful results. Outside of his professional exploits, Nate is a vocal advocate for mental health, frequently speaking on topics such as ADHD, Autism, CBT/DBT, and EMDR, with a mission to normalize mental health conversations in the workplace and society.
- ROTLP:CLEAR
Managing Vulnerabilities through SSDLC
Luci Stanescu (Canonical , RO)
Canonical has recently implemented a company wide Secure Software Development Lifecycle (SSDLC), that aims to systematically address security concerns, and manage vulnerabilities throughout the companies entire portfolio.
In this talk I will share how these policies allow us to prevent and respond to vulnerabilities, and how this can be achieved with very minimal security team. The lessons learned through this process will be shared, to allow others to better manage their company-wide vulnerability posture, and maximise the results they can achieve.
Luci Stanescu is Security Engineering Manager at Canonical, part of the team responsible for the security maintenance of Ubuntu and the Canonical PSIRT. With almost 20 years of professional experience, he is passionate about making information security matter and an advocate for not treating cybersecurity regulations and standards as a tick-box exercise.
- JETLP:GREEN
Never mind the Pollocks: Aligning Incident Response with Emergency Response Using JESIP
James McLarenJames McLaren (Jersey Cyber Security Centre, JE)
“We should be learning from the way emergency services operate, not reinventing the wheel”. Staff at JCSC who heard this at TRANSITS 1 last April had an almost immediate chance to do this after being invited to JESIP training. This session explains some of the principles behind JESIP, looks at how we might use it for alignment in our context, and seeks to open up a conversation about how it might go elsewhere.
James McLaren, the Senior Analyst at the Jersey Cyber Security Centre, still has no programming chops to speak of after spending 19 years with the UK Civil Service (where he designed and delivered an early Internet security training course in 2001) and eight with a managed security service provider in Jersey - but he is really quite good at acquiring and analysing information, and no slouch at writing about it either. He’s #ActuallyAutistic, makes a mean Hungarian gulyas, and still speaks Russian just about well enough to tell Putin where to stick it.
NMTP-CLEAR-version.pdf
MD5: fdb582a4d19497aeb347d2f04282e2e5
Format: application/pdf
Last Update: January 28th, 2025
Size: 1.07 Mb
- USTLP:CLEAR
No Action Required: CVE for Software as a Service
Art ManionArt Manion (ANALYGENCE Labs, US), Lisa Olson (Microsoft, US), Don Bailey (AWS, US), Michael Coté (Google , US)
Fixing or otherwise mitigating a vulnerability requires action. By someone. For user- or customer-controlled software, this “someone” is the user or customer who performs actions such as update, upgrade, patch, make a change configuration, rebuild, or fetch new dependencies. For software as a service, this “someone” is the service provider, while the user or customer may not need to take any material action. A browser refresh, session timeout, or a new API call uses the fixed software. What does it mean to assign CVE IDs to no-user-action” vulnerabilities? What are the costs and benefits? Is there danger of decreasing the CVE signal-to-noise ratio? How do changes in the CNA Operational Rules apply? A panel of major cloud service CNAs will discuss these questions and more.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Lisa Olson is a Principal Security Program Manager at Microsoft, has a lot to do with patch Tuesdays, and a CVE Board member since 2018.
Don "Beetle" Bailey Senior Principal Security Engineer at AWS, previously MITRE, previously U.S. Army.
Michael Coté is a veteran with 82nd Airborne. Lead for Google Cloud VRP and Vulnerability Response which includes publishing CVEs for critical vulnerabilities within Cloud.
- USTLP:CLEAR
Numbers Game: The Case for Quantifying Cyber Threats
Scott SmallScott Small (Tidal Cyber, US)
Most CTI practitioners agree that threat prioritization is essential, but consensus hardly exists on how to prioritize something as complex as one APT group or ransomware operation over another. This session outlines why, after a decade supporting & consulting 100+ intelligence teams, the speaker firmly believes that quantification is the solution for more consistent & less biased threat prioritization, highlighting a tangible, successful case study from the physical security space (an ongoing U.S. government cargo security program launched in 2001). Then, we will dive into a review of numerous public data sources that can yield value for threat quantification, and a simplified methodology for using that data to generate rank-ordered lists of priority threats.
Scott Small is a security & intelligence practitioner and expert in cyber threat intelligence & threat modeling, open source research & investigations, and data analysis & automation. He currently serves as Director of Cyber Threat Intelligence at Tidal Cyber. Scott has advised enterprise and public sector security teams across maturity levels on technical and strategic applications of intelligence and on using technology to help identify and mitigate organizational risk. Throughout his career, he has briefed and trained large and small audiences and has presented original content at major security conferences, including DEFCON, FIRSTCON, MITRE ATT&CKcon, & BSides, and ISAC & other industry events.
Scott is an active member of the professional security and intelligence communities and a proponent of open-source information for upskilling and strengthening our collective security. In addition to contributing to community projects, he has published independent projects that aggregate and streamline publicly accessible security resources, as well as his own original tools & resources.
- PLTLP:CLEAR
OpenEoX - Unified Machine-Readable Approach to Software and Hardware Product Lifecycle Data Representation
Przemysław RoguskiPrzemysław Roguski (Red Hat Product Security, PL)
To perform various security activities like vulnerability management, license compliance or support model verification, software and hardware customers must rely on various metadata like CSAF, VEX or SBOM data. Unfortunately together with the market expansion it’s getting harder to easily find out and verify specific product lifecycles, especially in a machine readable format and easily accessible way. Almost all vendors publish their products' lifecycle data definitions, but there is no standardization around format and delivery method.
In this talk we will focus on both technical and non-technical aspects of precise product identification, product versioning, support model including target dates. We will discuss how significantly it can help customers with various lifecycle or support scope regulatory requirements and security implications.
Przemysław “Rogue” Roguski is a Security Architect at Red Hat who specializes in shift-left security initiatives included in build and release processes. He contributes security analysis work on Red Hat OpenShift and other OpenShift-related products. He also designs security solutions and processes across Red Hat Product Security.
He is focused on the security data improvements, especially security data usability in the vulnerability management process and production of attestation data as a part of the Secure Software Development Lifecycle (SDLC) work to address security issues proactively.
An active participant of various upstream and downstream security initiatives and projects like CWE UEWG, OASIS OpenEoX Technical Committee, CISA VEX Working Group and Red Hat Vulnerability Scanner Certification program.
VulnCon2025-OpenEoX.pdf
MD5: de46274340135c018475c9c930bf536c
Format: application/pdf
Last Update: April 16th, 2025
Size: 471.11 Kb
- DETLP:CLEAR
Operationalization of Sigma Rules
Thomas PatzkeThomas Patzke (Evonik Industries AG, DE)
Log events appear differently in SIEMs. There are plenty of different taxonomies, possibilities for customization or just migration scenarios that make it challenging to generate queries from Sigma rules that match on events in given log repositories. Processing pipelines are a feature of the open-source Sigma toolchain that offer a solution for these challenges and this workshop shows some real-world use cases for them.
For this workshop, Thomas has released a GitHub repository containing some instructions for installation of the prerequisites that participants need for doing the hands-on exercises.
Thomas has 18 years' experience in information security and has done lots of stuff in this area, from offensive to defensive security topics. Now he is doing incident response, threat hunting and threat intelligence at the Evonik Cyber Defense Team. Furthermore, he is co-founder of the Sigma project and maintains the open-source toolchain (pySigma/Sigma CLI).
- FRTLP:GREEN
Post-Incident Remediation at ANSSI: A Full Scale Effort
Christophe RenardChristophe Renard (Agence Nationale de la Sécurité des Systèmes d'Information, FR)
As the French national cyber-security authority, ANSSI, and more specifically CERT-FR has been handling major cyber-incidents since its inception in 2009. It has also faced the rise of destructive cybercriminal attacks when sensitive services were concerned. As such, we see post-incident impact often lasting years after the initial events. To mitigate this, we have launched a multipronged effort to formalize what is post-incident remediation, improve victims support, and encourage private sector offer. This presentation summarize what we have been doing in the last 3 years on the subject and what we plan to do next.
Christophe Renard has been working in multiple roles in IT for 25+ years, in computer security for 13 years, in incident response for 8 years.
At CERT-FR he heads a team dedicated to assist in victims in regaining control and restoring their information systems after cyber-incidents.
- USTLP:CLEAR
Product Security Incident Response at a Fortune 500 SaaS
Garrett McNamara (ServiceNow, US)
Product security incident response at a SaaS technology company comes with challenges and opportunities different from those at a strictly on prem vendor. Rapid risk-based decision-making is enabled by the ability to measure exposure at scale and monitor for exploitation activity. Challenges include easily discoverable and often wide-open Internet connected attack surface area.
Garrett McNamara is a Product Security Incident Response Team (PSIRT) manager. He has a software development and application security background at multiple tech companies. He has a master’s degree specializing in Intelligence Technologies and a bachelor’s in Information Security. He has spoken internationally and self-published his research through blog posts, news articles, videos, and proof of concept code. He has served on multiple non-profit boards and is currently studying his MBA.
He volunteers as a highly trained search and rescue leader specializing in tracking and cold cases at the request of federal, state, and local law enforcement in Virginia and surrounding states. Garrett works remotely from the mountains in Virginia and the Space Coast of Florida.
- DETLP:CLEAR
Quantum Computers: Should We Worry?
Morton SwimmerMorton Swimmer (Trend Micro, Inc, DE)
The potential threat of quantum computers to computer security first emerged in the mid-1990s with Shor's discovery of an exponentially faster algorithm for integer factorization. This threat has become more tangible with the development of real quantum computers over the past decade. Although the immediate risk has not materialized, it continues to pose a significant challenge to forward secrecy. In this talk, I will explore the fundamental differences between quantum and classical computers and explain how Shor's algorithm undermines cryptographic systems. Additionally, I will provide an overview of the current state of quantum machine learning, which, despite significant advancements, remains limited in its practical applications. Although quantum computers are not yet ready for purposes beyond research, I will discuss the key challenges that need to be addressed to bring them into practical use and highlight important aspects to consider. This presentation aims to offer a balanced perspective on this complex and often misunderstood field, where expectations frequently surpass current achievements.
Dr. Morton Swimmer is a researcher in the Forward-Looking Threat Research (FTR) team in Trend Micro Research. His focus is on future threats, especially Web3, machine learning and quantum computing.
His experience in computer security stretches back past 35 years with the founding of the first European malware research lab (VTC) at the University of Hamburg, Germany in 1988 and he has been involved in most of the innovations in security, first at university, later IBM Research and now Trend Micro. Early activities included malware analysis and computer forensics for which he built an early Malware sandbox system in 1992. This led to the development of the Digital Immune System at IBM Research, a fully automated virus analysis and signature generation system. More recently, he has been researching machine learning techniques, probabilistic reasoning and CTI ontologies to automate detection, hunting and mitigation of threats. New research topics also include the nascent Web3 technology stack and quantum computing’s effect on security issues, both positive and negative. He currently organizes the BSidesMunich and Elbsides security conferences.
Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and currently resides in the Hamburg, Germany area.
- USTLP:CLEAR
Resolution Revolution: Turbocharging Security Ticketing Timelines
Joseph Seasly (Adobe, US), Shruti Datta Gupta (Adobe, US)
Explore how to streamline the resolution of security tickets, including those from PSIRTs and bug bounty programs, by effectively gathering and integrating
knowledge from company, product, and expert insights. This session will highlight the role and limitations of AI in the ticket resolution process, enabling more efficient and informed outcomes. Discover how to build a comprehensive system that incorporates continuous feedback loops, driving iterative improvements and ensuring your team is well-prepared to address the complexities of modern security challenges.
Joseph Seasly is currently on the Security AI & Data Engineering team at Adobe. In his former life, he spent 13 years in the U.S. Intelligence Community working in a variety of agencies, technical roles, and missions.
Shruti Datta Gupta is a Product Security Engineer at Adobe where she works in Security AI & Data Engineering. Her current role involves building AI-powered tools to automate security processes and reduce engineering toil. She is passionate about applying AI to solve challenging problems in security and has worked on projects ranging from draining car batteries to predicting attacker behavior in a network, all using AI.“
Resolution-Revolution.pdf
MD5: 5f3a6d64b687b4f026227c96c0bc5ed9
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.21 Mb
- BETLP:GREEN
Scaling Vulnerability Management: A Scale-Up's Journey to Enterprise-Grade Security
Niels HofmansNiels Hofmans (Intigriti, BE)
Rapid growth presents unique security challenges for scale-ups. Limited resources necessitate efficient vulnerability management practices to meet stringent security requirements. This presentation details a pragmatic approach to scaling vulnerability management, emphasizing the crucial role of metadata. We will share our journey of building a custom vulnerability management pipeline in Go, integrated with our SIEM system, and demonstrate how enriching vulnerability data with threat intelligence and business context drives effective prioritization. Attendees will gain practical insights into
leveraging vulnerability metadata for actionable security decisions. Our approach centers on a custom-built Go pipeline that seamlessly integrates various vulnerability data sources, enriching them with threat intelligence and business impact
assessments. We'll showcase how this data-driven approach informs prioritization and empowers stakeholders through
self-service portals and SIEM dashboards, providing clear visibility into vulnerability trends and remediation progress. This presentation offers valuable takeaways for organizations seeking to optimize their vulnerability management processes and maximize their security posture with limited resources.
Niels Hofmans is the Head of Security at Intigriti, Europe's largest bug bounty platform which connects 125,000+ security researchers worldwide to customers' assets. He manages cloud security, SoC, threat intelligence, application security, compliance, detection & response, infrastructure, incident response & more. When not with his head in the trenches, he spends time writing experimental security tooling or consulting for customers to make the world a safer place.
- NL
Scattered Spider's Cloud Tactics: Understanding the Ransomware Deployment Life Cycle
Arda Büyükkaya (EclecticIQ, NL)
In today's cloud-centric business landscape, cyber threat actors are increasingly targeting cloud infrastructures to conduct high-impact ransomware attacks. This presentation delves into the tactics, techniques, and procedures (TTPs) of the threat actor known as Scattered Spider, with a focus on understanding their ransomware deployment life cycle within cloud environments.
Drawing from in-depth research and real-world case studies targeting the insurance and financial sectors, we will explore how Scattered Spider employs advanced social engineering methods—such as voice phishing (vishing) and SMS phishing (smishing)—to compromise high-privileged accounts like IT service desk administrators and identity administrators. The session will examine their use of SIM swapping to bypass multi-factor authentication (MFA) and gain unauthorized access to critical cloud services and Software as a Service (SaaS) platforms.
We will uncover how Scattered Spider leverages legitimate cloud features, including Cross-Tenant Synchronization in Microsoft Entra ID and federated identity providers, to establish persistent access and escalate privileges within compromised environments. The talk will highlight their use of open-source tools for cloud reconnaissance, their methods for impairing security tools, and their strategies for evading detection—such as utilizing remote monitoring and management (RMM) tools, protocol tunneling, and creating unmanaged virtual machines.
Furthermore, the presentation will dissect Scattered Spider's ransomware deployment strategies targeting cloud Infrastructure as a Service (IaaS) platforms like VMware ESXi. We will discuss their automated deployment tactics, and cloud-native tools to execute ransomware payloads efficiently, making recovery efforts more challenging for victims.
By mapping out Scattered Spider's comprehensive attack life cycle—from initial cloud account compromise to ransomware execution—we aim to equip cybersecurity professionals with actionable insights to bolster their cloud security posture. The session will conclude with prevention opportunities, offering best practices in authentication and account security, cloud environment hardening, and detection queries to identify and mitigate malicious activities.
Key Takeaways:
- Understand the new TTPs used by Scattered Spider in cloud environments.
- Gain insights into the ransomware deployment life cycle within cloud infrastructures.
- Learn how to detect and prevent similar attacks through practical security measures.
- Explore real-world incidents and case studies for a comprehensive understanding of the cloud threat landscape.
Arda Büyükkaya is a Senior Cyber Threat Intelligence Analyst with experience in advanced threat analysis, proactive threat hunting, and incident response. Specialized in tracking financially motivated cybercriminals and nation-state actors. Authored intelligence reports uncovering novel adversary tactics, techniques, and procedures (TTPs), providing actionable intelligence that supports Fortune 500 companies and government entities in enhancing their threat detection and response strategies.
ArdaBuyukkaya.pdf
MD5: 3272b3be6ea9070d5dfe32c70c29ab65
Format: application/pdf
Last Update: April 23rd, 2025
Size: 3.72 Mb
- FR LUTLP:CLEAR
Scoring Vulnerabilities by Leveraging Activity Data from the Fediverse
Cédric Bonhomme
Alexandre DulaunoyCédric Bonhomme (CIRCL, FR), Alexandre Dulaunoy (CIRCL, LU)
We have observed that vulnerabilities, proof-of-concepts (PoCs), and remediation strategies are frequently discussed online before they are officially published—sometimes from just a few hours to several weeks in advance.
Twitter’s restriction on free API access has impacted many communities that relied on its data. Meanwhile, Twitter is increasingly being abandoned in favor of Mastodon, especially within the infosec community. Consequently a new category of social network is emerging, more decentralized and more challenging to monitor. Of course, our work is not limited to social networks.
Monitoring information and discussions related to vulnerabilities across the web is essential. We believe that enriching vulnerability information before its public release can be highly beneficial for analysts. When people actively seek or exchange information about a vulnerability, it signals that the issue should be prioritized.
Cédric Bonhomme is a seasoned computer scientist with a deep passion for computer security and privacy. From 2010 to 2017, he worked as an R&D Engineer at a research center, specializing in Multi-Agent Systems and Cybersecurity. Since 2017, he has been an integral part of CIRCL, actively contributing to CSIRT operations and the development of innovative open-source software projects. Currently, he serves as the lead developer of Vulnerability-Lookup, driving advancements in vulnerability research and management.
Alexandre Dulaunoy encountered his first computer in the eighties, and he disassembled it to know how the thing works. While pursuing his logical path towards information security and free software, he worked as senior security network consultant at different places (e.g. Ubizen, now Cybertrust). He co-founded a startup called Conostix, which specialised in information security management. For the past 6 years, he was the manager of global information security at SES, a leading international satellite operator. He is now working at CIRCL in the research and operational fields. He is also a lecturer in information security at Paul-Verlaine University in Metz and the University of Luxembourg. He is also the lead developer of various open source tools including cve-search and member of the MISP core team. Besides his activities in cyber-security, he's also fond of generally fixing anything that's broken around the office.
- USTLP:CLEAR
Securing the Future: Navigating AI Vulnerabilities and Evolving Security Practices
Lisa Bradley
Sarah EvansLisa Bradley (Dell, US), Sarah Evans (Dell, US)
As artificial intelligence (AI) becomes increasingly integrated into software products, it introduces new types of vulnerabilities that challenge traditional security practices. This talk will explore how AI-specific vulnerabilities, such as adversarial attacks and model poisoning, necessitate changes in product security vulnerability response. This talk will also propose areas of the AI supply chain that will need to evolve to improve vulnerability management. By examining the unique characteristics of AI supply chain components, vulnerabilities and the evolving landscape of AI security, we will discuss how organizations can adapt their vulnerability management strategies to address these emerging threats. The presentation will highlight current best practices, case studies, and future trends in AI security.
Dr. Lisa Bradley is a distinguished cybersecurity expert and visionary leader, currently serving as the Senior Director of Product & Application Security at Dell Technologies. With over two decades of experience in enterprise-class engineering, including 13 years in Product Security leadership, she has established herself as a trailblazer in product security and vulnerability management. In her current role, Dr. Bradley oversees Dell’s Product Security Incident Response Team (PSIRT), Bug Bounty Program, Dependency Management, and supports Dell’s SBOM initiative.
Outside of her professional life, Lisa enjoys quality time with her three children. She actively participates in cybersecurity speaking opportunities and podcasts, and supports industry growth through contributions such as being a co-author of the FIRST PSIRT Services Framework. Her unwavering dedication to cybersecurity and extensive industry experience make her a leading figure in the ever-evolving landscape of technology and cyber defense, fostering trust and innovation.
Sarah Evans is a security innovation researcher at Dell Technologies on the global CTO research and development team. She leverages diverse experiences as an IT and security practitioner to improve security by design in emerging technologies. Prior to Dell, Sarah has had roles in the finance, defense, manufacturing and education industries. Sarah also contributes to efforts to help secure the open-source software supply chain. These include contribution in SCORED and OpenSSF as Governing Board observer and AIML Working Group. Sarah is based in Denver, Colorado.
- JP USTLP:GREEN
SIG Activities Update (Spring 2025)
Hendrik AdrianKrassimir Tzvetanov, PHDHendrik Adrian (LACERT, JP), Krassimir Tzvetanov, PHD (Purdue University, US)
Authors: Krassimir Tzvetanov, PhD and Hendrik Adrian (SIG Chairs)
Date: April 21, 2025
This presentation is for FIRST Members only, authentication is required on FIRST Portal to preview the video.
SIG Activities Update (Spring 2025)
April 29, 2025 09:00-09:15
- USTLP:CLEAR
Streamlining Vulnerability Management: The Power of VEX Inheritance in Container Ecosystems
Jessica Butler (NVIDIA, US), Kaajol Dhana (NVIDIA , US)
This talk introduces an innovative approach to parent image detection and management that leverages Vulnerability Exploitability eXchange (VEX) inheritance. The presentation addresses the critical challenges of maintaining secure and compliant container ecosystems in large-scale environments
by exploring a system designed to track approved parent images, their associated VEX statements, and perform in-pipeline detection and compliance checks.
This groundbreaking method enhances container security by ensuring the use of approved base images while streamlining vulnerability management through VEX inheritance. By automatically suggesting VEX information from parent images to child images, the system significantly reduces false
positives and focuses attention on truly exploitable vulnerabilities. DevOps teams, security professionals, and incident responders will gain valuable insights into automating parent image tracking, inheriting VEX statements across image layers, and conducting more accurate vulnerability assessments throughout the container lifecycle, ultimately transforming container security postures and accelerating vulnerability triage processes.
Jessica Butler is an engineering manager for NVIDIA’s Product Security Tools team. Her passion is providing an easy button for security tools by designing and implementing internal enterprise applications with a focus on developer integration and support. Jessica has over 18 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. In her free time Jessica enjoys gardening and traveling with her family.
Kaajol Dhana is a software engineer for NVIDIA’s Product Security Tools team. She is interested in container security and providing actionable and insightful reports for teams to be able to remediate security risks. Kaajol has over 5 years of experience and earned her BS in Computer Engineering from the University of Texas at Austin. Outside of work, Kaajol enjoys playing tennis, trying out new restaurants, and traveling with her husband.
Power-of-VEX-Inheritance.pptx
MD5: 1a29cc1e6a572a8d01b2689cfbd9e34b
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: April 14th, 2025
Size: 6.51 Mb
- USTLP:AMBER
The Human Factor: Psychological Safety in Cybersecurity Frontlines
Cristiana Brafman KittnerCristiana Brafman Kittner (Google Cloud, US)
Cybersecurity isn't just about technology; it’s fundamentally about people. Cybersecurity's human element is undeniable. Recognizing the link between psychology and psychological safety in cybersecurity frontlines, particularly within incident response, is crucial. Research emphasizes the importance of a blame-free culture where individuals can take risks, share ideas, and learn from mistakes, fostering consistent success.
Cultivating psychological safety can be challenging, especially in high-stakes environments like cybersecurity incident response. Strategies to address this include prioritizing people over technology, integrating psychological safety into onboarding, and fostering a culture of trust and transparency. By prioritizing psychological safety, organizations can unlock the full potential of their cybersecurity teams and bolster their defenses against cyber threats. This approach aligns with global perspectives on effective cybersecurity practices, ensuring a resilient and adaptive defense in the face of evolving cyber risks.
Cristiana Brafman Kittner has over two decades of experience in military strategy, weapons analysis, and strategic defense with a focus on cyber threat intelligence. Currently, Cris is the Chief Analyst at Google Cloud's Product Security Engineering and provides enterprise customers across various industries as well as senior executives and government officials with cutting-edge cyber threat intelligence and risk management solutions. She is a subject matter expert in cyber threat intelligence with a focus on Chinese military strategy, particularly on the development of the People's Republic of China's cyber threat landscape and ecosystem. Cris is a board member of The Diana Initiative and Torchlight. In her spare time, Cris is also engaged as a mentor and coach with Girl Security, The Women's Society for Cyberjutsu, and the Executive Women's Forum.
FIRST-HumanFactor_2025.pdf
MD5: ce83e7a49714b9dc0194a99fbbec205d
Format: application/pdf
Last Update: January 15th, 2025
Size: 3.55 Mb
- USTLP:CLEAR
The National Vulnerability Database (NVD) – Where It Is and Where It’s Going (Virtual)
Matthew Scholl
Tanya BrewerMatthew Scholl (NIST, US), Tanya Brewer (NIST, US)
This presentation will discuss the current status of the NVD, as well as short- and long-term goals of the program. Recent developments, developments planned for later in 2025, and goals looking out 2 to 5 years, along with steps that will need to happen to reach these goals, will be discussed. This presentation will also include the current status of NIST’s Vulntology. There will be a Q&A time at the end.
Tanya Brewer is a Cybersecurity Program Manager at the US's National Institutes of Standards and Technology. She manages the National Vulnerability Database (NVD) Program, so folks around the world can know more about publicly disclosed vulnerabilities. She has worked on technical standards and program management in the areas of cybersecurity and privacy for smart grids, electric vehicles, identity management, biometrics, and industrial control systems; cybersecurity education, and workforce training. She has done so with experts from NIST, ITU-T, OECD, SAE, privacy watchdogs, power companies and co-ops, the Department of State, and the U.S. Senate. She blends her background in public policy and cybersecurity to scale complex, multi-stakeholder programs while keeping them approachable to people of all backgrounds. When not managing her team and thousands of vulnerabilities, she is crafting beautiful miniatures or using a stick to turn string into soft and warm beauty.
Matthew Scholl is the Chief of the Computer Security Division in the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). His responsibilities include Cryptographic Standards used by the US Government and the Nation as well as internationally by allies and NATO partners. He is also responsible for Cybersecurity Research and Development at NIST, as well as Cybersecurity Standards and Guidelines used for Federal Agency Security Programs. He leads NIST participation with Cybersecurity National and International Standards Development Organizations (SDOs) and associated conformance testing programs. Mr. Scholl has a Masters in Information Systems from the University Of Maryland and a Bachelors Degree from the University of Richmond.
- USTLP:CLEAR
Towards a Minimum Viable Enumeration of Vulnerabilities
Art Manion
Jay JacobsArt Manion (ANALYGENCE Labs, US), Jay Jacobs (Empirical Security , US)
Vulnerability databases come in all shapes and sizes and contain a variety of information elements. Some elements overlap across databases, other elements do not and database records can vary in size depending for example on how many references are included or how much software status (“affected”) is provided. These databases and their elements are intended to support vulnerability management which we organize into four phases: discovery, prioritization, mitigation, and feedback. Which data elements contribute to these phases? More importantly, which are required to enable the first essential phase of discovery? A Minimum Viable Vulnerability Enumeration (MVVE) is the smallest possible number of information elements required to discover (identify and disambiguate) a vulnerability. Without an MVVE element, discovery, and therefore vulnerability management in its entirety, are not possible. This talk will define phases of vulnerability management and how information elements support those phases, with a strong focus on the MVVE necessary for the essential first discovery phase. We map the MVVE to a few well-known vulnerability databases, including CVE.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.
MVVE_VulnCon2025.pdf
MD5: db71e705e10aa4571d203f9011932fd0
Format: application/pdf
Last Update: April 11th, 2025
Size: 1.43 Mb
- USTLP:CLEAR
UC2 Risk Ruler for CVSS 4.0: Visualizing Vulnerability Severity and Data Confidence (Virtual)
Rob Arnold (Acorn Pass, US)
The UC2 Risk Ruler enhances the Common Vulnerability Scoring System (CVSS) version 4.0 by integrating confidence levels into vulnerability scores, offering a visual representation that aligns numeric scores with qualitative severity labels and data reliability. While CVSS 4.0 offers standardized quantitative scores mapped to qualitative labels, it lacks a built-in mechanism for representing confidence in the underlying data quality, impacting decision accuracy. The UC2 Risk Ruler addresses this gap by aligning CVSS scores with distinct confidence levels—High, Medium, Low, and Unknown—enabling stakeholders to assess the reliability of vulnerability scores in addition to severity. This framework assists decision-makers by reducing "false precision" in low-confidence data, promoting transparency, and facilitating clear communication across technical and non-technical teams. Practical applications include aiding leadership in determining adequate certainty levels for defensible decisions and allowing teams to gauge model sensitivity to confidence adjustments, ultimately refining vulnerability management and supporting robust cybersecurity strategies.
Rob Arnold is a retired Senior Advisor for Cybersecurity and Risk Management at the National Risk Management Center, part of CISA under the U.S. Department of Homeland Security (DHS). He led the creation of the first National Critical Functions Risk Register to help federal leaders prioritize risk management.
Previously, Arnold was CEO of Threat Sketch, specializing in large-scale cyber risk management. He holds a graduate degree in information security from East Carolina University and is CRISC-certified by ISACA.
He authored Cybersecurity: A Business Solution, a guide for small business risk management, and has represented small organizations before Congress. He was a founding member of the ICT Supply Chain Task Force Executive Council, the first chairman of the North Carolina Center for Cybersecurity, and served on advisory boards for multiple universities.
- USTLP:CLEAR
Updates from the CVSS SIG
Nick LealiNick Leali (Cisco and CVSS SIG Chair, US)
During this talk, Nick will present the recent past, present, and near future business of the FIRST CVSS SIG. Topics include the updates from the CVSS SIG over the past year; results from the CVSS SIG survey; and the progress of CVSS v4.0 adoption.
Please bring your questions and requests for examples to discuss.
Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make transition to the new version of the standard easier for vendors and consumers.
Nick works for Cisco as a PSIRT incident manager.
CVSS-SIG-VulnCon-2025.pdf
MD5: 1e8e3ef166dabacada90cc5ee66e5fba
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.19 Mb
- AUTLP:CLEAR
Vulnerability Data Analysis with Google Spreadsheets and Apps Script for Fun and Profit
Andrew PollockAndrew Pollock (Google Open Source Security Team, AU)
Andrew will share tips and tricks on how to use Google Sheets, Apps Script and the various JSON APIs available from the CVE List, the NVD and OSV.dev to slice and dice vulnerability metadata, based on his experiences in Spreadsheet Engineering
Andrew Pollock has most recently been a Senior Software Engineer on Google’s Open Source Security Team (GOSST), working on OSV.dev. He is passionate about consistent high quality, machine readable vulnerability metadata for detecting and remediating vulnerabilities in open source
software. He is based in Brisbane, Australia.
- PTTLP:CLEAR
Vulnerability Response of Last Resort: Dealing with Un(der)maintained Packages in the Open Source Ecosystem
Diogo SousaDiogo Sousa (Canonical, PT)
The open-source software ecosystem continues to steadily expand, with millions of packages across repositories. However, this growth is not matched by a corresponding increase in maintainers, leading to challenges in package sustainability and opening the door to potential issues in vulnerability management. To help address these issues, open-source distributions can act as a "Vulnerability Responder of Last Resort" for under-maintained packages, providing community guidance and helping to process reports. Also discussed is the particular impact of vulnerability reports on packages facing these challenges.
Diogo Sousa is an Engineering Manager at Canonical, working in support of the Ubuntu Security team’s mission of providing Canonical users with the most secure and reliable open source experience possible. His day-to-day focus is on Ubuntu Pro’s Expanded Security Maintenance offering, prioritizing workloads and coordinating fixes across main and universe packages for all Ubuntu LTS releases.
Outside professional endeavors, but still within arm's reach, he co-leads the OWASP Lisboa chapter, delivers talks at cybersecurity events, participates in alumni events with current students, mentors people undergoing career upskilling, and writes some content here and there.
In his (truly) free time, you can find him cooking (still can't do baking), expanding his movie collection, teaching math, and playing board games.
- US IETLP:CLEAR
Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis
Alec Summers
Chris MaddenAlec Summers (The MITRE Corporation, US), Chris Madden (Yahoo Product Security Team , IE)
Root cause mapping is the identification of the underlying cause(s) of a vulnerability. This is best done by correlating CVE Records and/or bug or vulnerability tickets with CWE entries. Accurate root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This enables trend analysis where a valuable feedback loop into SDLC or architecture design planning can help remove of whole classes of vulnerabilities in organizations’ products. However, widespread adoption of root cause mapping has been elusive due to several challenges including CWE usability, completeness, the diversity of terminology interpretation, and organizational resource constraints, to name a few.
This presentation touches on the value of root cause mapping and recognizes recent adoption in the CNA community, before exploring what is being done to address existing challenges and develop practical solutions. Additionally, we evaluate the performance of a grounded large language model (LLM) tool against the CWE Top 25 Most Dangerous Software Weaknesses dataset. The comparative analysis sheds light on the viability of advancements in LLM capabilities in helping to scale decentralized root cause mapping throughout the vulnerability management ecosystem, offering actionable insights for practitioners and researchers alike.
Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse and extensive experience in software assurance and vulnerability management, as well as cyber operations, assessments, and supply chain risk management. He is MITRE’s CVE and CWE Project Leader, managing teams that support vulnerability and weakness research & analysis, content production, program coordination, infrastructure and services development, and community engagement across a global stakeholder community comprising industry, government, and academia. He also serves as the moderator for the CVE Board.
Chris Madden is a software engineer and system architect building secure trustworthy software at scale for embedded and cloud for 30+ years. He likes to understand things deeply - and uses data analysis and dumb questions to build that understanding. He’s not big on titles, hierarchy or status quo. He does his best work while asleep or on a mountain bike. He works at Yahoo Product Security team. Yahoo delivers value to customers through software; Chris exists to help developers deliver high quality software efficiently and securely. His primary focus is Risk-based prioritization at scale across the DevSecOps pipeline. He led an effort with some industry thought leaders to publish a Risk-based prioritization guide: https://riskbasedprioritization.github.io/. He is now applying LLMs to reduce toil and improve CVE enrichment and capturing his learnings in a guide: https://cybersecai.github.io/ https://www.linkedin.com/in/chrisamadden/
- USTLP:CLEAR
Vulnrichment: Year One (In-Person & Virtual)
Art Manion
Lindsey CerkovnikArt Manion (ANALYGENCE Labs, US), Lindsey Cerkovnik (CISA, US)
Vulnrichment is CISA's effort to fill in the gaps on vulnerability data—namely, gauging impact and risk of vulnerabilities as they are published by CVE. Our approach on tackling the daily dozens to hundreds of vulnerabilities on behalf of the federal government embraces radical transparency, and this talk by Lindsey and Art will go over the requirements for Vulnrichment, the realized and expected outcomes, and the federal government's use of an open forum like GitHub Issues to deal with errors, omissions, and discrepancies.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.
- CATLP:CLEAR
Where Do We Aim? A Look at the State of Vulnerable Software Identification and Its Future (Virtual)
Andrew Suter (BlackBerry Ltd , CA)
How can application, package and library producers help their consumers to stay safe? CPE and PURL are the major contenders for mapping vulnerabilities to impacted software. But which is best? The answer may actually be to use both. Each have strengths and weaknesses, and both have opportunities where they may be able to improve.
Additionally we’ll explore the responsibility of software producers to provide the metadata needed for informed decision making and how organizations like Mitre and NIST can help push us towards a more informed future.
Andrew Suter is the Senior Manager of BlackBerry PSIRT. He has spent the past 10 years reviewing 3rd party vulnerability metadata to efficiently triage and prioritize actions for product engineering teams. Member of OWASP, FIRST PSIRT and CVSS SIGs.
