5 Big Ideas from VulnCon 2024
Cyber security professionals and stakeholders met in North Carolina for the first annual VulnCon convention focused on vulnerability management.
![](https://eu-images.contentstack.com/v3/assets/blt69509c9116440be8/blt65f492eee3fc6c58/6603432b1637d4040a47537d/DSC_2189_copy.jpg?width=700&auto=webp&quality=80&disable=upscale)
Photo by Shane Snider
This discussion focused on root cause mapping, the practice of identifying the underlying weakness behind a vulnerability. Panelists used various states of bone health as a metaphor for software security.
The panel included Erin Alexander, section chief for ecosystem advancement within the vulnerability management group at the Cybersecurity and Infrastructure Security Agency (CISA); Alec Summers, principal cybersecurity engineer at the MITRE Corp.; Deana O’Meara, senior technical program manager for PSIRT operations at NVIDIA; and MITRE Corp.’s Chris Levendis, a project manager.
“A healthy human bone in this context represents the secure-by-design methodology,” CISA’s Alexander said. “They’re functional and foundationally secure. But as we know, bones can break for a number of different reasons … Each of these reasons represents a different type of weakness. And that’s our analogy for what we’re going into here with root cause mapping.”
MITRE Corp.’s Levendis said even weaknesses that don’t lead to a vulnerability need to be addressed. “Root mapping is a pretty straightforward proposition,” he said. “It’s a function of taking a vulnerability and aligning it with the problem or problems that led to the vulnerability … they don’t always become exploitable vulnerabilities. Root cause mapping takes us to a point where we can begin to understand why the weakness is there.”
Jon Moroney, a security analyst at developer platform GitHub, detailed the company’s advisory database structure and how it allows users to stay up to date with security alerts. Moroney talked about tradeoffs, design goals, and more.
Moroney said all stakeholders need to come together to make GitHub’s database more effective for vulnerability detection and prevention. “We are not perfect. We have issues and they are out in the open for you to see. Similarly, we get advisory data wrong sometimes because we are human … and we live in a world of imperfect information.”
He added, “So, if you are interested, we would love your help. We cannot do this alone … It happens occasionally that we get something wrong, and the community will sort of come together and tell us we’re wrong. This is a good thing. This is a self-correcting mechanism that helps us get better over time.”
Przemyslaw Roguski, a Poland-based security architect for Red Hat specializing in cloud product security, detailed the importance of Software Bills of Materials (SBOMs), which inventory the components that make up a piece of software. SBOMs were a recurring theme throughout the conference.
Red Hat Product Security produces its own “Build SBOM” to aid clients. Roguski described that offering, how it fits into the overall SBOM landscape, and why that ecosystem is important for security.
After his talk, Roguski told InformationWeek that IT leaders can get a better understanding of vulnerabilities by keeping up with SBOMs. “They can tell you what the impact on your environment is, what the impact is on your product and give you a chance to find where else you might be impacted.”
He added that IT leaders can also ask themselves about the next steps. “They can say, ‘What would be the next step and where can I go look for a solution?’ This is something that will give them a clearer picture of how you might be affected by a problem and where to look for additional information.”
Lisa Bradley, Dell Technologies’ senior director of product and application security, and Dell’s Sara Evans, a security innovation researcher for the company’s product and operations global CTO research and development team, hosted a discussion about how more businesses are relying on open source software (OSS).
The discussion delved into the role of SBOMs across the OSS lifecycle and why they matter there.
Johannes Clos, a security expert with the European Union Agency for Cybersecurity (ENISA), hosted a discussion on the EU policy initiatives that have led to changes in coordinated vulnerability disclosure (CVD).
Europe has played a leadership role in developing guardrails around cybersecurity and tech policy, setting the tone for global policy, including efforts in the United States.
“The integral part … when policy developments are taking place that these are being supported by CISA, and we kind of act as a consultant on behalf of policymakers, but also supporting member states.”
VulnCon 2024, the inaugural cybersecurity and vulnerability management conference co-sponsored by the Forum of Incident Response and Security Teams (FIRST) and the CVE Program, kicked off in Raleigh, NC this week, attracting hundreds of industry professionals and experts to share insights about software security, vulnerabilities and more.
Featuring more than 40 sessions over three days, the conference aimed to develop actionable ideas for organizations to bolster their vulnerability management ecosystem.
Pete Allor, senior director of product security for Red Hat and a CVE board member, kicked off the event with opening remarks.
“Every day we hear about a new vulnerability, hack or breach,” Allor said. “Partnering with FIRST to host ecosystem events like VulnCon is a major contribution to providing professionals with the focus of collaborating and coordinating systems and resources.”
The event also gives security professionals the opportunity to explore newer vulnerability initiatives, like the Vulnerability Exploitability eXchange (VEX) requirements. “For an IT leader, this is having a view of the works under the hood … to see the capabilities of the tools to make risk assessments on your infrastructure.”
InformationWeek was on site to cover the event.
The following slides showcase some key moments: