
Keynote: Vulnerability Data is Not Enough: The Case for an Actionable UI

2022-10-25

Authors: Kara Yimoyines

Summary

The presentation argues that vulnerability data and CVE feeds, on their own, do not make a platform more secure; teams need an actionable user interface on top of that data.
  • Vulnerability data alone is not enough to secure the software supply chain
  • An actionable user interface is needed to automate remediation and understand the blast radius of each CVE
  • A GUI can help prioritize work and alert when things go sideways
  • The GUI should allow annotation of CVEs and weigh the potential harm and risk to the business
  • The GUI becomes the central place to collaborate and communicate with cross-functional teams
  • The GUI should be extensible and interoperable with other tools solving adjacent problems
  • Building accessible tools that do not require exclusive use of the terminal is important
The talk describes platform operators triaging thousands of CVEs while security analysts are pressed to report on compliance with SLAs. The tension between platform operators and developers is real, and the risk of CVE fatigue is high. An actionable interface helps teams prioritize work so that critical CVEs are not dropped, lets analysts annotate CVEs and weigh the potential harm and risk to the business, and becomes the shared place where cross-functional teams collaborate and communicate through one unified view. The talk closes by stressing accessible tooling that does not require living in the terminal.

Abstract

Data without the ability to act on CVEs adds little value to platform hygiene and productivity. As we recognize what we need to secure our software supply chain, we understand that vulnerability data is not enough. Vulnerability data combined with inventory data, in the form of a software bill of materials, is also not enough. Without the ability to automate remediation and understand the blast radius of your CVEs, while maintaining uptime and a golden path to production, the data is not helpful. Security analysts and platform engineers need a complete view tailored to their concerns so they can make sure remediation is done at the right level. In this talk we'll discuss considerations for a user interface that presents the right data to the right teams, empowers them to address bugs or CVEs quickly, and ties in a software bill of materials so they can make sure all affected components and dependencies are remediated.
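The abstract's core claim is that a CVE feed only becomes actionable once it is joined with inventory data (an SBOM) to reveal blast radius, and then weighted with what the business knows about each workload. The following Python is an added illustration of that join, not code from the talk or any product it describes: the inventory, the CVE identifiers (`CVE-0000-000x` placeholders, not real vulnerabilities), the exposure weights and the analyst annotations are all constructed for the example, and the scoring rule (CVSS multiplied by the summed exposure of affected services) is one assumed heuristic, not a standard.

```python
"""Join a vulnerability feed with SBOM inventory to compute blast radius and
a business-weighted priority order. Added example; all data is constructed."""
from collections import defaultdict

# Constructed SBOM-style inventory: deployable image -> (purl, version) list.
# Shape loosely follows a CycloneDX components list; names are illustrative.
INVENTORY = {
    "payments-api:1.4.2": [
        ("pkg:golang/example.com/netlib", "1.2.0"),
        ("pkg:npm/lodash", "4.17.20"),
    ],
    "checkout-web:3.0.1": [
        ("pkg:npm/lodash", "4.17.20"),
        ("pkg:npm/left-pad", "1.3.0"),
    ],
    "batch-reporting:0.9.0": [
        ("pkg:golang/example.com/netlib", "1.3.1"),
    ],
    "internal-wiki:2.2.0": [
        ("pkg:npm/lodash", "4.17.21"),
    ],
}

# Constructed vulnerability feed. IDs are placeholders, not real CVEs.
# "introduced" is inclusive, "fixed" is exclusive, as in OSV-style ranges.
VULNS = [
    {"id": "CVE-0000-0001", "purl": "pkg:npm/lodash",
     "introduced": "4.0.0", "fixed": "4.17.21", "cvss": 7.4},
    {"id": "CVE-0000-0002", "purl": "pkg:golang/example.com/netlib",
     "introduced": "1.0.0", "fixed": "1.3.0", "cvss": 9.8},
    {"id": "CVE-0000-0003", "purl": "pkg:npm/left-pad",
     "introduced": "1.0.0", "fixed": "1.3.1", "cvss": 3.1},
]

# Constructed analyst input: how exposed each service is (assumed 0..1 weight)
# and per-CVE annotations recorded through the kind of GUI the talk proposes.
SERVICE_EXPOSURE = {
    "payments-api:1.4.2": 1.0,     # internet-facing, handles card data
    "checkout-web:3.0.1": 1.0,     # internet-facing
    "batch-reporting:0.9.0": 0.4,  # internal only
    "internal-wiki:2.2.0": 0.2,    # internal, low value
}
ANNOTATIONS = {
    "CVE-0000-0003": {"status": "accepted",
                      "note": "vulnerable code path not reachable; reviewed"},
}


def parse_version(v):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(p) for p in v.split("."))


def affected(version, introduced, fixed):
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def blast_radius(inventory=INVENTORY, vulns=VULNS):
    """Map each CVE id to the services shipping an affected component version."""
    radius = defaultdict(list)
    for service, components in inventory.items():
        for purl, version in components:
            for vuln in vulns:
                if vuln["purl"] == purl and affected(
                        version, vuln["introduced"], vuln["fixed"]):
                    radius[vuln["id"]].append(
                        (service, purl, version, vuln["fixed"]))
    return dict(radius)


def prioritize(inventory=INVENTORY, vulns=VULNS,
               exposure=SERVICE_EXPOSURE, annotations=ANNOTATIONS):
    """Rank CVEs by CVSS times summed service exposure; skip accepted ones.

    A fix that reaches more, or more exposed, services ranks higher than a
    severe CVE confined to one workload. The weighting rule is an assumption.
    """
    by_id = {v["id"]: v for v in vulns}
    ranked = []
    for cve, hits in blast_radius(inventory, vulns).items():
        ann = annotations.get(cve, {})
        if ann.get("status") == "accepted":
            continue  # analyst has signed off; keep it out of the work queue
        weight = sum(exposure.get(service, 1.0) for service, *_ in hits)
        ranked.append({"id": cve,
                       "score": round(by_id[cve]["cvss"] * weight, 2),
                       "affected": hits,
                       "note": ann.get("note", "")})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for item in prioritize():
        print(item["id"], item["score"])
        for service, purl, version, fixed in item["affected"]:
            print(f"  {service}: {purl}@{version} -> upgrade to {fixed}")
```

On this data the raw CVSS ordering (9.8 before 7.4) inverts once blast radius is applied: the lodash issue hits two internet-facing services and outranks the netlib issue that reaches only one, while the left-pad finding disappears from the queue because an analyst annotated it as accepted. `batch-reporting` carries a fixed netlib and is correctly never listed.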

Materials: