Celebrity Vulnerabilities: Effective Response to Critical Production Threats

Log4Shell, Spring4Shell, are you tired of being told to drop everything and respond to the next critical vulnerability in an open-source package? Chances are, if you work in the engineering team of any software development organization, the answer is yes. You’ve probably had to pause other projects and throw hours of engineering effort into finding and replacing vulnerable versions of these packages in production code. Open Source Security isn’t a new concept, but it has had many notable moments in the media extending back for over decade. So how do we respond effectively to these "celebrity vulnerabilities" without causing upheaval in our development pipelines and operations? 

In this session, Alyssa Miller dives into the lessons learned from three major open source security events, the Equifax breach via Struts, the Log4j vulnerabilities and the Spring4Shell exploit. She’ll use these situations as pseudo case-studies to discuss how security, engineering, and operations teams can streamline a response that allow us to prioritize and execute a response without creating a fire fight each time a new flaw is discovered in a popular package. She will shed light on what approaches have failed organizations in the past and while her solution won’t stop new vulnerabilities from being discovered, it will highlight how we can make them less of a headache going forward.


Speaker

Alyssa Miller

Chief Information Security Officer @EpiqGlobal

Alyssa Miller is the Chief Information Security Officer (CISO) at Epiq Global. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security and the software development functions. Her goal is to change how we look at the responsibility of information security within our organizations to focus on enabling efficient development and reducing the friction of onerous security practices.

A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 16 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved Application Security and DevSecOps practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and as host of Securing Bridges streamed live via ITSP Magazine.

Read more
Find Alyssa Miller at:

Date

Tuesday Mar 28 / 11:50AM BST ( 50 minutes )

Location

Fleming (3rd Fl.)

Topics

application security open source best practices

Share

From the same track

Session Java

Your Java Application Is Slow? Check Out These Open-Source Profilers

Tuesday Mar 28 / 04:10PM BST

Profilers help to analyze performance bottlenecks of your application - if you know which to use and how to work with them. There are many open-source profilers, like async-profiler or JMC. This talk will give you insights into these tools, focusing on:

Speaker image - Johannes Bechberger

Johannes Bechberger

Software Developer @SAP

Session debugging

Deconstructing an Abstraction to Reconstruct an Outage

Tuesday Mar 28 / 10:35AM BST

Abstractions are what allow us to build the complex applications that we all use day-to-day. For example, it's rare for us to care about the precise details of on-disk storage when building an application — that's why databases exist!

Speaker image - Chris Sinjakli

Chris Sinjakli

Infra Engineer @planetscaledata

Session web development

Observable Frontends

Tuesday Mar 28 / 01:40PM BST

As an industry, we’ve made big strides in working within complexity in microservices: we build in observability with OpenTelemetry standards. But what about client-side? This is the most inscrutable part of our system, because it runs on anyone’s computer.

Speaker image - Jessica Kerr

Jessica Kerr

Principal Developer Evangelist @honeycombio

Session

Unconference: Debugging in Production

Tuesday Mar 28 / 02:55PM BST

What is an unconference? An unconference is a participant-driven meeting. Attendees come together, bringing their challenges and relying on the experience and know-how of their peers for solutions.

Speaker image - Shane Hastie

Shane Hastie

Global Delivery Lead @SoftEd, Lead Editor for Culture & Methods @InfoQ

Session

No Instrumentation Observability With eBPF - Are We There Yet?

Tuesday Mar 28 / 05:25PM BST

Gaining interest for the past few years, eBPF promises zero-instrumentation observability with low performance overhead. Sounds like a dream, but are we there already?

Speaker image - Anna Kapuścińska

Anna Kapuścińska

Software Engineer @Isovalent