Log4Shell, Spring4Shell, are you tired of being told to drop everything and respond to the next critical vulnerability in an open-source package? Chances are, if you work in the engineering team of any software development organization, the answer is yes. You’ve probably had to pause other projects and throw hours of engineering effort into finding and replacing vulnerable versions of these packages in production code. Open Source Security isn’t a new concept, but it has had many notable moments in the media extending back for over decade. So how do we respond effectively to these "celebrity vulnerabilities" without causing upheaval in our development pipelines and operations?
In this session, Alyssa Miller dives into the lessons learned from three major open source security events, the Equifax breach via Struts, the Log4j vulnerabilities and the Spring4Shell exploit. She’ll use these situations as pseudo case-studies to discuss how security, engineering, and operations teams can streamline a response that allow us to prioritize and execute a response without creating a fire fight each time a new flaw is discovered in a popular package. She will shed light on what approaches have failed organizations in the past and while her solution won’t stop new vulnerabilities from being discovered, it will highlight how we can make them less of a headache going forward.
Chief Information Security Officer @EpiqGlobal
Alyssa Miller is the Chief Information Security Officer (CISO) at Epiq Global. She blends a unique mix of technical expertise and executive presence to bridge the gap that can often form between security and the software development functions. Her goal is to change how we look at the responsibility of information security within our organizations to focus on enabling efficient development and reducing the friction of onerous security practices.
A life-long hacker, Alyssa has a passion for technology and security. She bought her first computer herself at age 12 and quickly learned techniques for hacking modem communications and software. Her serendipitous career journey began as a software developer which enabled her to pivot into security roles. Beginning as a penetration tester, her last 16 years have seen her grow as a security leader with experience across a variety of organizations. She regularly advocates for improved Application Security and DevSecOps practices and shares her research with business leaders and industry audiences through her international public speaking engagements, online content, and as host of Securing Bridges streamed live via ITSP Magazine.