Session: Say Vulnerabilities One More Time – Ending Open Source Security Fatigue

Log4Shell, Spring4Shell: are you tired of being told to drop everything and respond to the next critical vulnerability in an open-source package? Chances are, if you work in the engineering team of any software development organization, the answer is yes. You’ve probably had to pause other projects and throw hours of engineering effort into finding and replacing vulnerable versions of these packages. Open source security isn’t a new concept, but it has had many notable moments in the media extending back for over a decade. So how do we stop causing upheaval every time a new vulnerability in a widely used package is announced, while still ensuring our software is secure?

In this session, Alyssa Miller dives into the lessons learned from three major open source security events: the Equifax breach via Struts, the Log4j vulnerabilities and the Spring4Shell exploit. She’ll use these situations as pseudo case studies to discuss how security, engineering, and operations teams can streamline countermeasures that allow us to remain secure and resilient without creating a firefight every time a new flaw is discovered in a popular package. She will shed light on which approaches have failed us in the past, and while her solutions won’t make the vulnerabilities go away, they will highlight how we can make them less of a headache going forward.

Presenters:
