Session: Say Vulnerabilities One More Time – Ending Open Source Security Fatigue

Log4Shell, Spring4Shell, are you tired of being told to drop everything and respond to the next critical vulnerability in an open-source package? Chances are, if you work in the engineering team of any software development organization, the answer is yes. You’ve probably had to pause other projects and throw hours of engineering effort into finding and replacing vulnerable versions of these packages. Open Source Security isn’t a new concept, but it has had many notable moments in the media extending back for over decade. So how do we stop causing upheaval every time a new vulnerability in a widely used package is announced but still ensure our software is secure.

In this session, Alyssa Miller dives into the lessons learned from three major open source security events, the Equifax breach via Struts, the Log4j vulnerabilities and the Spring4Shell exploit. She’ll use these situations as pseudo case-studies to discuss how security, engineering, and operations teams can streamline countermeasures that allow us to remain secure and resilient without creating a fire fight every time a new flaw is discovered in a popular package. She will shed light on what approaches have failed us in the past and while her solution won’t make the vulnerabilities go away, they will highlight how we can make them less of a headache going forward.

Presenters:

Alyssa Miller

This track proudly sponsored by

ATO 2022 SUMMARY

THANK YOU to everyone who participated in ATO 2022 for making year #10 AMAZING!

ATO 2022 Summary

EVENT OVERVIEW

Take a look at the 2022 All Things Open conference, including highlights and special events.

Event Overview

SPONSORSHIP

Want to help us make the event possible, and get in front of thousands of technologists and open source leaders?

Become a Sponsor