VEXed by Vulnerabilities That Don't Affect Your Product? Try This!

Speakers: Allan Friedman (CISA, US), Thomas Schmidt (BSI, DE)

About the speakers:

Allan Friedman is the guy who won't shut up about SBOM at the Cybersecurity and Infrastructure Security Agency (CISA). He coordinates the global cross-sector community efforts around software bill of materials (SBOM) and works to advance its adoption inside the US government. He was previously the Director of Cybersecurity Initiatives at NTIA, leading pioneering work on vulnerability disclosure, SBOM, and other security topics. Before joining the Federal government, Friedman spent over a decade as a noted information security and technology policy scholar at Harvard's Computer Science department, the Brookings Institution, and George Washington University's Engineering School. He is the co-author of the popular text "Cybersecurity and Cyberwar: What Everyone Needs to Know", has a degree in computer science from Swarthmore College, and a PhD in public policy from Harvard University. He is quite friendly for a failed-professor-turned-technocrat.

Thomas Schmidt works in the 'Industrial Automation and Control Systems' section of the German Federal Office for Information Security (BSI). His focus is the automation of advisories on both sides: vendors/CERTs and asset owners. Schmidt has been a leader in the OASIS Open CSAF technical committee and key in bridging this work with the CISA SBOM work. Before this, Schmidt was BSI's lead analyst for TRITON/TRISIS/HatMan and developed, together with partners, a rule set for Recognizing Anomalies in Protocols of Safety Networks: Schneider Electric's TriStation (RAPSN SETS). To increase the security of ICS and the broader ecosystem, BSI's responsibilities cover many areas, including establishing trust and good relations with vendors and asset owners. Mr. Schmidt completed his master's in IT-Security at Ruhr-University Bochum (Germany), which included a period of research at the SCADA Security Laboratory of Queensland University of Technology (Brisbane, Australia).

----

Vulnerabilities in software and hardware have become a growing concern in the supply chain. Organisations developing products therefore invest in new security programs: assessing the security of their products, analysing the results, and publishing security advisories. The security-research community also contributes by actively searching for vulnerabilities in widely used components. However, as SBOMs become more widespread, many of the resulting findings will be "false positives": the vulnerable component is present in the product, but the vulnerability is not actually exploitable in the product as shipped. Vendors and users will have to prioritise and process this information. This talk gives an overview of the Vulnerability Exploitability eXchange (VEX). VEX allows software providers and PSIRTs to state explicitly, in machine-readable form, that their product is not affected by a vulnerability in one of its components. Built as a profile of the OASIS Common Security Advisory Framework (CSAF), VEX will increase SBOM adoption by making SBOM-based scan results actionable. It also helps propagate information faster through the supply chain.
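The triage step the abstract describes, as an added example that is not from the talk or from CISA/BSI: a Python script that takes SBOM-scanner findings (component purl plus CVE) and a CSAF 2.0 VEX document, links them through the `product_identification_helper.purl` of each product, and suppresses only the findings the publisher marks `fixed` or `known_not_affected` with a machine-readable justification flag. The VEX document, product names, purls and CVE numbers are constructed placeholders; components expressed through `product_tree.relationships` and justifications given as `threats` of category `impact` are not handled here.

```python
import json

# Constructed CSAF 2.0 VEX document (not from any real advisory). Field names follow
# the CSAF VEX profile: document.category "csaf_vex", product_tree.branches with
# product_identification_helper.purl, vulnerabilities[].product_status and
# vulnerabilities[].flags. Tracking metadata is reduced to the minimum.
SAMPLE_VEX = json.loads(r"""
{
  "document": {
    "category": "csaf_vex", "csaf_version": "2.0",
    "title": "Constructed VEX for Example Gateway 3.2",
    "publisher": {"category": "vendor", "name": "Example Vendor", "namespace": "https://vendor.example"},
    "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                 "initial_release_date": "2024-01-01T00:00:00Z", "current_release_date": "2024-01-01T00:00:00Z"}
  },
  "product_tree": {"branches": [{"category": "vendor", "name": "Example Vendor", "branches": [
    {"category": "product_name", "name": "libparse", "branches": [
      {"category": "product_version", "name": "1.4",
       "product": {"name": "libparse 1.4", "product_id": "CSAFPID-0001",
                   "product_identification_helper": {"purl": "pkg:generic/libparse@1.4"}}}]},
    {"category": "product_name", "name": "libcrypt", "branches": [
      {"category": "product_version", "name": "0.9",
       "product": {"name": "libcrypt 0.9", "product_id": "CSAFPID-0002",
                   "product_identification_helper": {"purl": "pkg:generic/libcrypt@0.9"}}}]}
  ]}]},
  "vulnerabilities": [
    {"cve": "CVE-2099-00001", "product_status": {"known_not_affected": ["CSAFPID-0001"]},
     "flags": [{"label": "vulnerable_code_not_in_execute_path", "product_ids": ["CSAFPID-0001"]}]},
    {"cve": "CVE-2099-00002", "product_status": {"known_affected": ["CSAFPID-0001"]}},
    {"cve": "CVE-2099-00003", "product_status": {"under_investigation": ["CSAFPID-0002"]}},
    {"cve": "CVE-2099-00004", "product_status": {"fixed": ["CSAFPID-0002"]}},
    {"cve": "CVE-2099-00006", "product_status": {"known_not_affected": ["CSAFPID-0001"]}}
  ]
}
""")

# Constructed scanner output: (purl, CVE) pairs as an SBOM-based scanner would emit them.
SAMPLE_FINDINGS = [
    ("pkg:generic/libparse@1.4", "CVE-2099-00001"),  # vendor: not affected, with justification
    ("pkg:generic/libparse@1.4", "CVE-2099-00002"),  # vendor: affected
    ("pkg:generic/libcrypt@0.9", "CVE-2099-00003"),  # vendor: still investigating
    ("pkg:generic/libcrypt@0.9", "CVE-2099-00004"),  # vendor: fixed (e.g. backported patch)
    ("pkg:generic/libnet@2.0", "CVE-2099-00005"),    # component not covered by the VEX at all
    ("pkg:generic/libparse@1.4", "CVE-2099-00006"),  # not affected, but no justification flag
]


def index_products(product_tree):
    """Map purl -> product_id by walking the nested product_tree branches.
    Simplification: product_tree.relationships ("X as a component of Y") is not resolved."""
    purl_to_pid = {}

    def walk(branches):
        for branch in branches:
            product = branch.get("product")
            if product:
                purl = product.get("product_identification_helper", {}).get("purl")
                if purl:
                    purl_to_pid[purl] = product["product_id"]
            walk(branch.get("branches", []))

    walk(product_tree.get("branches", []))
    return purl_to_pid


def index_statements(vex):
    """Map (cve, product_id) -> (status, justification flag label or None)."""
    statements = {}
    for vuln in vex.get("vulnerabilities", []):
        labels = {pid: flag["label"]
                  for flag in vuln.get("flags", []) for pid in flag.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for pid in pids:
                statements[(vuln.get("cve"), pid)] = (status, labels.get(pid))
    return statements


def triage(findings, vex):
    """Split findings into (actionable, suppressed) using the VEX statements.
    Suppress only 'fixed' or 'known_not_affected' backed by a justification flag; keep
    known_affected, under_investigation, unjustified not-affected claims and uncovered findings."""
    if vex.get("document", {}).get("category") != "csaf_vex":
        raise ValueError("document.category must be csaf_vex")
    purl_to_pid = index_products(vex.get("product_tree", {}))
    statements = index_statements(vex)
    actionable, suppressed = [], []
    for purl, cve in findings:
        pid = purl_to_pid.get(purl)  # None when the SBOM component is not in the VEX
        status, justification = statements.get((cve, pid), ("no_vex_statement", None))
        record = {"purl": purl, "cve": cve, "status": status, "justification": justification}
        suppress = status == "fixed" or (status == "known_not_affected" and justification is not None)
        (suppressed if suppress else actionable).append(record)
    return actionable, suppressed


if __name__ == "__main__":
    todo, done = triage(SAMPLE_FINDINGS, SAMPLE_VEX)
    for rec in todo:
        print("ACT      ", rec["cve"], rec["purl"], rec["status"])
    for rec in done:
        print("SUPPRESS ", rec["cve"], rec["purl"], rec["status"], rec["justification"])
```

Keeping the unjustified `known_not_affected` statement in the actionable list is deliberate: the CSAF VEX profile requires a `known_not_affected` claim to carry a reason, so a statement without one is either an invalid document or a claim a consumer should review rather than silently trust.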