Program Overview

David Spencer manages the PSIRT Engineering team at Dell Technologies, and in that role he leads the Open Source Component Management service, implemented using Synopsys Black Duck. Prior to his joining the PSIRT team at Dell, David was a software engineering manager and software engineer at Dell EMC.

Tricia Tarro is the Technical Program Manager for the Open Source Component Management service at Dell Technologies. She's pursuing her graduate degree in Administration of Justice and Homeland Security with a concentration on cybersecurity and intelligence, and holds a masters degree in Digital Forensics.

As has become industry standard, developers at Dell Technologies utilize open source components in their codebase. Though this approach greatly accelerates time to market, it also introduces risks which developers may not fully understand or be able to enumerate. Industry research shows that virtually all codebases containing open source software also contain embedded vulnerabilities. This has introduced the necessity to inventory and track the embedded open source components. Software Composition Analysis (SCA) has provided a programmatic solution to this problem, producing a Bill of Materials (BOM) which is associated with a software project.

In this BoF discussion, we will first share a brief overview of Dell's journey to integrate SCA into our Secure Development Lifecycle (SDL). As a part of our "Shift Security Left" initiatives, we are committed to putting security practices and tooling into the hands of our developers. We will then have an open discussion with audience participation, to share the experiences of both those just starting their journey and those already well on their way.

Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum for Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.

He enjoys herding cats and moonlit walks on the beach.

Join CRob and friends to talk about the FIRST PSIRT Maturity Assessment and how you can use it or similar tools to understand your program's strengths and weakness and develop plans to move your team forward.

Chris Romeo is CEO and co-founder of Security Journey where he creates and deploys security culture influencing training, consults, and speaks. His passion is to bring security culture change to all organizations large and small through the creation and design of gamified security education. He was the Chief Security Advocate at Cisco for five years, where he empowered engineers to shift security left in all products at Cisco and led the creation of Cisco’s security belt program. Chris has twenty years of experience in security, holding positions across the gamut, including application security, penetration testing, and incident response. Chris holds the CISSP and CSSLP certifications. For more information, see https://www.linkedin.com/in/securityjourney/

Everyone wants to improve the application security of their organization, but what if your company does not have a million dollars to spend? How do small/medium organizations and those with limited budget make any progress with application security? What if you could learn which open source projects fit together to solve your application security problems, and receive advice on how to get started?

In this session, explore the various application security open source projects that exist in the OWASP universe. You’ll learn how to choose the right projects to match your organizational needs.

Training/awareness, process/measurement, and tools are the categories of projects explored. Each explanation includes project purpose, a plan for use, a risk rating based on maturity/lifespan, the required number of human resources for success, and a measure of impact.

Advice per project provides an idea for how you can start rolling each of these application security improvements out to your organization. Explore how to engage your organization with a plan, experience enormous advances, and change application security forever.

It started off like every other normal day. No one plans to have a bad day, but they sometimes happen. After entering the datacenter you gasp in horror! The server racks are empty! What do you do? Race around in a panic - turn to page 200 Call Physical Security! - turn to page 98 Oh wait, we moved all our servers to the cloud last week - turn to page 25

Based upon a popular series of books, join Red Hat Product Security and decide with your peers how a cyber incident gets resolved. This is an exciting twist on a traditional Mock Incident or tabletop walkthrough you might participate in back in your office.

Attendees will learn: Common attack patterns for cyber-incidents today How to apply a battery of controls to help detect and prevent those attacks from being successful To live, laugh, and learn

Brian English, Product Security Lead, SAS Technical Support

Sallie Newton, PSIRT Lead, SAS Product Security Office

Steve Hart, Head of Product Security, SAS Institute

While product security is not a new topic at SAS Institute, the concept of having a PSIRT was new to SAS just a few years ago. In this presentation we will discuss how the PSIRT was established at SAS using aspects of the FIRST PSIRT Framework, our current mode of operation, and the challenges encountered. As a leading analytics software vendor, we believe that statistics can and should be used to solve hard problems. In the context of PSIRT we have used our own Visual Analytics software to measure and track security defects across R&D. We will discuss the metrics we have found to be most useful to drive change across the organization.

Lasse works as the Head of Ericsson PSIRT and is responsible for products security incident response and vulnerability management across Ericsson portfolio. He has previous experiences of being a senior specialist at the NCSC-FI and was responsible for the Public-Private-Partnerships.

Over 40 hackers for 24h were targeting Ericsson 5G new generation radio equipment in a 5G cyber security hackathon that was arranged in November 2019 in Finland. The hackathon was arranged by NCSC-FI in collaboration with Ericsson, Nokia and the University of Oulu.

Ericsson provided test bed setup of the new generation 5G radio equipment and exposed it in different test scenarios for the professional security researchers to be hacked. The presentation will cover the following steps of the project with extensive reflections on the lessons learned, benefits and shortcomings:

1. Organizational decision making and approvals
2. Building the test bed
3. Participant selection
4. On-site activity
5. Reflections

Johnson Controls is a global manufacturer of smart building products. PSIR at Johnson Controls operates under a hybrid model. PSIR manages the response to product-related vulnerabilities and field incidents involving products. PSIR has experienced some quality program maturity and awareness over the last two years.

• History of PSIR at JCI
• Current Structure
• Lessons Learned

Jessica Butler is a Senior Application Developer and lead for NVIDIA’s Product Security Tools team. Jessica has over 13 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. She has earned certifications in Java, Ruby and Cisco’s CCNA. In her free time Jessica enjoys gardening, rehabbing her 100+ year old urban home and traveling with her family, BJ, Sebastian (5) and Eliza (3).

Adam Wallis is a Senior Application Developer for NVIDIA’s Security Tools team operating in a security devops role in addition to providing custom software security solutions to product teams at NVIDIA. Adam has over 13 years of software and security experience and earned a BS in Electrical Engineering from Virginia Tech and MS in Electrical and Computer Engineering from Johns Hopkins University. Outside of work, Adam enjoys the sport of lock-picking and smart-home integration/hacking.

Often, security bolts on at release phase. This causes risk triage to happen at the most stressful part of the development cycle. And, can cause one-off scans which are neither effective nor sustainable.

Shift security left by integrating security services into build pipelines! It’s important to collaborate with product teams by helping with integration. This helps security tools developers spread best practices and become a friendly face!

Security doesn’t have to be the foe! We’ll demo how to add security vulnerability detection to a build pipeline in a few lines. Session attendees will benefit by leaving with a solution they can try now!

In 2017, the National Cyber Crimes Unit published a study indicating Autism Spectrum Disorder (ASD) is more prevalent in cyber criminals than the general population. There have also been numerous reports highlighting how people within the ASD have aptitudes and interests that are well suited for cybersecurity.

After several experiences with security researchers on the autism spectrum reporting vulnerabilities to Microsoft, I began researching ways to improve our communication with a neuro-diverse community. During this presentation, I would like to share my research, and ask the audience to apply a growth mindset to neurodiverse communications moving forward.

In this talk I would like to cover both written and in-person communication. This talk will mainly cover ASD, but I will also be discussing other disorders such as (but not limited to): Asperger's, ADHD, ADD, and Dyslexia.

Christopher Robinson (aka CRob) is the Program Architect for the Red Hat Product Security Team. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals.

CRob has been a featured speaker at Gartner’s Identity and Access Management Summit, RSA, BlackHat, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He’s also been heavily involved in the Forum for Incident Response and Security Teams’ (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework.

He enjoys herding cats and moonlit walks on the beach.

Join Red Hat Product Security with an overview of the data around security vulnerabilities in open source.

Art Manion is the Vulnerability Analysis Technical Manager at the CERT Coordination Center (CERT/CC), part of the Software Engineering Institute at Carnegie Mellon University. He and his team coordinate complex vulnerability disclosures, automate the discovery of new vulnerabilities, and influence practice and policy. Art has said things like "Don't Use IE," "Replace CPU hardware," and "CVSS is inadequate."

Many organizations use the Common Vulnerability Scoring System (CVSS) to prioritize actions during vulnerability management. This includes PSIRTs, who may use CVSS directly and also provide it to their users. This talk presents a testable Stakeholder-Specific Vulnerability Categorization (SSVC) that avoids some of the problems with CVSS. SSVC delves in to risk assessment territory and takes the form of decision trees for different vulnerability management communities, one of which is patch developers (i.e., vendors and PSIRTs). We seek feedback on the ideas behind SSVC, particularly the patch developer decision process.

Dario Ciccarone, CCIE No. 10395, works as a PSIRT Incident Manager in the Security Research and Operations organization at Cisco. In this role, Dario investigates, drives to resolution and writes associated security advisories for any reported vulnerability affecting Cisco products. He's also created mitigation techniques to be used in conjunction with Cisco security advisories and white papers that detail specific security threats, techniques or technologies. In addition to that, Dario has also been an invited speaker at multiple FIRST conferences.

We will discuss the THANGRYCAT vulnerability reported by Red Balloon to Cisco in November/2018. We will briefly talk about the vulnerability itself and we will then discuss the required internal coordination required to be performed at Cisco between multiple business functions in order to not only successfully disclose but also fix it. We will share some observations on what went well, what could be improved, and general recommendations and guidance.

Omar Santos is an active member of the security community, where he leads several industry-wide initiatives and standards bodies. His active role helps businesses, academic institutions, state and local law enforcement agencies, and other participants that are dedicated to increasing the security of the critical infrastructure. Omar is the author of over 20 books and video courses; numerous white papers, articles, and security configuration guidelines and best practices. Omar is a Principal Engineer of Cisco’s Product Security Incident Response Team (PSIRT) where he mentors and leads engineers and incident managers during the investigation and resolution of security vulnerabilities.

It's 2020. Are we doing better now than the previous decade with respect to open source and third-party software security? Do we have better tools, disclosure procedures, and multi-party coordination? Do we have a software bill of materials? What about hardware vulnerabilities? This session will be an active discussion on the current state of open source and third-party security in the industry and in relation to a Product Security Incident Response Team (PSIRT). In addition, we will discuss what should be the next steps to address current issues and challenges.

Emily Sarneso is a Member of the Technical Staff at Carnegie Mellon’s University’s Software Engineering Institute. As a software developer in the Threat Analysis Directorate, Emily develops tools for the vulnerability coordination and malware analysis teams. She is the lead developer of VINCE. Prior to joining the Threat Analysis Team, Emily was a member of the Security Automation Directorate where she developed tools to detect and mitigate network security threats. She was the lead developer of Yet Another Flowmeter (YAF), libfixbuf, and Super Mediator. She graduated with a Master’s Degree in Information Science from the University of Pittsburgh (2009) and a Bachelor’s Degree in Mathematics from Saint Vincent College (2007).

In the spirit of moving the ball forward, the CERT Coordination Center presents our new vulnerability coordination platform: the Vulnerability INformation and Coordination Environment (VINCE).

VINCE represents a substantial change from the hub-and-spoke model of communication we previously used to perform coordination. As a web-based platform, VINCE also moves away from PGP email as the primary mode of communication.

The primary goal of VINCE is to provide a common environment for all participants working on a vulnerability report. It aims to bring the reporter directly to the affected parties. It will also facilitate communication and increase efficiency and collaboration of relevant stakeholders. As an organization that has been coordinating vulnerability reports for decades, we understand that there is no single tool or method to accomplish this task. VINCE will offer an API to allow participants to easily pull report information and relevant discussions into their own existing tracking systems.

This presentation will review how CERT/CC traditionally coordinated with multiple vendors, discuss the reasons for moving away from that model, and then give a brief demonstration of VINCE. We are actively soliciting feedback from the PSIRT Community on our new method of multiparty vulnerability coordination.

Jorge leads part of the Microsoft PSIRT in the Microsoft Security Response Center. Prior to Microsoft, Jorge was a US Air Force officer working IT and communications - otherwise known as piloting a desk. When not at work he spends time fixing major architectural issues in his tennis game.

The problem is known: despite our best efforts to ship secure products, every year we continue to deal with a large number of vulnerabilities in software, hardware, and services. Improvements in tools to identify vulnerabilities prior to release, increased training and pen-testing, and established security teams have helped, but we are all still spending too much time and energy playing whack-a-mole: fixing individual security issues. This talk is about how security teams, especially PSIRTs, can leverage the information, insights, and (yes) pain of dealing with security vulnerabilities over and over again to drive changes in their company's products and services.

This talk will present some of the strategies we have used at Microsoft and in the Microsoft Security Response Center to stop playing whack-a-mole and address bug classes or common vulnerabilities across our products and services. We will share successes, failures, and current endeavors.