Jarek Potiuk (Apache Software Foundation, PL), Michael Winser (Alpha-Omega, US)
The “Airflow Beach Cleaning” project explores an innovative approach to dealing with Open Source Software supply chain problems. It is a collaborative effort between the Alpha-Omega fund, the Python Software Foundation, the Apache Software Foundation and the Apache Airflow PMC.
Jarek and Michael will share their learnings from running the cleaning exercise for about 6 months and will encourage other Open-Source project maintainers as well as those who fund security efforts to scale that approach within the whole Python ecosystem.
Link to slides: https://go.xwind.io/vulncon-beach-cleaning
Jarek Potiuk is an engineer with broad experience in many subjects (Open-Source, Cloud, Mobile, Robotics, AI, Backend, Developer Experience, Security), but he also has a lot of non-engineering experience: building a software house from scratch, being a CTO, organizing big international community events, technical sales support, PR and marketing advisory, and looking at the legal aspects of security, licensing, branding and building open-source communities are all under his belt.
With experience in very small and very big companies and everything in between, Jarek found his place in the Open-Source world, where his internal individual-contributor drive can be used to the utmost of its potential.
Michael Winser is a 40-year veteran of the software industry, with over 25 of those years at Google and Microsoft. He co-founded Alpha-Omega while at Google. Michael is an industry expert in software supply chain security, software development, and developer ecosystems. In addition to Alpha-Omega, Michael works with corporations and open source organizations to develop and execute on their security strategy. Michael is also a Security Strategy Ambassador for the Eclipse Foundation.
Airflow-Beach-Cleaning-Securing-Supply-Chain-Vulncon-April-2025.pdf
MD5: 253cb6cfff6de4a0e9abc1ec83af3704
Format: application/pdf
Last Update: April 11th, 2025
Size: 4.26 Mb
Michael Winser (Alpha-Omega, US)
Since its inception, Alpha-Omega has granted over $8M to various open source security efforts. This presentation will explore how we do it, the lessons learned, and how it's shaping our vision for a secure and sustainable open source ecosystem.
Alpha-Omega is an open source fund, established in February 2022, funded by Microsoft, Google, and Amazon, and with a mission to protect society by catalyzing sustainable security improvements to the most critical open source software projects and ecosystems. The project aims to build a world where critical open source projects are secure and where security vulnerabilities are found and fixed quickly.
Link to Slides: https://docs.google.com/presentation/d/1_9KiqTZFFgUwA7nZ9awDH2dH-rFtUVI-QlAmuIDLhv4/edit
Michael Winser is a 40-year veteran of the software industry, with over 25 of those years at Google and Microsoft. He co-founded Alpha-Omega while at Google. Michael is an industry expert in software supply chain security, software development, and developer ecosystems. In addition to Alpha-Omega, Michael works with corporations and open source organizations to develop and execute on their security strategy. Michael is also a Security Strategy Ambassador for the Eclipse Foundation.
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: directory
Last Update: April 11th, 2025
Size: 6 Kb
Luci Stanescu (Canonical, RO)
Information security standards and regulations are constantly gaining more traction and adoption, in an effort to counter-balance the expanding cybercriminal “business sector”. However, these are, understandably, often devised on the assumption that they will be implemented within enterprises, which are centrally managed and have well-defined boundaries. Nevertheless, open source software has become ubiquitous within enterprise infrastructure and consumer products, with little consideration given by regulators or standards bodies.
With open source projects acting as suppliers, often with a governance structure that’s not defined in detail, the question of the suitability of cybersecurity regulations and industry standards within the OSS context becomes increasingly relevant. While organisations such as the Open Source Security Foundation (OpenSSF) are making a huge difference by providing best practices, tools and information, these would also need to be recognised by regulators and standards bodies in order to bridge the gap with the enterprises’ burdens. This talk explores the beneficial aspects that can be learned from regulations and standards to further improve the security posture of OSS projects, as well as the requirements which are difficult to map in this context.
Luci Stanescu is Security Engineering Manager at Canonical, part of the team responsible for the security maintenance of Ubuntu and the Canonical PSIRT. With almost 20 years of professional experience, he is passionate about making information security matter and an advocate for not treating cybersecurity regulations and standards as a tick-box exercise.
Applying-Cybersecurity-Regulations-and-Industry-Standards-to-Open-Source-Projects.pdf
MD5: a468e5f742feb6edf0fcde9879ad01af
Format: application/pdf
Last Update: April 14th, 2025
Size: 482.64 Kb
Krassimir Tzvetanov (Purdue University, US)
Over the past decade, the term "fake news" has become overused and divisive, prompting many to dismiss it outright. This raises questions about how this narrative benefits society—or even aids adversaries. Discussions around "active measures" often miss the mark, failing to grasp the broader implications of such tactics. In today’s information age, traditional cautionary warnings evolve into modern ones like “Beware of geeks bearing gifts,” underscoring the potential manipulation of seemingly benign messages.
This presentation will explore reflexive influence operations, techniques that exploit messaging to align segments of a target audience with adversary objectives. By examining second- and third-order effects, the discussion aims to reveal how such operations succeed in reshaping perceptions and achieving strategic goals. Examples illustrating these tactics will also be provided.
Beware of Geeks Bearing Gifts
January 2, 2025 09:00-10:00
Jim Duncan (Jim Duncan, US)
Standards groups should have a policy for handling alleged flaws in their "product" and in upstream code, if any, that they modify and include in their own product. However, few such organizations have a well-defined process and policy. There are many challenges, the least of which is that the participants are competitors (as mentioned previously) and it will be inferred that agreeing to a PSIRT policy and process for a standards group will imply a loss of control over the intellectual property. This presentation will highlight the unexpected challenges of establishing a PSIRT within a standards organization with a goal of helping others to bootstrap and run a vulnerability-handling mission for other standards groups.
Jim Duncan pioneered CSIRT and PSIRT practices, and has over forty years' experience in incident response.
Duncan-Building-a-PSIRT-for-a-Standards-Org.pdf
MD5: dc60fbf1de22517b5336309de7efc48b
Format: application/pdf
Last Update: April 10th, 2025
Size: 439.99 Kb
Nick Leali (Cisco and CVSS SIG Chair, US)
CVSS v4.0 has been with us for a little over a year, and quite a bit of data exists out there to tell us about how vulnerability scores may change between CVSS v3.1 and v4.0 assessments.
If you are concerned about the impact that adopting CVSS v4.0 will have on your environment, interested in learning about how the numbers may change, or if you want to craft a narrative using math to either push for v4.0 adoption or avoid it entirely, then this talk is for you! I will go through an analysis of the changes between CVSS v3.1 and v4.0 scores, giving you the context necessary for understanding how adoption may impact vulnerability disclosure and vulnerability management.
In addition to the numbers, we'll discuss some of the shortcomings of CVSS v4.0 and how you can use the standard to its full extent. You can even use the tool I developed to create this talk to look at CVSS v3.1 and v4.0 data in your own environment!
Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make the transition to the new version of the standard easier for vendors and consumers.
Nick works for Cisco as a PSIRT incident manager.
MD5: 1e8e3ef166dabacada90cc5ee66e5fba
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.19 Mb
Marta Rybczynska (Ygreky, FR)
The Yocto Project allows embedded vendors to build their custom Linux (and not only Linux) distributions from scratch, i.e. from the source code. This talk explains the challenges we faced when adding support for multiple vulnerability databases and trying to express our "VEX-like" data as VEX.
Marta Rybczynska has a network security background and 20 years of experience in Open Source. She has been working with embedded operating systems like Linux and various real-time ones, system libraries, and frameworks up to user interfaces. In recent years she has worked in Open Source security, setting up best practices and processes. She is currently helping the Eclipse Foundation as a Technical Program Manager for the Security Team, where she manages the vulnerability reporting process.
VulnCon202504_Rybczynska_DistributionBuildersMeetVEXv2.pdf
MD5: a5052af5eaeaa02b6ba4d1058c9562f8
Format: application/pdf
Last Update: April 8th, 2025
Size: 654.13 Kb
Alex Assante (Network and Security Technologies, US), Kylie McClanahan (Bastazo, US)
What comes after coordinated vulnerability disclosure (CVD)? When the issue is confirmed and the advisory is published, what comes next?
Vulnerability management is a mature and robust—if imperfect—process in information technology (IT). The same process, though, poses unique challenges for engineers, technicians, and security teams in operational technology (OT) environments. The difficulties faced in the OT space may not be widely known or understood by vulnerability researchers and IT security professionals. Understanding these differences is key to securing operational environments, which, along with being ever more connected, are also increasingly interdependent with IT systems.
Kylie and Alex will present a view of vulnerability management in OT environments, examining this process in practice at electric utilities. Their presentation will include current approaches, the regulatory requirements specific to the space, data needs, and the unique challenges posed by OT environments.
Alex Assante, Security Consultant at Network + Security Technologies Inc. (NST), is an innovative lead in cybersecurity and critical infrastructure protection with a focus on the development and maintenance of cyber and information security programs. In his current role, Alex supports analysis of technical vulnerabilities in IT and OT environments, reviews and documents cyber security processes, and prepares entities for audits by collecting and validating the quality of evidence artifacts. He is also experienced in the creation of cross-standard mapping tools and integrating corresponding controls from various security frameworks. He grew up in and around the cybersecurity and Industrial Control Systems (ICS) space, which ignited his passion for national and critical infrastructure protection and led him to where he is today. Alex is a graduate of Westminster College with a degree in computer science. He holds the GIAC Critical Infrastructure Protection (GCIP) and the GIAC Response and Industrial Defense (GRID) certifications.
Kylie McClanahan, Chief Technology Officer (CTO) at Bastazo, is a forward-thinking leader with expertise in cybersecurity and critical infrastructure. With nearly a decade of experience in the electric utility sector and as a PhD candidate in Computer Science (expected May 2025), Kylie plays a pivotal role in advancing cybersecurity solutions for operational technology. At Bastazo, she focuses on leading the technology teams to develop Bastazo’s platform to address vulnerabilities, ensuring the resilience and safety of critical infrastructure. Kylie is passionate about protecting vital systems, advocating for practical solutions, and bridging the gap between research and real-world application. Kylie also holds a GCIP certification from GIAC, the only certification available for the NERC CIP standards.
don-t_forget_the_little_guy.pdf
MD5: c8d94d30cbeba7e65f8c07b1a5672ffa
Format: application/pdf
Last Update: April 8th, 2025
Size: 925.37 Kb
Živilė Nečejauskaitė (NRD Cyber Security, LT)
The presentation will focus on engagement with other stakeholders within the organisation. Effective means of communicating and building relationships with specific stakeholders within an organisation can significantly improve response times and mobilisation in the event of a significant cyber incident and prevent the situation from escalating.
During the presentation we will look at how to map the stakeholders within an organisation, how to group them and how to determine the level of engagement with each group. We will also explore precise communication examples: potential messages to each stakeholder group to create greater engagement and relevance.
Živilė Nečejauskaitė is a communications professional, specializing in change and impact communication. She is a co-trainer of the ITU Academy course on Cyber Crisis Management. Živilė has co-organized and co-hosted several cybersecurity capacity building conferences in the East Africa region, called "Cyber Defense East Africa", one of which focused on national cyber crisis management. She holds a Master's degree in Communication for Development from Malmö University in Sweden. Živilė has worked in the public and private sectors in Lithuania and abroad, and has focused on cybersecurity capacity building for the past 7 years. Currently, she dedicates her time to building frameworks for communication during a cyber incident.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 15:30-16:00
Hosted by CERT Monaco
Incident-Response_How-to-get-others-in-the-organisation-to-care_Zivile-Necejauskaite.pdf
MD5: 4acf671a54de0fa2be6dbd8eb2053af5
Format: application/pdf
Last Update: January 21st, 2025
Size: 1.44 Mb
Zach Edwards (Silent Push, US)
This presentation will walk through how Silent Push analysts traced pig butchering scams to FUNNULL CDN-hosted money laundering networks, retail phishing campaigns targeting luxury brands, and more. Technical analysis of each step will be provided and explained in depth as we cover the threat we have dubbed “Triad Nexus”.
Zach Edwards is a Senior Threat Researcher at SilentPush, joining the team in 2024, with a focus on understanding and tracking how APT groups are evolving. His expertise includes a deep knowledge of global data supply chains and advertising systems.
Zach is passionate about data privacy, is active in numerous communities, and has been involved in high-profile GDPR complaints, including cases against online dating apps and Google auction systems. Zach has presented at high-profile events, including a 2023 Black Hat USA session titled “Kids in the Ad Fraud Crosshair: Why International Threat Actors are Targeting Children to Steal Money from Banks and Major Corporations.” In 2024, Zach presented at PIVOTcon, Virus Bulletin, and mWISE on various cyber threats.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 10:45-11:30
Hosted by CERT Monaco
Silent-Push-Triad-Nexus-Zach-Edwards.pdf
MD5: c255473a13dc0d52e2f8841e2672c027
Format: application/pdf
Last Update: January 10th, 2025
Size: 4.86 Mb
Logan Wilkins (Cisco, US)
In the rapidly evolving landscape of cybersecurity, organizations increasingly rely on effective Cybersecurity Incident Response Teams (CSIRTs) to detect, respond to, and mitigate security incidents. Key Performance Indicators (KPIs) play a crucial role in assessing the efficiency and effectiveness of CSIRT operations. This half-day training class is designed to empower CSIRT professionals with the knowledge and skills to develop, implement, and leverage KPIs for enhanced incident response. The training will cover essential topics, including:
Following this training, participants will have additional knowledge and tools to help establish a KPI framework tailored to their CSIRT's objectives. This class provides an opportunity for CSIRT professionals to enhance their skills, optimize their operations, and contribute to the overall security posture of their organizations.
Logan Wilkins currently leads a software engineering team in Cisco’s CSIRT, overseeing development programs related to incident detection and response, data management, and security metrics. Within FIRST he is the co-chair of the Metrics SIG and has served as a Candidate Sponsor for multiple groups. In addition to his experience in Cisco’s security organization, Logan has also worked in e-commerce, pharmaceutical drug discovery and was previously a high school teacher, giving countless students their first introduction to Computer Science.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 14, 2025 09:00-10:30, January 14, 2025 11:00-12:30
Hosted by CERT Monaco
MD5: 3710d4445526562f31cbe79ec14d3829
Format: application/pdf
Last Update: January 23rd, 2025
Size: 1.37 Mb
Andrew Pollock (OpenSSF, AU)
Last year the CVE Program turned 25. This year OSV.dev turns 4.
The CVE Program's federated approach enabled scaling of CVE issuance, but failed to implement any meaningful record quality enforcement. This means the data quality problem scales with CNA growth.
This presentation compares the venerable CVE Program's approach with the 4-year-old OSV.dev and offers suggestions on how things can be improved.
Andrew Pollock has most recently been a Senior Software Engineer on Google’s Open Source Security Team (GOSST), working on OSV.dev. He is passionate about consistent high quality, machine readable vulnerability metadata for detecting and remediating vulnerabilities in open source software. He is based in Brisbane, Australia.
Let-s-Talk-about-Fitness-for-Purpose_-Comparing-and-Contrasting-the-CVE-List-with-OSV.dev.pdf
MD5: 8b6f12f16741a09003a2861a7423c33d
Format: application/pdf
Last Update: April 11th, 2025
Size: 1.75 Mb
Marko Krstić (SRB-CERT (RATEL), RS), Vladimir Bobor (SIRT Officer Swedbank CDC, SE)
SRB-CERT has a tradition of organizing cybersecurity-related workshops and trainings for different stakeholders in the Republic of Serbia. In order to further educate existing CERTs and to motivate the establishment of new ones, the National CERT and the Cybersecurity Network Foundation, with the support of the EU project "Cyber Balkans", localized Transits I into the Serbian language and incorporated details about the legal framework of Serbia. In this talk we will present the results of our efforts, as well as the approach we took to successfully localize the Transits I course.
Marko Krstić completed his bachelor's, master's, and doctoral studies at the School of Electrical Engineering in Belgrade. He has been working in the field of information technology and security at the Regulatory Authority for Electronic Communications and Postal Services (RATEL) for almost ten years. He is currently serving as the Head of the Cyber Security Division and National CERT Affairs at RATEL. Marko was part of several projects related to the application of artificial intelligence for the protection of children on the Internet as well as for digital forensics at the European level.
Vladimir Bobor was born in 1971 in Belgrade, Serbia. He has lived in Stockholm, Sweden since 1994. He achieved a B.Sc. in Computer Engineering in 2000 and in 2006 his M.Sc. with a specialization in Information and Communication Systems Security from the Royal Institute of Technology (KTH) Stockholm. In 2024 he joined the Swedbank CDC team as an incident handler. He has long experience in the Information Security field, Network Security and Computer-Network Forensics. Vladimir was a member of the TF-CSIRT Steering Committee from 2014 to 2019 and 2020 to 2023, and is one of the initiators of the Swedish CERT Forum.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 16:05-16:10
Hosted by CERT Monaco
Localization-of-Transits-I-Course-in-the-Republic-01.pdf
MD5: a8bdbaf1f89f92cb8eff4342d83d7b0a
Format: application/pdf
Last Update: January 21st, 2025
Size: 187.51 Kb
Michael Hamm (CIRCL, LU)
A use case where full disk encryption does not do what you expect, and you should be aware of it.
A live demo where I show what happens with plaintext data that was stored on the disk before full disk encryption was activated.
Michael Hamm has worked for more than 10 years as Ingénieur-Sécurité in the field of classical Computer and Network Security (Firewall, VPN, AntiVirus) at the research center “CRP Henri Tudor” in Luxembourg. Since 2010, he has been working as an operator and analyst at CIRCL – Computer Incident Response Center Luxembourg where he is working on forensic examinations and incident response.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 16:10-16:20
Hosted by CERT Monaco
MD5: b7a09d5d9dfe2147dcbd9f2183d9fdac
Format: application/pdf
Last Update: January 7th, 2025
Size: 177.47 Kb
MD5: 3afa308a3b9a7a3280b3919c3e1d5cff
Format: application/pdf
Last Update: January 7th, 2025
Size: 251.51 Kb
Francesco Cipollone (Phoenix Security, GB), Nate Sanders (Bazaarvoice, US)
Abstract: Navigating the Challenges of Risk-Based Vulnerability Management in a Cloud-Native World
Since 2015, the advent of containerized environments and modern software development practices has transformed how we build and secure applications. These advancements have redefined the cybersecurity landscape, introducing unprecedented challenges in vulnerability management related to scale, complexity, and data consistency. This panel discussion brings together two leading experts to explore how a risk-based approach can address these challenges, offering actionable insights and methodologies.
The Inconsistency of Data: Fragmented and siloed security data often hampers efforts to prioritize vulnerabilities effectively. The panel explores strategies to consolidate and normalize data from disparate tools and environments, enabling a unified view that supports informed decision-making.
Vulnerability Management at Scale: Managing vulnerabilities in sprawling, dynamic infrastructures demands innovative approaches. The speakers share insights into automating prioritization and remediation workflows, addressing the unique challenges of containerized and serverless architectures.
Reachability Analysis: Identifying exploitable vulnerabilities through reachability analysis has emerged as a game-changer. The panel discusses how contextualizing vulnerabilities within the software supply chain and runtime environments can help organizations focus their resources on the most critical risks.
Attendees will gain a deeper understanding of:
This panel discussion explores the challenges of risk-based vulnerability management in a cloud-native world, focusing on overcoming data inconsistency, managing vulnerabilities at scale, and leveraging reachability analysis. As organizations navigate complex, dynamic infrastructures, fragmented security data and the sheer volume of vulnerabilities pose significant hurdles. The session highlights strategies for consolidating data, automating prioritization, and contextualizing vulnerabilities within their runtime and supply chain environments. Designed for security leaders, the talk provides practical insights, real-world use cases, and actionable methods to scale and modernize vulnerability management in an interconnected, containerized ecosystem.
Francesco Cipollone is a renowned entrepreneur and CISO, founder of Phoenix Security, an ASPM platform offering actionable, contextual code-to-runtime insights. A multi-award-winning podcast host, author, and global speaker, Francesco is known for his visionary contributions to cybersecurity. He serves on the UK&I Cloud Security Alliance Chapter board and is a faculty member at IANS on application and cloud security. His insights have appeared in Forbes, Helpnet Security, and Hacker Noon, and he has been featured in prominent podcasts like Application Security Weekly and Cloud Security Podcast. Francesco has keynoted at major conferences such as AppSec Cali and Cyber Security & Cloud Expo, and previously led application and cloud security at HSBC and served as Senior Security Consultant at AWS. An avid marathon runner, snowboarder, and whiskey enthusiast, Francesco balances his professional accomplishments with a passion for adventure and fine spirits.
Nate Sanders, also known as mauvehed, has traversed a long and winding career path through hacking, system and network administration, computer security, and leadership. Now leading people across security engineering and security operations, he takes great pride in building teams, developing individuals, and solving business challenges. With expertise spanning vulnerability management, application security, and the ever-growing cloud, he combines technical acumen with strong leadership and collaboration skills to drive impactful results. Outside of his professional exploits, Nate is a vocal advocate for mental health, frequently speaking on topics such as ADHD, Autism, CBT/DBT, and EMDR, with a mission to normalize mental health conversations in the workplace and society.
Vulncon-Technical-Leadership-Track-Navigating-the-Challenges-of-Risk-Based-Vuln
MD5: d41d8cd98f00b204e9800998ecf8427e
Format: directory
Last Update: April 14th, 2025
Size: 6 Kb
Luci Stanescu (Canonical, RO)
Canonical has recently implemented a company-wide Secure Software Development Lifecycle (SSDLC) that aims to systematically address security concerns and manage vulnerabilities throughout the company's entire portfolio.
In this talk I will share how these policies allow us to prevent and respond to vulnerabilities, and how this can be achieved with a very minimal security team. The lessons learned through this process will be shared, to allow others to better manage their company-wide vulnerability posture and maximise the results they can achieve.
Luci Stanescu is Security Engineering Manager at Canonical, part of the team responsible for the security maintenance of Ubuntu and the Canonical PSIRT. With almost 20 years of professional experience, he is passionate about making information security matter and an advocate for not treating cybersecurity regulations and standards as a tick-box exercise.
Managing-Vulnerabilities-through-SSDLC.pdf
MD5: 311c752ccb8df6f42d043b93810e2b30
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.1 Mb
James McLaren (Jersey Cyber Security Centre, JE)
“We should be learning from the way emergency services operate, not reinventing the wheel”. Staff at JCSC who heard this at TRANSITS 1 last April had an almost immediate chance to do this after being invited to JESIP training. This session explains some of the principles behind JESIP, looks at how we might use it for alignment in our context, and seeks to open up a conversation about how it might go elsewhere.
James McLaren, the Senior Analyst at the Jersey Cyber Security Centre, still has no programming chops to speak of after spending 19 years with the UK Civil Service (where he designed and delivered an early Internet security training course in 2001) and eight with a managed security service provider in Jersey - but he is really quite good at acquiring and analysing information, and no slouch at writing about it either. He’s #ActuallyAutistic, makes a mean Hungarian gulyas, and still speaks Russian just about well enough to tell Putin where to stick it.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 14:00-14:30
Hosted by CERT Monaco
MD5: fdb582a4d19497aeb347d2f04282e2e5
Format: application/pdf
Last Update: January 28th, 2025
Size: 1.07 Mb
Art Manion (ANALYGENCE Labs, US), Lisa Olson (Microsoft, US), Don Bailey (AWS, US), Michael Coté (Google, US)
Fixing or otherwise mitigating a vulnerability requires action. By someone. For user- or customer-controlled software, this “someone” is the user or customer who performs actions such as update, upgrade, patch, make a configuration change, rebuild, or fetch new dependencies. For software as a service, this “someone” is the service provider, while the user or customer may not need to take any material action. A browser refresh, session timeout, or a new API call uses the fixed software. What does it mean to assign CVE IDs to “no-user-action” vulnerabilities? What are the costs and benefits? Is there danger of decreasing the CVE signal-to-noise ratio? How do changes in the CNA Operational Rules apply? A panel of major cloud service CNAs will discuss these questions and more.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs, where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Lisa Olson is a Principal Security Program Manager at Microsoft, has a lot to do with Patch Tuesdays, and has been a CVE Board member since 2018.
Don "Beetle" Bailey is a Senior Principal Security Engineer at AWS, previously at MITRE, previously U.S. Army.
Michael Coté is a veteran of the 82nd Airborne and the lead for Google Cloud VRP and Vulnerability Response, which includes publishing CVEs for critical vulnerabilities within Cloud.
No_Action_CVE_For_Services.pdf
MD5: 863ae67bf98dfdce413783b201d1296f
Format: application/pdf
Last Update: April 11th, 2025
Size: 616.66 Kb
Christophe Renard (Agence Nationale de la Sécurité des Systèmes d'Information, FR)
As the French national cyber-security authority, ANSSI, and more specifically CERT-FR, has been handling major cyber-incidents since its inception in 2009. It has also faced the rise of destructive cybercriminal attacks where sensitive services were concerned. As such, we see post-incident impact often lasting years after the initial events. To mitigate this, we have launched a multipronged effort to formalize what post-incident remediation is, improve victim support, and encourage the private-sector offering. This presentation summarizes what we have been doing over the last 3 years on the subject and what we plan to do next.
Christophe Renard has been working in multiple roles in IT for 25+ years, in computer security for 13 years, and in incident response for 8 years.
At CERT-FR he heads a team dedicated to assisting victims in regaining control of and restoring their information systems after cyber-incidents.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 16, 2025 09:30-10:15
Hosted by CERT Monaco
TLPWHITE-firsteu2025-anssi-remediation.pdf
MD5: 03c6892cda6fc2a81c50644bbf2db8f4
Format: application/pdf
Last Update: January 16th, 2025
Size: 40.56 Mb
Morton Swimmer (Trend Micro, Inc, DE)
The potential threat of quantum computers to computer security first emerged in the mid-1990s with Shor's discovery of an exponentially faster algorithm for integer factorization. This threat has become more tangible with the development of real quantum computers over the past decade. Although the immediate risk has not materialized, it continues to pose a significant challenge to forward secrecy. In this talk, I will explore the fundamental differences between quantum and classical computers and explain how Shor's algorithm undermines cryptographic systems. Additionally, I will provide an overview of the current state of quantum machine learning, which, despite significant advancements, remains limited in its practical applications. Although quantum computers are not yet ready for purposes beyond research, I will discuss the key challenges that need to be addressed to bring them into practical use and highlight important aspects to consider. This presentation aims to offer a balanced perspective on this complex and often misunderstood field, where expectations frequently surpass current achievements.
Dr. Morton Swimmer is a researcher in the Forward-Looking Threat Research (FTR) team in Trend Micro Research. His focus is on future threats, especially Web3, machine learning and quantum computing. His experience in computer security stretches back past 35 years with the founding of the first European malware research lab (VTC) at the University of Hamburg, Germany in 1988 and he has been involved in most of the innovations in security, first at university, later IBM Research and now Trend Micro. Early activities included malware analysis and computer forensics for which he built an early Malware sandbox system in 1992. This led to the development of the Digital Immune System at IBM Research, a fully automated virus analysis and signature generation system. More recently, he has been researching machine learning techniques, probabilistic reasoning and CTI ontologies to automate detection, hunting and mitigation of threats. New research topics also include the nascent Web3 technology stack and quantum computing’s effect on security issues, both positive and negative. He currently organizes the BSidesMunich and Elbsides security conferences.
Morton, a native of New York City, has a Computer Science PhD degree from the University of Hamburg, and currently resides in the Hamburg, Germany area.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 13:30-14:00
Hosted by CERT Monaco
Quantum-Computers-Should-we-worry-FIRST-EU25.pdf
MD5: 7a817a93d2880094931fdcd62d04d6eb
Format: application/pdf
Last Update: January 21st, 2025
Size: 11.46 Mb
Joseph Seasly (Adobe, US), Shruti Datta Gupta (Adobe, US)
Explore how to streamline the resolution of security tickets, including those from PSIRTs and bug bounty programs, by effectively gathering and integrating knowledge from company, product, and expert insights. This session will highlight the role and limitations of AI in the ticket resolution process, enabling more efficient and informed outcomes. Discover how to build a comprehensive system that incorporates continuous feedback loops, driving iterative improvements and ensuring your team is well-prepared to address the complexities of modern security challenges.
Joseph Seasly is currently on the Security AI & Data Engineering team at Adobe. In his former life, he spent 13 years in the U.S. Intelligence Community working in a variety of agencies, technical roles, and missions.
Shruti Datta Gupta is a Product Security Engineer at Adobe where she works in Security AI & Data Engineering. Her current role involves building AI-powered tools to automate security processes and reduce engineering toil. She is passionate about applying AI to solve challenging problems in security and has worked on projects ranging from draining car batteries to predicting attacker behavior in a network, all using AI.
MD5: 5f3a6d64b687b4f026227c96c0bc5ed9
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.21 Mb
Niels Hofmans (Intigriti, BE)
Rapid growth presents unique security challenges for scale-ups. Limited resources necessitate efficient vulnerability management practices to meet stringent security requirements. This presentation details a pragmatic approach to scaling vulnerability management, emphasizing the crucial role of metadata. We will share our journey of building a custom vulnerability management pipeline in Go, integrated with our SIEM system, and demonstrate how enriching vulnerability data with threat intelligence and business context drives effective prioritization. Attendees will gain practical insights into leveraging vulnerability metadata for actionable security decisions. Our approach centers on a custom-built Go pipeline that seamlessly integrates various vulnerability data sources, enriching them with threat intelligence and business impact assessments. We'll showcase how this data-driven approach informs prioritization and empowers stakeholders through self-service portals and SIEM dashboards, providing clear visibility into vulnerability trends and remediation progress. This presentation offers valuable takeaways for organizations seeking to optimize their vulnerability management processes and maximize their security posture with limited resources.
Niels Hofmans is the Head of Security at Intigriti, Europe's largest bug bounty platform which connects 125,000+ security researchers worldwide to customers' assets. He manages cloud security, SoC, threat intelligence, application security, compliance, detection & response, infrastructure, incident response & more. When not with his head in the trenches, he spends time writing experimental security tooling or consulting for customers to make the world a safer place.
VulnCon25-VulnerabilityManagement-at-Intigriti-032025.pdf
MD5: ecd0a76ef11ba2a81746a918a2f7fbe3
Format: application/pdf
Last Update: April 11th, 2025
Size: 2.85 Mb
Jessica Butler (NVIDIA, US), Kaajol Dhana (NVIDIA , US)
This talk introduces an innovative approach to parent image detection and management that leverages Vulnerability Exploitability eXchange (VEX) inheritance. The presentation addresses the critical challenges of maintaining secure and compliant container ecosystems in large-scale environments by exploring a system designed to track approved parent images, their associated VEX statements, and perform in-pipeline detection and compliance checks.
This groundbreaking method enhances container security by ensuring the use of approved base images while streamlining vulnerability management through VEX inheritance. By automatically suggesting VEX information from parent images to child images, the system significantly reduces false positives and focuses attention on truly exploitable vulnerabilities. DevOps teams, security professionals, and incident responders will gain valuable insights into automating parent image tracking, inheriting VEX statements across image layers, and conducting more accurate vulnerability assessments throughout the container lifecycle, ultimately transforming container security postures and accelerating vulnerability triage processes.
Jessica Butler is an engineering manager for NVIDIA’s Product Security Tools team. Her passion is providing an easy button for security tools by designing and implementing internal enterprise applications with a focus on developer integration and support. Jessica has over 18 years of experience and earned her MS in Computer Engineering from Washington University in St Louis. In her free time Jessica enjoys gardening and traveling with her family.
Kaajol Dhana is a software engineer for NVIDIA’s Product Security Tools team. She is interested in container security and providing actionable and insightful reports for teams to be able to remediate security risks. Kaajol has over 5 years of experience and earned her BS in Computer Engineering from the University of Texas at Austin. Outside of work, Kaajol enjoys playing tennis, trying out new restaurants, and traveling with her husband.
MD5: 1a29cc1e6a572a8d01b2689cfbd9e34b
Format: application/vnd.openxmlformats-officedocument.presentationml.presentation
Last Update: April 14th, 2025
Size: 6.51 Mb
Cristiana Brafman Kittner (Google Cloud, US)
Cybersecurity isn't just about technology; it’s fundamentally about people. Cybersecurity's human element is undeniable. Recognizing the link between psychology and psychological safety in cybersecurity frontlines, particularly within incident response, is crucial. Research emphasizes the importance of a blame-free culture where individuals can take risks, share ideas, and learn from mistakes, fostering consistent success.
Cultivating psychological safety can be challenging, especially in high-stakes environments like cybersecurity incident response. Strategies to address this include prioritizing people over technology, integrating psychological safety into onboarding, and fostering a culture of trust and transparency. By prioritizing psychological safety, organizations can unlock the full potential of their cybersecurity teams and bolster their defenses against cyber threats. This approach aligns with global perspectives on effective cybersecurity practices, ensuring a resilient and adaptive defense in the face of evolving cyber risks.
Cristiana Brafman Kittner has over two decades of experience in military strategy, weapons analysis, and strategic defense with a focus on cyber threat intelligence. Currently, Cris is the Chief Analyst at Google Cloud's Product Security Engineering and provides enterprise customers across various industries as well as senior executives and government officials with cutting-edge cyber threat intelligence and risk management solutions. She is a subject matter expert in cyber threat intelligence with a focus on Chinese military strategy, particularly on the development of the People's Republic of China's cyber threat landscape and ecosystem. Cris is a board member of The Diana Initiative and Torchlight. In her spare time, Cris is also engaged as a mentor and coach with Girl Security, The Women's Society for Cyberjutsu, and the Executive Women's Forum.
TF-CSIRT Meeting & 2025 FIRST Regional Symposium for Europe
Monte Carlo, MC
January 15, 2025 09:30-10:00
Hosted by CERT Monaco
MD5: ce83e7a49714b9dc0194a99fbbec205d
Format: application/pdf
Last Update: January 15th, 2025
Size: 3.55 Mb
Art Manion (ANALYGENCE Labs, US), Jay Jacobs (Empirical Security, US)
Vulnerability databases come in all shapes and sizes and contain a variety of information elements. Some elements overlap across databases, others do not, and database records can vary in size depending, for example, on how many references are included or how much software status ("affected") is provided. These databases and their elements are intended to support vulnerability management, which we organize into four phases: discovery, prioritization, mitigation, and feedback. Which data elements contribute to these phases? More importantly, which are required to enable the first essential phase of discovery? A Minimum Viable Vulnerability Enumeration (MVVE) is the smallest possible number of information elements required to discover (identify and disambiguate) a vulnerability. Without an MVVE element, discovery, and therefore vulnerability management in its entirety, is not possible. This talk will define the phases of vulnerability management and how information elements support those phases, with a strong focus on the MVVE necessary for the essential first discovery phase. We map the MVVE to a few well-known vulnerability databases, including CVE.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Jay Jacobs is a Co-founder and Chief Data Scientist at Empirical Security and Chief Data Scientist Emeritus at Cyentia Institute. Jay is also the lead data scientist for the Exploit Prediction Scoring System (EPSS) and is co-chair of the EPSS special interest group at FIRST. He is also a co-founder of the Society for Information Risk Analysts (SIRA), a not-for-profit association dedicated to advancing risk management practices where he served on the board of directors for several years. Finally, Jay is a co-author of “Data-Driven Security”, a book covering data analysis and visualizations for information security professionals.
MD5: db71e705e10aa4571d203f9011932fd0
Format: application/pdf
Last Update: April 11th, 2025
Size: 1.43 Mb
Rob Arnold (Acorn Pass, US)
The UC2 Risk Ruler enhances the Common Vulnerability Scoring System (CVSS) version 4.0 by integrating confidence levels into vulnerability scores, offering a visual representation that aligns numeric scores with qualitative severity labels and data reliability. While CVSS 4.0 offers standardized quantitative scores mapped to qualitative labels, it lacks a built-in mechanism for representing confidence in the underlying data quality, impacting decision accuracy. The UC2 Risk Ruler addresses this gap by aligning CVSS scores with distinct confidence levels—High, Medium, Low, and Unknown—enabling stakeholders to assess the reliability of vulnerability scores in addition to severity. This framework assists decision-makers by reducing "false precision" in low-confidence data, promoting transparency, and facilitating clear communication across technical and non-technical teams. Practical applications include aiding leadership in determining adequate certainty levels for defensible decisions and allowing teams to gauge model sensitivity to confidence adjustments, ultimately refining vulnerability management and supporting robust cybersecurity strategies.
Rob Arnold is a retired Senior Advisor for Cybersecurity and Risk Management at the National Risk Management Center, part of CISA under the U.S. Department of Homeland Security (DHS). He led the creation of the first National Critical Functions Risk Register to help federal leaders prioritize risk management.
Previously, Arnold was CEO of Threat Sketch, specializing in large-scale cyber risk management. He holds a graduate degree in information security from East Carolina University and is CRISC-certified by ISACA.
He authored Cybersecurity: A Business Solution, a guide for small business risk management, and has represented small organizations before Congress. He was a founding member of the ICT Supply Chain Task Force Executive Council, the first chairman of the North Carolina Center for Cybersecurity, and served on advisory boards for multiple universities.
CVSS-Risk-Ruler-VulnCon-2025-v1.1.pdf
MD5: 5efb9c16c6039019454608c1efb9499e
Format: application/pdf
Last Update: April 6th, 2025
Size: 1.41 Mb
UC2-Risk-Ruler-for-CVSS-4.0-v1.3.pdf
MD5: a137145170733180d24a20448335464d
Format: application/pdf
Last Update: April 6th, 2025
Size: 400.48 Kb
Nick Leali (Cisco and CVSS SIG Chair, US)
During this talk, Nick will present the recent past, present, and near future business of the FIRST CVSS SIG. Topics include the updates from the CVSS SIG over the past year; results from the CVSS SIG survey; and the progress of CVSS v4.0 adoption.
Please bring your questions and requests for examples to discuss.
Nick Leali is a current CVSS SIG co-chair, currently working on improving the adoption of CVSS v4.0 to make the transition to the new version of the standard easier for vendors and consumers.
Nick works for Cisco as a PSIRT incident manager.
MD5: 1e8e3ef166dabacada90cc5ee66e5fba
Format: application/pdf
Last Update: April 14th, 2025
Size: 1.19 Mb
Andrew Pollock (Google Open Source Security Team, AU)
Andrew will share tips and tricks on how to use Google Sheets, Apps Script and the various JSON APIs available from the CVE List, the NVD and OSV.dev to slice and dice vulnerability metadata, based on his experiences in Spreadsheet Engineering.
Andrew Pollock has most recently been a Senior Software Engineer on Google’s Open Source Security Team (GOSST), working on OSV.dev. He is passionate about consistent high quality, machine readable vulnerability metadata for detecting and remediating vulnerabilities in open source software. He is based in Brisbane, Australia.
Vulnerability-Data-Analysis-with-Google-Spreadsheets-and-Apps-Script-for-Fun-and-Profit.pdf
MD5: e69fd35b3e845f49fa263926306b4b11
Format: application/pdf
Last Update: April 11th, 2025
Size: 341.2 Kb
Art Manion (ANALYGENCE Labs, US), Lindsey Cerkovnik (CISA, US)
Vulnrichment is CISA's effort to fill in the gaps on vulnerability data—namely, gauging impact and risk of vulnerabilities as they are published by CVE. Our approach on tackling the daily dozens to hundreds of vulnerabilities on behalf of the federal government embraces radical transparency, and this talk by Lindsey and Art will go over the requirements for Vulnrichment, the realized and expected outcomes, and the federal government's use of an open forum like GitHub Issues to deal with errors, omissions, and discrepancies.
Art Manion spends a lot of time working on various aspects of cybersecurity vulnerabilities including coordinated disclosure, measurement, response prioritization, and public policy. Art has led and contributed to vulnerability-related efforts at the Forum of Incident Response and Security Teams (FIRST), the CVE Program, ISO/IEC JTC 1/SC 27, and the (US) National Telecommunications and Information Administration (NTIA). Art is the Deputy Director of ANALYGENCE Labs where he works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA). Art previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Lindsey Cerkovnik is the Chief of CISA’s Vulnerability Response & Coordination (VRC) Branch. Her team is responsible for CISA’s Coordinated Vulnerability Disclosure (CVD) process, the Known Exploited Vulnerabilities (KEV) catalog, and CISA’s Stakeholder Specific Vulnerability Categorization (SSVC) process. Lindsey and her team help to maintain, support, and advance the global vulnerability ecosystem by funding and overseeing the CVE and CVE Numbering Authority (CNA) programs, leading the production and dissemination of machine-readable vulnerability enrichment information, and engaging in valuable technical collaboration with the vulnerability research community.
CISA_Vulnrichment_Year_One.pdf
MD5: eaa8e5830637a12596c400faa7d32a6e
Format: application/pdf
Last Update: April 11th, 2025
Size: 2.03 Mb
Andrew Suter (BlackBerry Ltd , CA)
How can application, package and library producers help their consumers to stay safe? CPE and PURL are the major contenders for mapping vulnerabilities to impacted software. But which is best? The answer may actually be to use both. Each has strengths and weaknesses, and both have opportunities where they may be able to improve.
Additionally we’ll explore the responsibility of software producers to provide the metadata needed for informed decision making and how organizations like Mitre and NIST can help push us towards a more informed future.
Andrew Suter is the Senior Manager of BlackBerry PSIRT. He has spent the past 10 years reviewing 3rd party vulnerability metadata to efficiently triage and prioritize actions for product engineering teams. He is a member of OWASP and of the FIRST PSIRT and CVSS SIGs.
MD5: 50391f0cd1b8dcd9883fcd72fcd148fd
Format: application/pdf
Last Update: April 11th, 2025
Size: 1.01 Mb