Name: From SBOMs to F-Bombs: Vulnerability Analysis, and False Positives & Negatives
Start: 2024-03-21T18:00:00-04:00
End: 2024-03-21T20:00:00-04:00
Location: Improving

Managing vulnerabilities in third party software has become an important application security activity. Vulnerabilities like Log4Shell and various supply chain attacks such as SolarWinds or CodeCov and numerous others have given many of us haunting nightmares resulting us sleeping with one eye open. Fortunately, Software Composition Analysis (SCA) tools coupled with Software Bill of Materials (SBOMs) have done so much to relieve that anxiety. Or not. This talk explores the vulnerability management process through the eyes of a FOSS security library provider and examines what we can do as AppSec engineers and developers to make the whole process a bit less painful.

Bill Sempf

Kevin W. Wall

David Hunt

OWASP Columbus Chapter (Moving to OWASP.org)

OWASP Foundation 

OWASP Global Strategic Group

40% off of print and 50% off of ebook orders

O'Reilly

Technology

Computer Security

Web Security

OWASP

Information Security

Application Security

Software Security

Ethical Hacking

Cloud Security

Web Application Security

I have been involved in application security for almost the past 20+ years, but I still considers myself a developer first and an AppSec engineer second. During most of those past 20 years, I have specialized in applied cryptography and web AppSec. Before transitioning to AppSec, I spent 17 years at (now Nokia, then AT&T) Bell Labs doing mostly systems programming. I left Bell Labs as a DMTS in 1996 to become an independent consultant in C++ and Java.  I became involved in the OWASP Enterprise Security API (ESAPI) project in early fall of 2009, and after redesigning and rewriting all the symmetric cryptography related classes, I somehow found myself "elected" as co-project lead of ESAPI in 2011. I also spent from 2000- 2007 as an adjunct faculty member on the Franklin University CS staff where I taught Distributed Operating Systems and Computer Security. I recently ended an 8 year stint working on the Wells Fargo Secure Code Review team and have recently left Wells Fargo. I am now working on AppSec at Verisign. When I am not around code, I wax eloquently on 3-4 page TL;DR discourses that I post on various mailing lists or I hang out with other dinosaur friends at local watering holes discussing AppSec, coding, sports, puns, and quantum physics.

Kevin Wall