Dissect a 0-Day Supply Chain Vulnerability & 3 Metrics DevSecOps Programs Need
Details
Watch link for tonight: https://www.youtube.com/watch?v=eJoSnS5ToX4&ab_channel=DevSecOps-LondonGathering
Agenda:
It's December and we're back online this time - with not just one but two brilliant speakers! Stay warm indoors and join us for a discussion on 0-day discoveries and the three metrics all DevSecOps programs really need.
RSVP and you'll be sent a joining link
18:00 - Welcomes and intros
18:15 - First talk - Larry Maccherone
18:45 - Second talk - Moshe Zioni
Followed by an online chat with the speakers
First talk abstract:
The 3 Metrics Every DevSecOps Program Should Be Tracking
You may be using % of applications being scanned or maybe mean time to remediate to track the effectiveness of your application security program but both of those metrics drive unintended behaviors. This talk will explain why those are bad and provide two alternatives that avoid the pitfalls of those metrics as well as introduce a third metric that is even more important for the success of your DevSecOps cultural transformation.
Speaker bio:
Larry Maccherone
Larry Maccherone is a thought leader on DevSecOps, Agile, and Analytics. At Comcast, Larry launched and scaled the DevSecOps Transformation program over five years. In his DevSecOps Transformation role at Contrast, he's now looking to apply what he learned to guide organizations with a framework for safely empowering development teams to take ownership of the security of their products. Larry was a founding Director at Carnegie Mellon's CyLab, researching cybersecurity and software engineering. While there, he co-led the launch of the DHS-funded Build-Security-In initiative. Larry has also served as Principal Investigator for the NSA's Code Assessment Methodology Project which wrote the book on how to evaluate application security tools, and received the Department of Energy's Los Alamos National Labs Fellow award. Contact Larry on his LinkedIn page: https://www.linkedin.com/in/LarryMaccherone
Second talk abstract:
Dissecting the Discovery of the 0-Day Supply Chain Vulnerability in Argo CD
We will walk through the details of the vulnerability found in Argo CD (CVE-2022-24348) and the process that led to the finding. The discussion will include a deep dive into:
- A trace through the historical evolution of Argo CD's manifest-handling mechanisms and its eventual pitfall
- How an attacker could circumvent Argo CD's defenses to exploit the vulnerability and steal sensitive information
- Remediation steps and why the vulnerability matters to the ecosystem
Speaker bio:
Moshe Zioni
Listed in "27 influential penetration testers in 2020" by Peerlyst. Moshe has been researching security for over 20 years in multiple industries, specialising in penetration testing, detection algorithms and incident response. He is a constant contributor to the hacking community and has been a co-founder of the Shabbatcon security conference for the past 6 years. He expresses views and presents research on stages and at conferences worldwide, always enjoys healthy conversations on evolving security topics, and believes in tutoring as a key to shifting security mindsets.