  • This session was presented on November 21, 2025 (10:00 - 11:00).

Description

  • Speaker

    Henrik Plate - Endor Labs

Vulnerability databases play a crucial role in modern software security, serving as the backbone for Application Security (AppSec) and Software Composition Analysis (SCA) tools. However, the accuracy and reliability of these databases vary significantly, often leading to misinformed security decisions. This talk explores the challenges associated with vulnerability databases, including incomplete data, inconsistent reporting, and the rapid evolution of software ecosystems.

While tools like SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) aim to improve vulnerability management, their effectiveness is heavily dependent on the quality of the underlying vulnerability data. Real-world examples from the Java/Maven ecosystem will illustrate how flaws in vulnerability databases can propagate through AppSec and SCA solutions, leading to false positives, missed vulnerabilities, and inefficient remediation efforts.

This presentation will provide insights into the limitations of current vulnerability databases and offer guidance on how consumers of AppSec and SCA tools can better evaluate and mitigate these risks.

Next sessions

  • Should I trust or should I go? A deep dive into the (not so reliable) web PKI trust model

    • December 19, 2025 (11:00 - 12:00)

    • Inria Center of the University of Rennes - Room Markov

    Speaker: Romain Laborde - University of Toulouse

    The padlock shown in the URL bar of our favorite web browser indicates that we are connected over a secure HTTPS connection and provides some sense of security. Unfortunately, the reality is slightly more complex. The trust model of the underlying Web PKI is invalid, making TLS a colossus with feet of clay. In this talk, we will dive into the trust model of the web PKI ecosystem to understand[…]
    • SoSysec

    • Protocols

    • Network
