Contents

Description

  • Speaker

    Henrik Plate - Endor Labs

Vulnerability databases play a crucial role in modern software security, serving as the backbone for Application Security (AppSec) and Software Composition Analysis (SCA) tools. However, the accuracy and reliability of these databases vary significantly, often leading to misinformed security decisions. This talk explores the challenges associated with vulnerability databases, including incomplete data, inconsistent reporting, and the rapid evolution of software ecosystems.

While tools like SBOM (Software Bill of Materials) and VEX (Vulnerability Exploitability eXchange) aim to improve vulnerability management, their effectiveness is heavily dependent on the quality of the underlying vulnerability data. Real-world examples from the Java/Maven ecosystem will illustrate how flaws in vulnerability databases can propagate through AppSec and SCA solutions, leading to false positives, missed vulnerabilities, and inefficient remediation efforts.

This presentation will provide insights into the limitations of current vulnerability databases and offer guidance on how consumers of AppSec and SCA tools can better evaluate and mitigate these risks.

Practical information

Upcoming talks

  • CHERIoT RTOS: An OS for Fine-Grained Memory-Safe Compartments on Low-Cost Embedded Devices

    • 21 November 2025 (11:00 - 12:00)

    • Inria Center of the University of Rennes - Room Métivier

    Speaker: Hugo Lefeuvre - The University of British Columbia

    Embedded systems do not benefit from strong memory protection, because they are designed to minimize cost. At the same time, there is increasing pressure to connect embedded devices to the internet, where their vulnerable nature makes them routinely subject to compromise. This fundamental tension leads to the current status-quo where exploitable devices put individuals and critical infrastructure[…]

    • SoSysec

    • Compartmentalization

    • Operating system and virtualization

    • Hardware/software co-design

    • Hardware architecture
