
Crossing the Streams - How Downstream Can Understand Upstream Vulns

FIRST

Christopher Robinson (Intel, US), Madison Oliver (GitHub, US)
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies in the financial, medical, legal, and manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, and the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's cybersecurity educator with the (ISC)2 Safe-and-Secure program. He holds the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and The Open Group Architecture Framework (TOGAF) certifications. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating on the FIRST PSIRT Services Framework as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast, which seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.
Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).
---
Downstream consumers of open source software can face many challenges when it comes to addressing security vulnerabilities. Upstream open source projects are in constant motion, and they do not operate like a commercial vendor. The incentives and motivations of upstream developers are not always aligned with those of the much larger pool of downstream consumers. Many times consumers do not even know which free and open source code and libraries were baked into a commercial tool they paid for. Oftentimes the only time a consumer discovers they are affected by vulnerable open source software is during a high-profile media event, which complicates managing their risk and remediating any known issues.
In this talk we will discuss how upstream OSS developers and maintainers work, how they are informed about bugs, and how they address those issues. Downstream consumers can benefit from a better understanding of how the upstream communities that create the software they use operate, where those communities communicate, and ultimately how downstream can stay informed so they are ready to react when the next vulnerability is publicly disclosed.

Category: Science

Published: 8 May 2024
