Panel Discussion: Enabling Accurate, Decentralized Root Cause Mapping at Scale 

FIRST

Alec Summers (The MITRE Corporation, US), Chris Levendis (The MITRE Corporation, US), Deana O'Meara (NVIDIA, US), Erin Alexander (CISA, US)
Alec Summers is a principal cybersecurity engineer at the MITRE Corporation with diverse experience leading cybersecurity teams in software assurance, vulnerability management, attack surface analysis, and supply chain risk management. He is the day-to-day manager of the Common Weakness Enumeration (CWE) project team, overseeing content development, research, and engagement with its stakeholder community.
Deana O’Meara is a passionate product security professional with ten years of experience in vulnerability management, response, disclosure, and threat intelligence. She began her career at Carnegie Mellon’s Software Engineering Institute (SEI), working across the U.S. Department of Defense, Department of Homeland Security, and Law Enforcement on the nation’s toughest cybersecurity challenges. After leaving the SEI, Deana led the Product Security Incident Response Team (PSIRT) at Rockwell Automation, focusing on Industrial Control System (ICS) vulnerabilities and intersections with traditional IT systems. Deana led Rockwell’s involvement in the first-ever “Pwn2Own” for ICS competition hosted at the S4 conference. Most recently, Deana joined NVIDIA from the Intel Corporation, where she managed Intel PSIRT’s vulnerability communications and infrastructure team. She led several high-profile product security initiatives for Intel, including security automation, developing and implementing data visualization, bootstrapping a team to engage in emerging standards and regulations, and the infamous “Log4Shell” response.
Erin Alexander serves as the Section Chief for Ecosystem Advancement, a section under Vulnerability Management at the Cybersecurity and Infrastructure Security Agency (CISA). In this role, she is responsible for leading a team that combines products, services, data, and analysis to drive progress in and transformation of the global vulnerability ecosystem. Prior to joining CISA in 2015, Ms. Alexander worked for the Department of Homeland Security’s Fusion Centers sharing threat-related intelligence between State, Local, Tribal and Territorial (SLTT), federal and private sector partners for the purpose of prevention and response within the homeland security enterprise.
---
Root cause mapping is the identification of the underlying cause of a vulnerability. This is best done by correlating CVE records with CWE entries. Root cause mapping is not done accurately at scale by the vulnerability management ecosystem.
Root cause mapping is valuable because it directly illuminates where investments, policy, and practices can address the root causes responsible for vulnerabilities so that they can be eliminated. This applies to both industry and government decision makers. Additionally, it enables trend analysis (e.g., how big of a problem is memory safety compared to other problems like injection) as well as a valuable feedback loop into an SDLC or architecture design planning.
The Root Cause Mapping Working Group (RCM WG) was established by CVE® and CWE™ community stakeholders with the purpose of determining how to improve and scale accurate root cause mapping. Specifically, the working group is exploring the feasibility of an effective decentralized root cause mapping ecosystem to enable trend analysis and risk management.
The proposal is for a moderated panel discussion with members of the RCM WG to cover the value, challenge, and potential for accurate and decentralized root cause mapping at scale.

Published: 16 Jul 2024
