FIRST

Panel Discussion: It is a Tale as Old as Time…. a CNA, the NVD, and a CVE Consumer Walk Into a Bar. Hilarity Ensues, Right?
Christopher Robinson (Intel, US), Andrew Pollock (Google Open Source Security Team, AU), Madison Oliver (GitHub, US), Tanya Brewer (NIST, US)
Andrew Pollock is a Senior Software Engineer on Google’s Open Source Security Team, working on OSV.dev. He recently worked on converting CVEs in the National Vulnerability Database relating to Open Source software vulnerabilities into the OSV schema. As a result, he discovered a hitherto unknown passion for data quality in CVE records.
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of Enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies with experience in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds a Certified Information Systems Security Professional (CISSP) certification, Certified Secure Software Lifecycle Professional (CSSLP) certification, and The Open Group Architecture Framework (TOGAF) certification. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating in writing the FIRST PSIRT Services Framework, as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast that seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.
Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).
Tanya Brewer is a Cybersecurity Program Manager at the National Institute of Standards and Technology. She manages the National Vulnerability Database (NVD) Program, so folks around the world can know more about publicly disclosed vulnerabilities. She has worked on technical standards and program management in the areas of cybersecurity and privacy for smart grids, electric vehicles, identity management, biometrics, and industrial control systems; cybersecurity education; and workforce training. She has done so with experts from NIST, ITU-T, OECD, SAE, privacy watchdogs, power companies and co-ops, the Department of State, and the U.S. Senate. She blends her background in public policy and cybersecurity to scale complex, multi-stakeholder programs while keeping them approachable to people of all backgrounds. When not managing her team and thousands of vulnerabilities, she is crafting beautiful miniatures or using a stick to turn string into soft and warm beauty.
---
Napkin drawings aside, this panel seeks to talk through this classic “What If?” scenario by assembling a diverse team of industry and government professionals to talk about the current state of vulnerability identifiers, vulnerability databases, and how consumers interact with them. These building blocks establish the foundation for communicating and addressing vulnerabilities as they are discovered, reported, and disclosed, but the journey has not always been without challenges. Join us as we learn about the road that got us here, talk about the opportunities we continue to collaborate on, and hear about some potential future actions that could improve the ecosystem for all participants and officially start “Happy Hour”!
We discuss these and other topics in our time together:
- Challenges with scale
- Challenges with the ecosystem in its current form
- Challenges with data quality that cause challenges with automating analysis
- Challenges with OSS repo release management practices
- And MUCH MUCH more!

Published: 8 May 2024
