Panel Discussion: This One Time at CVD Camp 

FIRST

Art Manion (ANALYGENCE Labs, US), Deana O'Meara (NVIDIA, US), Madison Oliver (GitHub, US), Christopher Robinson (Intel, US)
Art Manion is the Deputy Director of ANALYGENCE Labs, where he and his team perform in-depth vulnerability analysis and coordinated vulnerability disclosure. Art has led and contributed to a variety of vulnerability-related efforts in ISO/IEC JTC 1/SC 27, the CVE Program (Board member), the Forum of Incident Response and Security Teams (FIRST), and the (US) National Telecommunications and Information Administration (NTIA). Art works closely with the (US) Cybersecurity and Infrastructure Security Agency (CISA) and previously managed vulnerability analysis at the CERT Coordination Center (CERT/CC).
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security. With 25 years of enterprise-class engineering, architectural, operational and leadership experience, Chris has worked at several Fortune 500 companies in the Financial, Medical, Legal, and Manufacturing verticals, and spent 6 years helping lead the Red Hat Product Security team as their Program Architect. CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, and the (ISC)2 World Congress, and was named a "Top Presenter" for the 2017 and 2018 Red Hat Summits. CRob was the President of the Cleveland (ISC)2 Chapter, and is also a children's Cybersecurity Educator with the (ISC)2 Safe-and-Secure program. He holds the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and The Open Group Architecture Framework (TOGAF) certifications. He is heavily involved in the Forum of Incident Response and Security Teams (FIRST) PSIRT SIG, collaborating on the FIRST PSIRT Services Framework as well as the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the Open Source Security Foundation (OpenSSF) Vulnerability Disclosures and OSS Developer Best Practices working groups. CRob is one of the hosts of The Security Unhappy Hour podcast, which seeks to educate Product and Computer Incident Response teams. He enjoys hats, herding cats, and moonlit walks on the beach.
Deana O’Meara is a passionate product security professional with ten years of experience in vulnerability management, response, disclosure, and threat intelligence. She began her career at Carnegie Mellon’s Software Engineering Institute (SEI), working across the U.S. Department of Defense, Department of Homeland Security, and Law Enforcement on the nation’s toughest cybersecurity challenges. After leaving the SEI, Deana led the Product Security Incident Response Team (PSIRT) at Rockwell Automation, focusing on Industrial Control System (ICS) vulnerabilities and intersections with traditional IT systems. Deana led Rockwell’s involvement in the first-ever “Pwn2Own” for ICS competition hosted at the S4 conference.
Madison Oliver is a vulnerability transparency advocate and Senior Security Manager at GitHub, leading the Advisory Database Curation team. She is passionate about vulnerability reporting, response, and disclosure, and her views are enriched by her prior experience as a product incident response analyst at GitHub and as a vulnerability coordinator at the CERT Coordination Center (CERT/CC) at the Software Engineering Institute at Carnegie Mellon University (CMU).
---
Coordinated Vulnerability Disclosure (CVD) is the standard for how commercial vendors, coordinators, and actors like Information Sharing and Analysis Centers (ISACs) communicate and prepare end-consumers as new vulnerabilities are discovered, reported, and fixed. Depending on the scope of the vulnerability's impact and the maturity and experience of the parties participating in the coordination, consumers' actual experiences may differ greatly. Join this expert panel as they share their experiences of what has been successful in managing industry-impacting vulnerabilities, and hear about a few experiences that were... less successful. The panel will explore the following CVD topics:
- How does CVD differ for various product types (HW/FW/SW)?
- What are the typical expectations or industry trends? (Thinking aloud: have the FW ecosystem talk about why sometimes things just... take a while.)
- How is SBOM aiding vulnerability response? (Log4j trauma)
- Where are we automating?
- How are organizations dealing with new Bug Bounty platforms that operate in the gray space?
- Are more coordination bodies coming to the forefront and following the CERT/CC model?

Category: Science

Published: 8 May 2024
