Next Wednesday at 10:45AM EDT, I’ll be participating in a webinar with the above title, which is part of the Autumn Online Summit of Infosecurity Magazine. Here’s the official description of the webinar:
Software vulnerabilities are one of the biggest cyber-threats
to organizations, with a record number of vulnerability disclosures in 2023.
Zero days are being actively exploited by sophisticated threat groups, as
demonstrated by the Ivanti vulnerabilities that were discovered earlier this
year.
The continuous process of applying fixes to vulnerabilities
across all software stacks is an overwhelming task for many organizations. A
new strategy is needed to make vulnerability management a sustainable and
effective process.
A panel of experts will discuss best practice approaches for
a modern vulnerability management program, tailored to business risk and
prioritization.
Sign up (for free) to hear:
· How threat actors target software vulnerabilities, and why this tactic is often so damaging
· Vulnerability management challenges across an increasingly complex tech stack
· How to create a sustainable software patch management program, tailored to business needs.
One of the other two panel members is Lindsey Cerkovnik, Branch
Chief, Vulnerability Response and Coordination, CISA. In our prep meeting last
week, I brought up the fact that the NVD now has a huge
backlog of CVEs lacking a CPE software identifier. Since a CVE report without
a CPE name is currently useless for purposes of automated vulnerability
management, this means any organization searching the NVD for vulnerabilities applicable
to the software products it uses will see only a tiny percentage (less than 1%)
of vulnerabilities that might apply to those products, if those vulnerabilities
were identified after early February.
Lindsey pointed out that CVE reports can now include purl
identifiers for software, so the lack of CPEs today
might become a non-issue soon. However, I noted that at the moment, there are a
number of roadblocks to including purls in CVE reports. These include the fact
that there’s no agreed-upon method for creating a purl for a proprietary software
product – although I also noted that the SBOM Forum has two good ideas for how
to overcome this problem.
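To make concrete why a CVE record with no CPE is invisible to automated lookup, and why a purl carried in the record would restore visibility, here is an added illustration (written for this post, not code from the NVD, CISA or the CVE program). It matches a small asset inventory against three constructed CVE records shaped like NVD API 2.0 JSON (`configurations[].nodes[].cpeMatch[]` with `criteria`, `vulnerable` and the `versionStart*`/`versionEnd*` range fields). The CVE identifiers are placeholders, and the way a purl is carried per affected product (`affected[].packageURL`) is an assumed field name used only to show the alternative lookup, not the CVE record format's actual schema.

```python
"""CPE-based vs purl-based matching of an asset inventory against CVE records.

Added example for this post, not NVD or CVE program code. Record shapes imitate
the NVD API 2.0 JSON; the per-product 'packageURL' field is an ASSUMPTION.
"""


def split_cpe(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 colon-separated fields
    (cpe, 2.3, part, vendor, product, version, update, edition, language,
    sw_edition, target_sw, target_hw, other). Escaped colons are not handled."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields


def version_key(v: str) -> tuple:
    """Sort key for dotted versions: numeric components compare as integers,
    anything else as a string after the numeric ones."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cpe_matches(match: dict, asset_cpe: str) -> bool:
    """True if an asset CPE is covered by one NVD cpeMatch entry: every field of
    the criteria must be '*' or equal to the asset's field, and the asset version
    must fall inside the optional version range fields."""
    crit, inst = split_cpe(match["criteria"]), split_cpe(asset_cpe)
    if any(c not in ("*", a) for c, a in zip(crit, inst)):
        return False
    v = inst[5]
    if v in ("*", "-"):
        return True  # inventory recorded no version, so the range cannot narrow it
    vk = version_key(v)
    if "versionStartIncluding" in match and vk < version_key(match["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in match and vk <= version_key(match["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in match and vk > version_key(match["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in match and vk >= version_key(match["versionEndExcluding"]):
        return False
    return True


def cves_by_cpe(records: list[dict], inventory_cpes: list[str]) -> set[str]:
    """CPE-based lookup, the way today's tooling works: a record that carries no
    'configurations' (the NVD enrichment backlog) can never be returned."""
    hits = set()
    for rec in records:
        for cfg in rec.get("configurations", []):
            for node in cfg.get("nodes", []):
                for m in node.get("cpeMatch", []):
                    if m.get("vulnerable", True) and any(cpe_matches(m, a) for a in inventory_cpes):
                        hits.add(rec["id"])
    return hits


def split_purl(purl: str) -> dict:
    """Minimal purl parser: pkg:type/namespace/name@version. Qualifiers and
    subpath are dropped; percent-encoding and type-specific name rules are not applied."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("#", 1)[0].split("?", 1)[0]
    path, _, version = body.partition("@")
    parts = path.strip("/").split("/")
    return {"type": parts[0].lower(), "namespace": "/".join(parts[1:-1]),
            "name": parts[-1], "version": version}


def cves_by_purl(records: list[dict], inventory_purls: list[str]) -> set[str]:
    """purl-based lookup: needs no NVD enrichment, only a purl in the record itself.
    ASSUMPTION: the purl sits in affected[].packageURL of the record."""
    wanted = {(p["type"], p["namespace"], p["name"]): p["version"]
              for p in map(split_purl, inventory_purls)}
    hits = set()
    for rec in records:
        for aff in rec.get("affected", []):
            if not aff.get("packageURL"):
                continue
            p = split_purl(aff["packageURL"])
            key = (p["type"], p["namespace"], p["name"])
            if key in wanted and (not p["version"] or p["version"] == wanted[key]):
                hits.add(rec["id"])
    return hits


# Constructed sample data (placeholder CVE ids, fictitious vendor/product names).
RECORDS = [
    {"id": "CVE-SAMPLE-0001",  # enriched by NVD: widget before 2.4.0 is affected
     "configurations": [{"nodes": [{"cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "2.4.0"}]}]}]},
    {"id": "CVE-SAMPLE-0002",  # in the backlog: no CPE, but a purl in the record
     "affected": [{"packageURL": "pkg:pypi/examplelib@1.2.0"}]},
    {"id": "CVE-SAMPLE-0003",  # enriched, but the range excludes our version
     "configurations": [{"nodes": [{"cpeMatch": [
         {"vulnerable": True, "criteria": "cpe:2.3:a:examplecorp:widget:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "2.0.0"}]}]}]},
]
INVENTORY_CPES = ["cpe:2.3:a:examplecorp:widget:2.3.1:*:*:*:*:*:*:*"]
INVENTORY_PURLS = ["pkg:pypi/examplelib@1.2.0"]


def report() -> dict:
    """Both views side by side; the backlog record shows up only via purl."""
    return {"by_cpe": cves_by_cpe(RECORDS, INVENTORY_CPES),
            "by_purl": cves_by_purl(RECORDS, INVENTORY_PURLS)}


if __name__ == "__main__":
    print(report())
```

Run as a script it shows that the CPE path returns only CVE-SAMPLE-0001 (CVE-SAMPLE-0003 is correctly filtered by its version range), while CVE-SAMPLE-0002, which has no CPE at all, surfaces only through the purl path. A real scanner would also need to handle `vulnerable: false` nodes, AND-operator nodes, and the purl specification's type-specific normalization, none of which the point above depends on.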
It should be an interesting webinar! If you can’t make it, a
recording will be available for anybody to access.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
I lead the OWASP SBOM Forum and its Vulnerability Database Working Group. These two
groups work to understand and address issues like what’s discussed in this
post; please email me to learn more about what we do or to join us. You can
also support our work through easy directed donations to OWASP, a 501(c)(3)
nonprofit, which are passed through to the SBOM Forum. Please email me to
discuss that.
My book "Introduction to SBOM and VEX"
is available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.