Imagine you find a vulnerability in your code. A vulnerability that looks nasty and challenging to fix. What do you do?
Most developers in this situation will reach out to someone with a better security understanding for help. At first they’ll say “Oh, this does look nasty.” They’ll do some basic internet searches to learn a bit, read your code, and research the vulnerability. The more time they invest and the more data they provide back to you, the more you’ll trust their answer when they ultimately say: “Yes, you have to fix this.”
The process happens the same way when hundreds or thousands of vulnerabilities need to be addressed. With better data available, we can make better decisions. In the world of open source vulnerabilities, the vulnerability database you choose to use powers your solution and enables your decision making. And the better that database is, the better your security decisions are.
In this talk we will look at the characteristics of a high quality vulnerability database and how it helps the results of an appsec program, specifically looking at:
- The evolution of database generations
- What it takes to enable sophisticated security decisions at scale
- Examples of advanced metadata and its potential usage
Takeaways
In this session, Shani Gal, Product Lead for the Snyk Intel Vulnerability Database, will share insights on the evolution of open source vulnerability databases.
For development teams building applications we’ll look at:
- What should you expect from a vulnerability database, to make sure your time is well spent?
For security teams / development teams that own fixing vulnerabilities:
- How might you use vulnerability data to make better decisions on what should be done?
- Data you should consider when building your future system