Vulnerability Inbox Zero

You have a vulnerability problem. You run a scanner. Now you have two problems - vulnerabilities and a mess of scanner results to process.

Keeping up with vulnerability scanners is a struggle. Modern software services can have vulnerabilities in each of their layers. Scanners at each of these layers can produce results that require time to understand and process. False positives and overblown risk ratings can exhaust engineering team capacities.

Vulnerability management pipelines help us trend away from chaos. At LaunchDarkly, we built a vulnerability management system to support our organizational objectives. It incorporates our FedRAMP requirements and uses a variety of serverless AWS services to reduce operational overhead. We combine Amazon Inspector, AWS Security Hub, AWS Lambda, and other tooling into a pipeline in which every cloud production workload is scanned at each layer. Findings from a variety of sources are not only combined but processed by code. This lets us define exceptions as configuration in code and keep our vulnerability alerts actionable.
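
The abstract describes findings flowing from scanners into Security Hub and then being processed by Lambda code that applies exceptions kept as configuration. The following is an added illustration of that pattern, written for this page; it is not LaunchDarkly's code and the talk does not publish its implementation. It assumes a Lambda triggered by the EventBridge "Security Hub Findings - Imported" event, whose `detail.findings` list carries findings in the AWS Security Finding Format (ASFF). The exception entries, resource ARNs and CVE-style identifiers (`CVE-0000-...`) are constructed placeholders. The practitioner's caveats are built in: every exception needs a reason and an expiry, expired exceptions stop suppressing, and suppressions are expressed as `BatchUpdateFindings` payloads so the decision is recorded in Security Hub rather than silently dropped.

```python
"""Triage Security Hub findings against exceptions kept as code (added example)."""
from datetime import date
import fnmatch

# Exceptions as configuration in code. Constructed sample entries, not real CVEs.
# Every entry carries a reason and an expiry so suppressions get re-reviewed.
EXCEPTIONS = [
    {
        "vulnerability_id": "CVE-0000-0001",  # placeholder identifier
        "resource": "arn:aws:ecr:us-east-1:123456789012:repository/api/*",
        "reason": "vulnerable function not reachable; fix lands in next base image",
        "expires": "2099-01-01",
    },
    {
        "vulnerability_id": "CVE-0000-0002",  # placeholder identifier
        "resource": "arn:aws:ecr:us-east-1:123456789012:repository/*",
        "reason": "expired entry; must no longer suppress anything",
        "expires": "2000-01-01",
    },
]

# Only these ASFF severity labels page a human; the rest stay in the dashboard.
ALERT_LABELS = {"HIGH", "CRITICAL"}


def exception_for(finding, exceptions=EXCEPTIONS, today=None):
    """Return the first unexpired exception matching the finding, else None."""
    today = today or date.today()
    vuln_ids = {v.get("Id") for v in finding.get("Vulnerabilities", [])}
    resource_ids = [r.get("Id", "") for r in finding.get("Resources", [])]
    for exc in exceptions:
        if date.fromisoformat(exc["expires"]) < today:
            continue  # expired exceptions are ignored, not honoured
        if exc["vulnerability_id"] not in vuln_ids:
            continue
        if any(fnmatch.fnmatch(rid, exc["resource"]) for rid in resource_ids):
            return exc
    return None


def triage(findings, exceptions=EXCEPTIONS, today=None):
    """Split findings into alert ids and BatchUpdateFindings payloads for suppressions."""
    alerts, updates = [], []
    for f in findings:
        if f.get("Workflow", {}).get("Status") == "RESOLVED":
            continue
        exc = exception_for(f, exceptions, today)
        if exc:
            # Each dict is a valid kwargs set for securityhub.batch_update_findings().
            updates.append({
                "FindingIdentifiers": [{"Id": f["Id"], "ProductArn": f["ProductArn"]}],
                "Workflow": {"Status": "SUPPRESSED"},
                "Note": {
                    "Text": f"exception: {exc['reason']} (expires {exc['expires']})",
                    "UpdatedBy": "vuln-pipeline",
                },
            })
        elif f.get("Severity", {}).get("Label") in ALERT_LABELS:
            alerts.append(f["Id"])
    return alerts, updates


def handler(event, context=None):
    """Lambda entry point for an EventBridge 'Security Hub Findings - Imported' event."""
    findings = event.get("detail", {}).get("findings", [])
    alerts, updates = triage(findings)
    # In a deployed function the caller would run
    # boto3.client("securityhub").batch_update_findings(**u) for each update
    # and page on the alert ids; both are left out so this module runs offline.
    return {"alerts": alerts, "suppressions": updates}


# Constructed sample event in the shape EventBridge delivers (not captured data).
_PRODUCT = "arn:aws:securityhub:us-east-1::product/aws/inspector"
_REPO = "arn:aws:ecr:us-east-1:123456789012:repository/"
SAMPLE_EVENT = {"detail": {"findings": [
    {"Id": "finding-1", "ProductArn": _PRODUCT, "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": _REPO + "api/sha256:aaa"}],
     "Vulnerabilities": [{"Id": "CVE-0000-0001"}]},            # matched, suppressed
    {"Id": "finding-2", "ProductArn": _PRODUCT, "Severity": {"Label": "HIGH"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": _REPO + "web/sha256:bbb"}],
     "Vulnerabilities": [{"Id": "CVE-0000-0002"}]},            # exception expired, alert
    {"Id": "finding-3", "ProductArn": _PRODUCT, "Severity": {"Label": "LOW"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": _REPO + "web/sha256:ccc"}],
     "Vulnerabilities": [{"Id": "CVE-0000-0003"}]},            # below threshold
    {"Id": "finding-4", "ProductArn": _PRODUCT, "Severity": {"Label": "CRITICAL"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Type": "AwsEcrContainerImage", "Id": _REPO + "web/sha256:ddd"}],
     "Vulnerabilities": [{"Id": "CVE-0000-0001"}]},            # wrong resource, alert
]}}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

Scoping an exception to both a vulnerability id and a resource pattern is deliberate: a blanket suppression of a CVE across every workload is how exceptions quietly outlive the reason they were granted. Because the exception list is code, it can be reviewed in a pull request and the expiry can be enforced by the same pipeline that honours it.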

This talk will discuss the lessons learned creating our vulnerability management pipeline, where we’re headed in the future, and design considerations for other teams facing similar challenges.

Speaker

Alex Smolen

Director of Security @LaunchDarkly

Alex Smolen is an engineering leader with over a decade of experience on security-focused engineering teams. He is currently Director of Security for LaunchDarkly, the industry-leading feature management service.

Previously, he was the Engineering Manager for Security and Infrastructure teams at Clever, an SSO platform used by over 50% of US K-12 schools. He was an engineer on the original Twitter security team, and a technical lead for features like two-factor and suspicious login detection. He was a security consultant at Foundstone, where he helped a wide range of software teams write secure code. He received his BS in Electrical Engineering and Computer Science from UC Berkeley, and his Masters from the School of Information at UC Berkeley.

Date

Wednesday Oct 26 / 01:40PM PDT ( 50 minutes )

From the same track

Session

A Big Dashboard of Problems

Wednesday Oct 26 / 10:35AM PDT

We have all heard "an ounce of prevention is worth a pound of cure" in medicine, but the security industry isn't so sure. This talk explores the forefront of simple and effective preventative strategies.

Travis McPeak

Founder and CEO @ResourcelyInc

Session

Scaling Defenses Amidst Evolving Threat Landscape

Wednesday Oct 26 / 11:50AM PDT

Security services that defend against malicious or fraudulent traffic operate in an unpredictable and constantly evolving threat landscape. The dynamic nature of attack traffic means that as attacks evolve, our defenses must evolve too.

Aditi Gupta

Staff Security Software Engineer @Netflix

Session

Privacy-First Re-Architecture

Wednesday Oct 26 / 04:10PM PDT

The tech industry grew organically the last few decades. We built new innovations on top of old. We evolved systems and technologies to meet new challenges. Decisions of the past became assumptions of today.

Nimisha Asthagiri

Principal Consultant @Thoughtworks

Session

Practical Security Panel

Wednesday Oct 26 / 02:55PM PDT

Details coming soon.