Vulnerability Inbox Zero

You have a vulnerability problem. You run a scanner. Now you have two problems - vulnerabilities and a mess of scanner results to process.

Keeping up with vulnerability scanners is a struggle. Modern software services can have vulnerabilities in each of their layers. Scanners at each of these layers can produce results that require time to understand and process. False positives and overblown risk ratings can exhaust engineering team capacities.

Vulnerability management pipelines help us trend away from chaos. At LaunchDarkly, we built a vulnerability management system to support our organizational objectives. It incorporates our requirements for FedRAMP and uses a variety of serverless AWS Cloud Services to reduce operational overhead. We combine AWS Inspector, AWS Security Hub, AWS Lambdas, and other tooling to support a vulnerability management pipeline where all of our cloud production workloads are scanned at each layer. Vulnerabilities from a variety of sources can be not only combined, but processed by code. This allows us to define exceptions as configuration in code and keep our vulnerability alert actionable.

This talk will discuss the lessons learned creating our vulnerability management pipeline, where we’re headed in the future, and design considerations for other teams facing similar challenges.


Speaker

Alex Smolen

Director of Security @LaunchDarkly

Alex Smolen is an engineering leader with over a decade of experience on security-focused engineering teams. He is currently Director of Security for LaunchDarkly, the industry-leading feature management service.

Previously, he was the Engineering Manager for Security and Infrastructure teams at Clever, an SSO platform used by over 50% of US K-12 schools. He was an engineer on the original Twitter security team, and a technical lead for features like two-factor and suspicious login detection. He was a security consultant at Foundstone, where he helped a wide range of software teams write secure code. He received his BS in Electrical Engineering and Computer Science from UC Berkeley, and his Masters from the School of Information at UC Berkeley.

Read more

Date

Monday Dec 5 / 11:20AM PST ( 50 minutes )

Topics

Security Vulnerability Vulnerability Management System Pipelines

Share

From the same track

Session Security

A Big Dashboard of Problems

Monday Dec 5 / 09:00AM PST

We have all heard "an ounce of prevention is worth a pound of cure" in medicine, but the security industry isn't so sure. This talk explores the forefront of simple and effective preventative strategies.

Speaker image - Travis McPeak

Travis McPeak

Founder and CEO @ResourcelyInc

Session Security

Scaling Defenses Amidst Evolving Threat Landscape

Monday Dec 5 / 10:10AM PST

Security services that defend against malicious or fraudulent traffic operate in an unpredictable and constantly evolving threat landscape. The dynamic nature of attack traffic means that as attacks evolve, our defenses must evolve too.

Speaker image - Aditi Gupta

Aditi Gupta

Staff Security Software Engineer @Netflix

Session Security

Privacy-First Re-Architecture

Monday Dec 5 / 12:30PM PST

The tech industry grew organically the last few decades. We built new innovations on top of old. We evolved systems and technologies to meet new challenges. Decisions of the past became assumptions of today.

Speaker image - Nimisha Asthagiri

Nimisha Asthagiri

Principal Consultant @Thoughtworks