You have a vulnerability problem. You run a scanner. Now you have two problems - vulnerabilities and a mess of scanner results to process.
Keeping up with vulnerability scanners is a struggle. Modern software services can have vulnerabilities in each of their layers. Scanners at each of these layers can produce results that require time to understand and process. False positives and overblown risk ratings can exhaust engineering team capacities.
Vulnerability management pipelines help us trend away from chaos. At LaunchDarkly, we built a vulnerability management system to support our organizational objectives. It incorporates our requirements for FedRAMP and uses a variety of serverless AWS Cloud Services to reduce operational overhead. We combine AWS Inspector, AWS Security Hub, AWS Lambdas, and other tooling to support a vulnerability management pipeline where all of our cloud production workloads are scanned at each layer. Vulnerabilities from a variety of sources can be not only combined, but processed by code. This allows us to define exceptions as configuration in code and keep our vulnerability alert actionable.
This talk will discuss the lessons learned creating our vulnerability management pipeline, where we’re headed in the future, and design considerations for other teams facing similar challenges.
Director of Security @LaunchDarkly
Alex Smolen is an engineering leader with over a decade of experience on security-focused engineering teams. He is currently Director of Security for LaunchDarkly, the industry-leading feature management service.
Previously, he was the Engineering Manager for Security and Infrastructure teams at Clever, an SSO platform used by over 50% of US K-12 schools. He was an engineer on the original Twitter security team, and a technical lead for features like two-factor and suspicious login detection. He was a security consultant at Foundstone, where he helped a wide range of software teams write secure code. He received his BS in Electrical Engineering and Computer Science from UC Berkeley, and his Masters from the School of Information at UC Berkeley.