VulnCon Day 1 Recap

This week the Reveald team are attending the FIRST/CVE Vulncon event, which also is notably the inaugural event of this series – and the first (that we are aware of) conference focused exclusively on vulnerability and exposure management.

Day 1 started with introductory remarks from Peter Allor of Red Hat, thoughts on supply chain security and in particular memory-safe languages, SDLC and testing tools within the Office of the National Cyber Director from Andrew Pasternak and changes in the global regulatory climate for cybersecurity and vulnerability treatment by Tan Seung Lee of the Korean Internet & Security Agency.

Art Manion (Analygence Labs) spoke on revising CVE/CNA operational rules, Andrew Pollock (Google) discussed convergence of CVEs to OSV and Yotam Perkal (Rezillion) discussed collaboration and coherence between the many different vulnerability prioritization standards.

The afternoon covered many heavy topics including:

• upstream vulnerability management by Madison Oliver (Github)
• Software Bill Of Materials (SBOM) management by Cassie Crossley (Schneider Electric)
• CVSS4 scoring by Nick Leali (CISCO)
• OSS Security Lifecycle by Lisa Bradley (Dell) and Sara Evans (Dell)
• Red Hat’s SBOM transparency program by Prezemyslaw Roguski (Red Hat)
• GitHubs advisory database by Jon Moroney (GitHub)
• a panel including Alec Summers (MITRE), Chris Levendis (Mitre), Dena O’Meara (NVIDA), Erin Alexander (CISA) on Root Cause Mapping at Scale
• Jay Jacobs (Cyentia) EPSS and vuln exploitation.

The first day of this new conference was a great success – the attendees were overwhelmingly complementary about the speakers, the event ran smoothly and on schedule, and conversation flowed during the breaks and networking sessions. Looking forward to day two!