| Track: | CISO |
|---|---|
| When: | Thu DS-3 |
| Where: | |
| Organizers: | Sherif Mansour, Steve Springett, Orid Ahmed |
Call Details:
- Join from PC, Mac, Linux, iOS or Android: https://zoom.us/j/291298605
- iPhone one-tap: US: +16699006833,291298605# or +16468769923,,291298605#
- Telephone (for higher quality, dial a number based on your current location): US: +1 669 900 6833 or +1 646 876 9923; Singapore: +65 3158 7288; United Kingdom: +44 (0) 20 3695 0088 or +44 20 3051 2874
- Meeting ID: 291 298 605
- International numbers available: https://zoom.us/u/ekps90NHw
Time: 4:00 pm
Why
Sources of vulnerability intelligence, such as the National Vulnerability Database, are used throughout the industry and are an essential data source for many commercial and open-source projects. From a software security perspective, the data available is often not adequate to identify A9 - Using Components with Known Vulnerabilities.
This is a working session between OWASP leaders and representatives of MITRE, NIST, and other agencies to discuss the current state of vulnerability intelligence, gaps in various areas, and ideas for future improvement.
What
Advances in bill-of-materials formats, such as CycloneDX, have taken a security-first approach, and efforts to reconcile the vastly different ways of identifying a component and its place in its respective ecosystem have resulted in the PackageURL specification. Both specifications are used throughout OWASP Dependency-Track.
Similarly, efforts to promote the Software Identification (SWID) specification are gaining momentum after an update in 2015. In addition, the OVAL specification has moved from MITRE to CIS.
Short presentations will be given that cover the various areas to "level-set" the working group and provide a common base of understanding from which to work.
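The component-identification problem that PackageURL addresses, as an added example (this is not code from the session page, from the purl-spec project, or from Dependency-Track): a small parser that splits a purl of the form `pkg:type/namespace/name@version?qualifiers#subpath` into its parts and reduces it to a canonical key, so that two differently spelled identifiers for the same component compare equal, which is exactly what matching an inventory against a vulnerability feed needs. Only a subset of the spec's per-type normalisation rules is implemented (type lowercased; pypi, github and bitbucket names lowercased; pypi underscores replaced by dashes); the function names and the sample identifiers are this example's own.

```python
"""Minimal PackageURL (purl) parser and normaliser (added example, not
code from the purl-spec project). Implements only a subset of the spec's
per-type rules; everything else here is an assumption of this example."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


@dataclass
class PackageURL:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def key(self) -> Tuple[str, Optional[str], str, Optional[str]]:
        """Canonical identity of a component: qualifiers and subpath do not
        change *which* component it is, so they are left out of the key."""
        return (self.type, self.namespace, self.name, self.version)


def parse_purl(purl: str) -> PackageURL:
    """Parse a purl string. Components are taken off right to left
    (subpath, qualifiers, version) before the path is split, as the spec
    describes, so a '/' inside the subpath cannot be mistaken for a
    namespace separator."""
    if not purl.startswith("pkg:"):
        raise ValueError("purl must start with 'pkg:'")
    rest = purl[len("pkg:"):].lstrip("/")  # spec tolerates 'pkg://type/...'

    subpath = None
    if "#" in rest:
        rest, raw_subpath = rest.split("#", 1)
        # Drop empty, '.' and '..' segments so a subpath cannot escape the package root.
        segments = [s for s in unquote(raw_subpath).split("/") if s not in ("", ".", "..")]
        subpath = "/".join(segments) or None

    qualifiers: Dict[str, str] = {}
    if "?" in rest:
        rest, query = rest.split("?", 1)
        for pair in query.split("&"):
            k, _, v = pair.partition("=")
            if k and v:  # an empty value means the qualifier is absent
                qualifiers[k.lower()] = unquote(v)

    version = None
    if "@" in rest:
        rest, raw_version = rest.rsplit("@", 1)
        version = unquote(raw_version)

    parts = rest.split("/")
    if len(parts) < 2 or not parts[0] or not parts[-1]:
        raise ValueError(f"purl needs at least a type and a name: {purl!r}")
    ptype = parts[0].lower()          # type is always case-insensitive
    name = unquote(parts[-1])
    ns_parts = [unquote(p) for p in parts[1:-1] if p]
    namespace = "/".join(ns_parts) if ns_parts else None

    # Per-type normalisation: subset of the spec's rules.
    if ptype in ("pypi", "github", "bitbucket"):
        name = name.lower()
    if ptype in ("github", "bitbucket") and namespace is not None:
        namespace = namespace.lower()
    if ptype == "pypi":
        name = name.replace("_", "-")

    return PackageURL(ptype, namespace, name, version, qualifiers, subpath)


def same_component(a: str, b: str) -> bool:
    """True when two purl spellings identify the same component and version."""
    return parse_purl(a).key() == parse_purl(b).key()


if __name__ == "__main__":
    # Constructed sample identifiers: two spellings of one PyPI package.
    print(same_component("pkg:pypi/Python_Dateutil@2.8.2", "pkg:pypi/python-dateutil@2.8.2"))
    print(parse_purl("pkg:maven/org.apache.commons/commons-text@1.9?type=jar"))
```

Usage note: `same_component` compares type, namespace, name and version only, which is the granularity a vulnerability feed keyed on purl would use; qualifiers such as `type=jar` stay available on the parsed object for consumers that need them.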
Outcomes
This session seeks to achieve collaboration between the various parties and produce ideas for future improvement and innovation.
References
- https://github.com/CycloneDX/specification
- https://github.com/package-url/purl-spec
- https://docs.dependencytrack.org/datasources/routing/
- https://webstore.ansi.org/RecordDetail.aspx?sku=ISO%2fIEC+19770-2%3a2015
- https://csrc.nist.gov/projects/Software-Identification-SWID
- https://oval.cisecurity.org/
Register as participant
To register as a participant, add Vulnerability Intelligence Working Group to either:
- the sessions metadata field on your participant's page (find your participant page and look for the edit link), or
- the participants metadata field on this git session page