Vulnerability Intelligence Working Group

Track: CISO
When: Thu DS-3
Organizers Sherif Mansour Sherif Mansour , Steve Springett Steve Springett , Orid Ahmed Orid Ahmed

Call Details:

Join from PC, Mac, Linux, iOS or Android:

Or iPhone one-tap : US: +16699006833,291298605# or +16468769923,,291298605# Or Telephone: Dial(for higher quality, dial a number based on your current location): US: +1 669 900 6833 or +1 646 876 9923 Singapore: +65 3158 7288 United Kingdom: +44 (0) 20 3695 0088 or +44 20 3051 2874 Meeting ID: 291 298 605 International numbers available:

And it is 4:00 pm


Sources of vulnerability intelligence, such as the National Vulnerability Database, are used throughout the industry and are an essential datasource for many commercial and open-source projects. From a software security perspective, the data available is often not adequate to identify A9 - Using Components with Known Vulnerabilities.

This is a working session between OWASP leaders and representatives of MITRE, NIST, and other agencies to discuss the current state of vulnerability intelligence, gaps in various areas, and ideas for future improvement.


Advances in bill-of-material formats, such as CycloneDX have taken a security-first approach, and efforts to combat vastly different ways to identify a component and its place in its respective ecosystem have resulted in the PackageURL specification. These specifications are used throughout OWASP Dependency-Track.

Similarly, efforts to promote the Software Identification (SWID) specification is gaining momentum after an update in 2015. In addition, the OVAL specification has moved from MITRE to CIS.

Short presentations will be given that cover the various areas to “level-set” the working group and provide a common base of understanding in which to work from.


This session seeks to achieve collaboration between the various parties and produce ideas for future improvement and innovation.


Register as participant

To register as participant add Vulnerability Intelligence Working Group to either:

  1. the sessions metadata field from your participant's page (find your participant page and look for the edit link).
  2. or the participants metadata field from this git session page

Back to list of all Working Sessions