Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 28 Oct 2022
Cloud Native Computing Foundation / Cloud Native SecurityCon NA 2022 / 28 Oct 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keynote: Vulnerability Data is Not Enough: The Case for an Actionable UI - Kara Yimoyines, VMware

Description

Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io​. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.

Keynote: Vulnerability Data is Not Enough: The Case for an Actionable UI - Kara Yimoyines, Sr. Engineering Manager, VMware Tanzu

Data without the ability to act on CVEs adds little value to platform hygiene and productivity. As we recognize what we need to secure our software supply chain we understand that vulnerability data is not enough. Vulnerability data with inventory data - the form of a software bill of materials, is also not enough. Without the ability to automate remediation, understanding blast radius of your CVEs, while maintaining up-time and a golden path to production data is not helpful. Security analysts and platform engineers need a complete view that is tailored for their concerns so they can make sure remediation is done at the right level.

In this talk we’ll discuss considerations for a user interface that presents the right data to the right teams, empowers them to address any bugs or CVEs quickly, and a software bill of materials so they can make sure all the affected components and dependencies are remediated.

A

All right, good morning, uh I'm going to be doing a fair amount of reading from my notes, uh but just as I said on my wedding day, it's not that I mean the words any less I just didn't memorize them.

A

um My name is Cara I'm, a senior engineering manager from VMware and 10 years ago, I was a UI engineer at a startup called Dynamic Ops and then VMware bought us and our product became V, realize automation, which is now Aria automation, a SAS version of our infrastructure management tool.

A

We created a world-class user experience for creating Cloud templates for the provisioning and management of VMS back then we were solving for VMS. What we're now solving for containers and in the cloud native space I see similar challenges in presenting multi-faceted Concepts and I'm passionate about building API, first accessible guise that help us understand them.

A

There are few spaces more difficult than the security space and I'd like to take a look at the pain points of cves that you, your colleagues, your customers, no doubt are living with, and what we can do to alleviate them with a GUI.

A

So right now, platform operators are struggling to triage thousands and, depending on the size of your company and the sprawl of the software you're building and securing tens of thousands of instances of cves, they see a wall of critical cves in front of them and as far as they're concerned, the house is on fire and they're, not wrong.

A

The risks are incalculable, got exfiltration brand tarnishing customer data compromise. The list goes on. You wouldn't be at securitycon. If it were worth talking about the things that keep you up at night, what can we do to build an agui that will help you? Sleep I, want to take you through a couple of levels of guise to address the needs.

A

At some companies after a platform operator identifies those cves they want dealt with. They send them to developers to analyze the risk. So this might look familiar to a bunch of you. The developers run the analysis determined that they're at low risk for a given cve, but then the security analysts update the cve from perhaps pi to critical risk and platform operators, throw it back to developers and have them do another analysis of a cve that they've already done.

A

In addition, security folks are under pressure to generate reports on their compliance with slas, escalating risk and they're playing catch-up. That's pressure that pressure is sometimes passed along to the devs as well, and the tension is palpable, can only have their cortisol levels escalated for so long before they just stop caring.

A

So what's the risk of cve fatigue right now, you're, looking through horizontally scaled logs, exponentially increasing trying to find patterns in the noise, your risk is increasing, maximizing the chance that you're going to miss something critical.

A

A GUI can help prioritize work so that critical cves don't get dropped alert when things go sideways highlight hot spots. This would be your dashboard GUI, so something that's read-only give me the highlights show me something that I can take to my manager.

A

Now a GUI for cves and s-bombs is going to run into the same problem instead of CLI seim tool, because, fundamentally it's a problem of scale. The problem is so big, so deep so tall, while machines do some things particularly well. Humans have a different set of skills that are essential when it comes to assessing these vulnerabilities.

A

We're good at communication, empathy and deciding what's relevant and they're going to be some judgment, calls that you and your teams are going to have to make. We need the empathy to understand the developer experience and to respond to their exhaustion with representation of the right data at the right level.

A

The vulnerability could be in your binaries, but that binary is sitting inside a highly secure environment. So it's not going to matter or put your business at any risk.

A

uh Whoops. Apologies!

A

Oh for goodness, sakes.

A

I can't get over my notes.

A

uh Let's see uh or there's a critical vulnerability in an upstream package and it's overdue there's no fix Upstream, you can Fork it and fix it, but what's the cost of the business to mitigate a GUI that allows us to weigh the potential harm and the risk to the business? Would let me annotate the cves.

A

Oh I'm really sorry.

A

But let me annotate the cves, and so this is where I need a a Right View. That right view would allow me to do things like um uh do the shades of risk and I believe it was John Holland yesterday and his talk from City, where he talked about being able to weigh the pros and cons and put in that human factor that we couldn't do that not just having a yes and no but those areas of Gray.

A

So once you've done the analysis, you've identified the risk you've surfaced the change status to the cve. You might even have a workable plan for how to deploy it to production. Raise your hand if you've ever found your fix in the middle of the night and then at 8 am the next day. You've needed to explain it to someone to that Moment of clarity disappear.

A

Anybody lost their Moment of clarity. How are you going to share this critical information with your non-security immersed colleagues they're, the ones who have to decide if they need to pull the alarm? We need something that helps. You tell the story that GUI becomes the central location to collaborate.

A

So that communication, but that that place where cross-functional teams can come together, it's one of the reasons we incorporated backstage into our platform. uh It's it was built to enable a unified interface. This should be the space where I began, to build out a picture of The Logical architecture and what tiers are impacted by a given vulnerability. It's where I'll show the service, that's at risk and its lead times change so that when I make that change, I know the sort of impact I'll be imposing on the timeline.

A

And for whatever reason, I can't get to the rest of my notes.

A

That's really unfortunate.

A

Something about the presentation mode is making it really difficult.

A

I'm not sure what's happening there.

A

All right, so uh in any case, I will just use them from here. So ideally, I want that GUI to play nicely with other guis and with well-developed seamless handoffs between their apis. This will not be the one rule to ring them all, so the rule one ring to rule them all, but it should be both extensible and interoperable with other tools. Solving adjacent problems, so I can put them in my common sphere of understanding.

A

If you haven't yet considered a GUI tool. Now is the time there are over 2 million npm modules, npm packages and a million go modules and half a million Maven artifacts. We as a community should be building tools that don't require you to be exclusively in the terminal, building that mental model and then having been having to be the ones that carry the burden of explaining it to act on vulnerabilities reliably. We need to ensure that we surface them with empathy in a way that is accessible and actionable.

A

Thank you very much.