Speaker Details
Fred Blaise

Cloudbees

https://gist.github.com/madchap/7d582d9890697a8de846676dbcc5e709

One does not simply fix a vulnerability as a bug

Conference
Security

One may think that handling a security vulnerability is just about the fix, but do not be fooled. The journey stretches from explaining how to properly submit findings through the entire correction process, down to providing a security release/patch and extending to post-release follow-up.

Scenario: You receive what looks like a serious vulnerability report. That vulnerability highlights the fact that your whole application has an architectural flaw. Moreover, it is bound to a 30-day disclosure deadline. Welcome to reality. Adding a tad of fatality, you think that you may be just a step away from having a 0-day on Twitter.

Building on our experience managing the security of a popular open source project (Jenkins), as well as the internal security processes of our entire commercial portfolio, we will present the challenges we encountered and the solutions that let us sleep.

Scheduled on Tuesday from 15:10 to 15:55 in Room 8

Processes
Vulnerabilities
Security Best Practices