Vulnerable Dependencies — It's Not About Discovery

We are all already familiar with the risk of vulnerable dependencies. We've all heard at least one talk about why it is an issue, and have likely seen at least one demo of hacking using a vulnerable dependency. This talk is going to be different.

Instead of focusing on tools, or rehashing the issue, this talk will focus on how to actually mitigate these vulnerable dependencies. There are many tools out there for finding them, but finding them is only the first step.

The real question is — how do we start remediating these vulnerabilities once we find them? How do we get developers and product managers to care about them and prioritize fixing them? Should we fix all of them? How can we automate this process?

Join me to hear about some of the pains I had over the last few years while trying to answer some of these questions. I'll share some of the things that worked for me, and hopefully may be applicable for you as well. This talk will be vendor-neutral as it will focus more on culture and processes, instead of specific tooling.

Speaker

Omer Levi Hevroni

DevSecOps developer and advocate at Snyk, OWASP member, Kamus contributor.