Triaging vulnerabilities - the way it ought to be


Description:

We all know that shifting security left is the right approach for securing our apps. We also know that it isn't enough - developers also need to be empowered to own security. They require tools that integrate into the way they are already working and they need guidance and assistance from the security team. This is especially true for the most challenging vulnerabilities of all: those that are not so easy to fix, but too important to ignore.

The industry is packed with tools that support shift left and that provide developers with better visibility into the vulnerabilities they (might be) introducing in their code. For the most part, these tools point at prioritization as the holy grail: the ultimate solution to the challenge of endless vulnerability backlogs facing overwhelmed development teams.

While good enough for some organizations, a prioritization-led approach has limitations. It will not help tackle these important but hard-to-fix vulnerabilities. It is exactly these types of vulnerabilities that challenge the shift-left model. Lucky teams might have an experienced developer on deck able to save the day, but in most cases the AppSec team will be called in for the rescue. By the time that happens, the vulnerability is already in production.

A different type of approach is needed. One that doesn't leave the developers alone at that critical stage. One that knows what questions need asking and where to look for the answers. One that's able to fully understand the application context and assess the risk the vulnerability poses. In this session, we'll dive into this specific challenge and identify the gaps in AppSec programs that exacerbate it. We'll share our approach to executing triage at scale and provide concrete solutions. We'll also play around with a common vulnerability and triage it together.

Speakers:

Tal Dromi

Product Manager, Snyk

Shani Gal

Director of Product, Snyk

Snyk is a developer security platform. Snyk not only finds vulnerabilities in code, open source and its dependencies, containers and IaC (Infrastructure as Code), but is also a tool for prioritizing and fixing them. Built on a world-leading vulnerability database, it provides Snyk's expert knowledge of vulnerabilities.


© 2024 Snyk Limited
Registered in England and Wales
