Program Overview

• Coordinated Disclosure Around High-Impact Cross-Industry Issues (Birds of a Feather)

  Chris Robinson, Red Hat and Lisa Bradley, Nvidia

  A session focused on talking about how to improve communication and collaboration across the industry when dealing with high-impact security events. A recent flaw will be used as a jumping off point to highlight what works well and what areas still need a lot of improvement.

  February 28, 2018 12:45-13:45

• Coordinated Vulnerability Disclosure - Today's Challenge

  Laurie Tyzenhaus, CERT/CC

  Coordinated Vulnerability Disclosure (CVD) is an ongoing challenge. We are discussing CVD in vendor forums and in-house to identify the problems and sensitivities associated with changes to the process. Our experience indicates that once more than 5 vendors are involved, our current CVD process struggles with tracking the data and communications associated with these reports. We see these types of reports about 4 times a year and expect it to increase. There are no COTS solutions that can manage the multi-vendor problem.

  Specific questions include: Can vendors work in a collaborative environment (like GitHub)? Is encryption helping or hindering discussions? How can we continue to encourage coordinated disclosure by reporters?

  We expect other CERTs already have, or soon will have to solve this problem. We hope to encourage a "coordinating" solution!

  February 28, 2018 13:45-14:45

  Tyzenhaus-PSIRT-Feb-2018.pdf

  MD5: 614322896ca48e39c38c054dea4ab03b

  Format: application/pdf

  Last Update: March 9th, 2018

  Size: 875.1 Kb

• Don’t cause the Spectre of a Meltdown: Lessons learned from one of the largest software release engines in the world

  Mechele Gruhn, Microsoft

  We all know that patching is hard. Let’s make it easier. Or at least predictable. A successful security update release starts long before the day of the patch. This session will dive into the murky waters of the security release life-cycle. Notable mistakes and successes of the past will be our guide as we look at practical best practices and guidance to help increase our mastery of the Release stage of the SDL. Creating a security update is only part of the answer. To secure our customers we need to create the tools, mechanisms and processes to enable repeatable, consistent and predictable experiences for our customers by partnering closely with security researchers, engineering teams, customer support, legal, crisis and communications teams all while following principles of coordinated vulnerability disclosure.

  This session will be targeted at companies of all sizes who have overtaxed security teams and will share content and best practices to help these teams’ product security incident response practice. Attendees will be provided with templates and actionable recommendations based on successful best practices.

  February 28, 2018 09:00-10:00

• How Mature is your PSIRT and what can you do get better?

  The PSIRT Maturity WG Panel (To be Recorded)

  The PSIRT Framework is a great tool for new and old product security teams to look at their work from a common industry-perspective. A cross-industry team of security friends helped share their years of experience so the whole PSIRT community can benefit. The Framework has been out for almost a year now, and some of you may be asking "what's next?" Join the Working Group trying to describe how PSIRTs can gauge how mature they are and steps they might consider to enhance their capabilities.

  February 27, 2018 10:30-11:30

• Lessons Learned from 24 Years of Coordinated Vulnerability Disclosure (CVD)

  Allen Householder, CERT/CC

  The CERT/CC has been coordinating vulnerability disclosures since our inception in 1988. In the past year we have been analyzing our own case tracking data going back to 1993, with a focus on the distribution of case workloads over time. In this talk I'll share our findings from that analysis, showing how over time the workload is dominated by a relatively small number of cases -- and why as a result CVD participants shouldn't rely exclusively on traditional measures such as case counts or averages when assessing the impact of their CVD efforts. The talk will also relate these findings to the CVD advice we included in the CERT Guide to Coordinated Vulnerability Disclosure.

  February 28, 2018 15:00-16:00

  20180227-Analyzing-24-Years-of-CVD-Allen-Householder-FIRST-PSIRT-TC.pdf

  MD5: 56b4eb6fa560d5ecbc08b387e4a8ea2d

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 4.64 Mb

• Mature PSIRTs Need Mature Tools (Part 1)

  Beverly Finch, Lenovo

  Handling large amounts of information across numerous vulnerabilities and communicating with everyone who needs the information can be tricky! In this talk, I will take the audience through how Lenovo has matured over the course of 3 years from tracking a few vulnerabilities in spreadsheets to Jira ticketing and then most recently to Jira + database integration.

  This presentation is needed at FIRST based on many conversations I've had with industry peers and the PSIRT community. Many PSIRTs have multiple brands with many products which have hundreds of components. Each component has hundreds (or thousands) of 3rd party source code/open source code with vulnerabilities reported every day. Exactly how does a PSIRT document, assign and track all this complexity?

  After 3 years, Lenovo has solved this problem and would like to share with other PSIRTs/CERTs who encounter similar tracking nightmares.

  I plan to document, in presentation format, lessons learned, what information to track, SLA integration/ metrics and what information we used to load the integrated database.

  February 27, 2018 11:30-12:00

  FIRST-TC-PSIRT-Tools-v1.pdf

  MD5: db2703a76b14adc296ee7915cda04b10

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 896.83 Kb

• Mature PSIRTs Need Mature Tools (Part 2)

  Tania Ward, Dell EMC

  Handling large amounts of information across numerous vulnerabilities and communicating with everyone who needs the information can be tricky! In this talk, I will take the audience through how Lenovo has matured over the course of 3 years from tracking a few vulnerabilities in spreadsheets to Jira ticketing and then most recently to Jira + database integration.

  This presentation is needed at FIRST based on many conversations I've had with industry peers and the PSIRT community. Many PSIRTs have multiple brands with many products which have hundreds of components. Each component has hundreds (or thousands) of 3rd party source code/open source code with vulnerabilities reported every day. Exactly how does a PSIRT document, assign and track all this complexity?

  After 3 years, Lenovo has solved this problem and would like to share with other PSIRTs/CERTs who encounter similar tracking nightmares.

  I plan to document, in presentation format, lessons learned, what information to track, SLA integration/ metrics and what information we used to load the integrated database.

  February 28, 2018 10:00-10:30

  Mature-PSIRTs-need-mature-Tools_TCAtlanta.pdf

  MD5: f596f6077be4e4e1f42fef5a32136589

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 2.26 Mb

• Practical Tabletop Drills for PSIRTs (Part 1)

  Ken van Wyk, KRvW and Derrick Scholl, Juniper

  You’ve built your PSIRT and planned for every conceivable situation, right? How do you know they’ll succeed when pushed to the breaking point? In a prior PSIRT FIRST TC in Raleigh, Ken van Wyk presented a practical session on how to design and deliver tabletop drills to test your incident response capabilities. In this hands-on lab session, together with Juniper’s Derrick Scholl, we’ll take that training further and run a fictional tabletop drill that has been tailored to a highly realistic PSIRT-specific nightmare scenario. The session will begin with a quick re-hash of tabletop essentials from Ken’s session in Raleigh. We will then will enroll several audience volunteers to play key PSIRT roles during the drill. The team will include key stakeholders in the fictional PSIRT’s general counsel, human resources, media communications, and executive decision team. With that audience PSIRT in place, we will then run through a realistic scenario. The remaining audience will then critique the PSIRT’s performance. Attendees will gain practical guidance on how to deliver a meaningful tabletop drill that tests their PSIRT’s capabilities under fire.

  February 27, 2018 14:00-15:00

• Practical Tabletop Drills for PSIRTs (Part 2)

  Ken van Wyk, KRvW and Derrick Scholl, Juniper

  You’ve built your PSIRT and planned for every conceivable situation, right? How do you know they’ll succeed when pushed to the breaking point? In a prior PSIRT FIRST TC in Raleigh, Ken van Wyk presented a practical session on how to design and deliver tabletop drills to test your incident response capabilities. In this hands-on lab session, together with Juniper’s Derrick Scholl, we’ll take that training further and run a fictional tabletop drill that has been tailored to a highly realistic PSIRT-specific nightmare scenario. The session will begin with a quick re-hash of tabletop essentials from Ken’s session in Raleigh. We will then will enroll several audience volunteers to play key PSIRT roles during the drill. The team will include key stakeholders in the fictional PSIRT’s general counsel, human resources, media communications, and executive decision team. With that audience PSIRT in place, we will then run through a realistic scenario. The remaining audience will then critique the PSIRT’s performance. Attendees will gain practical guidance on how to deliver a meaningful tabletop drill that tests their PSIRT’s capabilities under fire.

  February 27, 2018 15:15-16:15

  FIRST-Symposium-2018-02-Atlanta-PSIRT-TC-Tabletops-with-Derrick.pdf

  MD5: 34f4c61602370bf9bfbe3981e566d522

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 22.48 Mb

• PSIRT Framework Update

  Peter Allor, Honeywell

  February 27, 2018 09:15-10:15

  Intro-PSIRT-Framework-Overview-2018-02-26.pdf

  MD5: bb31195f4661a96f4c09a78993969504

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 4.56 Mb

• Sailing the Seas of Open Source - a year in the life of OSS security

  Chris Robinson, Red Hat

  Avast ye scurvy dogs! Set sail to ADVENTURE with a recap of the year's Open Source security as shared by Red Hat Product Security. Don't walk the plank of jumping into OSS without understanding what ye'er in for!

  February 28, 2018 10:45-11:45

  Sailing-the-Seas-of-OpenSource.pdf

  MD5: 5cadda7c5b82fead5f1f8b4ae9579d47

  Format: application/pdf

  Last Update: March 8th, 2018

  Size: 8.81 Mb

• Social

  The Barrelhouse

  The Social Event will take place at The Barrelhouse, www.barrelhouseatl.com - 22 5th St NW, Atlanta, GA 30308 from 5:30-7:30pm.

  February 27, 2018 17:30-19:30

• Standards Updates

  Art Manion, CERT/CC

  Refresh the current work on FIRST SIGs - Vuln Disclosure, CVSS, VRDX; OASIS Standards for CSAF and STIX; ISO Disclosure and Handling; IETF; CVE; NIST CSF; GFCE (we are narrowing how to cover all these and allow a discussion).

  February 27, 2018 16:15-17:15

  Atlanta_PSIRT_TC_2018_VulStandards.pdf

  MD5: 2c80d36e2e62c045dc79d650b1613daf

  Format: application/pdf

  Last Update: March 30th, 2018

  Size: 4.09 Mb

• PSIRT TC 2018
  • Call for Speakers
  • Program Overview