Explore the challenges and solutions in managing open source vulnerabilities through this 24-minute conference talk by Andrew Pollock from Google. Dive into the world of OSV (Open Source Vulnerabilities) and learn how it addresses the complexities of vulnerability management throughout the software development life cycle. Discover the OSV Schema, its adoption across various open source ecosystems, and its role in creating a comprehensive, distributed vulnerability database. Examine real-world implementations of the OSV Schema and its application in solving challenges related to C/C++ library vulnerabilities. Follow the journey of a typical software development life cycle, focusing on vulnerability remediation and the integration of OSV. Gain insights into reducing false positives, auto-generating VEX statements, and implementing a "guided remediation" workflow to efficiently address known vulnerabilities in dependency graphs.
Overview
Syllabus
OSV and the Life of an Open Source Vulnerability - Andrew Pollock, Google
Taught by
OpenSSF
Related Courses
-
VEXing Open Source Security - Vulnerability Data for Everything
-
Trials and Tribulations of Updating Dependencies for Vulnerability Remediation
-
Security Posture Assessment and Improvements for Open Source Projects
-
Open Source Vulnerability Management for Software Development and Cloud Environments
-
Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities
-
Breaking Free from Vulnerability Scanning Noise - Automated VEX Aggregation for Accuracy
