AppSecCali 2019 - The Art of Vulnerability Management


"I am just going to ignore these tickets until they go away"
"These security tickets are ruining my product roadmap"
"This is the most obscure corner case of security, this can never happen in real life"
"Yes, I'll fix this in... 2022"

We have all heard these things from engineering teams when it comes to vulnerability management (or mismanagement). On the other hand, security teams continually feel that engineers don't listen to them or don't care about security.

How do we get away from this adversarial relationship and collaborate on vulnerabilities to make real progress?
How do we drive a sense of urgency and ownership of security so it becomes everyone's responsibility?
How do we bring a great customer experience to everyone involved in the vulnerability management process?

This talk is our story of how we transformed our vulnerability management process from a nuisance or an invisible process to a collaborative process that drives accountability and transparency.

To shift the mindset of how vulnerability management was perceived, we sought to engage with the people who interact with the program the most. In the initial investigation we conducted interviews with Security Champions, Engineering Teams, Release Management, Engineering Leadership, Security Engineers and Compliance. It was important to understand our users' perspective so that we could change the conversation around vulnerability management towards a more decentralized model. From the moment a vulnerability is opened (whether by an automated tool or a human), there are many decisions to be made. In this talk, we will discuss the parameters we put in place to govern every hand-off in a bug's life. Whether it is using CVSS v3 scoring to help prioritize vulnerabilities, recommending due dates, allowing engineers to scope the work and propose a due date, or how tickets are even acknowledged, you will learn the practices we have found successful in building a strong, yet ever-maturing vulnerability management program. Furthermore, we will share screenshots and demo the life of a vulnerability managed in our Jira Kanban boards, from both the security team's and the engineering team's perspective, which support a self-service model. When you decentralize and empower engineers to make decisions in the workflow, you have enabled them to take ownership of security.

With decision-making authority also comes accountability. This is one area we were really passionate about: ensuring there is accountability for the decisions made and visibility across the management chain. We defined key metrics that leadership cares about and that are also important to the success of the security strategy. While the metrics showed long-term trends, we found effective ways of tactically managing escalations and driving ownership through real-time dashboards. In the talk, we will share the specific metrics and charts that we reported on, as well as the various forums (meetings) that we set up with stakeholders up and down the hierarchy, which helped us drive day-to-day execution on vulnerability remediation.

To summarize, in this talk we will discuss the pain points that most organizations face in getting traction on vulnerability remediation, how we decided to tackle the challenge, the solution we built and how we drove accountability to improve the metrics. We will talk about the key decisions we made, which the audience can relate to and use to improve their own vulnerability management program. Finally, we will show templates of our Jira boards, metrics and charts that helped measure the success of the program.

Alexandra Nassar
Senior Technical Program Manager, Medallia
Alexandra works at Medallia - a customer experience management software company - as a Sr. Technical Program Manager supporting the security organization. She started her career as a project coordinator in the Dietary Supplement industry and made a big jump to software development.

Harshil Parikh
Director of Security, Medallia
Harshil Parikh leads the security team at Medallia, Inc. He is currently helping democratize security within Medallia for functions like Secure Product Development Lifecycle, DevSecOps, Monitoring & IR.


Managed by the official OWASP Media Project

Reviewed by Anonymous on March 28, 2019