Security Lorax, Open Source Cat Herder
Christopher Robinson (aka CRob) is the Director of Security Communications at Intel Product Assurance and Security and a community leader within the Open Source Security Foundation (OpenSSF). CRob is a 42nd level Dungeon Master and a 25th level Securityologist. He has worked at several Fortune 500 companies, with experience in the Financial, Insurance, Legal, Manufacturing, and Medical verticals. CRob has been involved in upstream open source security for a decade and spent 6 years helping lead the Red Hat Product Security team as its Program Architect. He leads several OpenSSF efforts and is a frequent speaker on cyber, application, and open source security.
CRob has been a featured speaker at Gartner's Identity and Access Management Summit, RSA, BlackHat, DefCon, Derbycon, and the (ISC)2 World Congress, and was named a "Top Presenter" at the 2017 and 2018 Red Hat Summits. CRob was President of the Cleveland (ISC)2 Chapter and is a children's cybersecurity educator with the (ISC)2 Safe-and-Secure program. He holds the Certified Information Systems Security Professional (CISSP), Certified Secure Software Lifecycle Professional (CSSLP), and The Open Group Architecture Framework (TOGAF) certifications. He is heavily involved in the Forum for Incident Response and Security Teams (FIRST) PSIRT SIG, where he collaborated on the FIRST PSIRT Services Framework and the PSIRT Maturity Assessment framework. CRob is also the lead/facilitator of the OpenSSF Vulnerability Disclosures and OSS Developer Best Practices working groups, and a Technical Advisory Committee (TAC) chairperson.
He enjoys hats, herding cats, and moonlit walks on the beach.
Lazy guide to open source software risk assessment
Open source software is pervasive throughout the world. Most commercial software incorporates it in some form, yet many consumers neither realize this nor know how to review and react to changes from their upstream providers.
This session will explore simple techniques and tools consumers can implement to better understand what is inside the software they use every day, and the steps they can take to manage the risk that comes with that use of open source software.
Topics covered:
- The basics of implementing risk management
- Deep dive into a potential open source supply chain attack
- Review of common open source supply chain risk management mistakes and how to mitigate them
- Survey of risk management tools and data sources that help evaluate third-party software, such as CVE, CVSS, VEX, OSV, and others
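As an added illustration of how those four pieces fit together in a "lazy" triage loop (this is example code written for this page, not material from the talk or from OpenSSF), the script below takes an SBOM-style component list, matches it against OSV-format advisories, computes each advisory's CVSS v3.1 base score from the vector string OSV carries, and then applies an OpenVEX document so that findings the supplier has marked `not_affected` drop out of the actionable list. All package names, purls, advisory IDs and CVE numbers are constructed placeholders; version comparison is simplified to dotted integers (no pre-release handling), and only the `CVSS_V3` severity type is scored.

```python
"""Lazy OSS risk triage: SBOM components x OSV advisories, scored with
CVSS v3.1, filtered through OpenVEX. Added example with constructed data."""
import math
import re

# CVSS v3.1 base-metric weights from the FIRST specification
_W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}, "AC": {"L": 0.77, "H": 0.44},
      "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.50}}

def _roundup(x):
    # CVSS v3.1 Roundup(): smallest one-decimal value >= x, done on integers
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    m = dict(p.split(":") for p in vector.split("/")[1:])   # drop "CVSS:3.1"
    s = m["S"]
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[s][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min(impact + expl if s == "U" else 1.08 * (impact + expl), 10))

def _vkey(v):
    # Simplification: compare dotted numeric parts only ("0" -> (0,))
    return tuple(int(x) for x in re.findall(r"\d+", v))

def _range_hits(version, rng):
    # OSV events form half-open intervals [introduced, fixed) or closed [.., last_affected]
    v, start = _vkey(version), None
    for ev in rng.get("events", []):
        if "introduced" in ev:
            start = _vkey(ev["introduced"])
        elif start is not None and "fixed" in ev:
            if start <= v < _vkey(ev["fixed"]):
                return True
            start = None
        elif start is not None and "last_affected" in ev:
            if start <= v <= _vkey(ev["last_affected"]):
                return True
            start = None
    return start is not None and start <= v   # interval never closed: still affected

def osv_affects(advisory, component):
    for a in advisory.get("affected", []):
        pkg = a.get("package", {})
        if (pkg.get("ecosystem"), pkg.get("name")) != (component["ecosystem"], component["name"]):
            continue
        if component["version"] in a.get("versions", []):
            return True
        if any(_range_hits(component["version"], r) for r in a.get("ranges", [])
               if r.get("type") in ("SEMVER", "ECOSYSTEM")):
            return True
    return False

def vex_status(vex_doc, vuln_names, purl):
    """(status, justification) of the last OpenVEX statement naming this vuln for
    exactly this product purl, or None when the supplier has said nothing."""
    hit = None
    for st in vex_doc.get("statements", []):
        if st["vulnerability"]["name"] in vuln_names and any(
                p.get("@id") == purl for p in st.get("products", [])):
            hit = (st["status"], st.get("justification"))
    return hit

def triage(components, advisories, vex_doc):
    findings = []
    for c in components:
        for adv in advisories:
            if not osv_affects(adv, c):
                continue
            names = [adv["id"]] + adv.get("aliases", [])
            score = max((cvss31_base_score(s["score"]) for s in adv.get("severity", [])
                         if s["type"] == "CVSS_V3"), default=None)
            status, why = vex_status(vex_doc, names, c["purl"]) or ("affected", None)
            findings.append({"purl": c["purl"], "id": adv["id"], "aliases": names[1:],
                             "score": score, "status": status, "justification": why})
    return sorted(findings, key=lambda f: -(f["score"] or 0))   # most severe first

def actionable(findings):
    return [f for f in findings if f["status"] not in ("not_affected", "fixed")]

# Constructed inputs: not real packages, advisories, CVE numbers or suppliers
COMPONENTS = [
    {"name": "examplelib", "ecosystem": "PyPI", "version": "1.4.0", "purl": "pkg:pypi/examplelib@1.4.0"},
    {"name": "otherlib", "ecosystem": "PyPI", "version": "2.0.5", "purl": "pkg:pypi/otherlib@2.0.5"},
    {"name": "safelib", "ecosystem": "PyPI", "version": "3.1.0", "purl": "pkg:pypi/safelib@3.1.0"}]
ADVISORIES = [
    {"id": "EXAMPLE-0001", "aliases": ["CVE-0000-0001"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "examplelib"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}]}],
     "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "EXAMPLE-0002", "aliases": ["CVE-0000-0002"],
     "affected": [{"package": {"ecosystem": "PyPI", "name": "otherlib"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "2.0.0"}, {"fixed": "2.0.7"}]}]}],
     "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]},
    {"id": "EXAMPLE-0003",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "safelib"},
                   "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "3.0.0"}]}]}],
     "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}]}]
VEX = {"@context": "https://openvex.dev/ns/v0.2.0", "author": "Example Supplier PSIRT", "statements": [
    {"vulnerability": {"name": "CVE-0000-0002"}, "products": [{"@id": "pkg:pypi/otherlib@2.0.5"}],
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"}]}

if __name__ == "__main__":
    for f in triage(COMPONENTS, ADVISORIES, VEX):
        print(f"{f['purl']:<28} {f['id']:<13} {f['score']!s:>4}  {f['status']} {f['justification'] or ''}")
```

Two design points worth noting: VEX is matched on the exact product purl (version included), because a `not_affected` statement for one build says nothing about another, and the CVSS score is recomputed from the vector rather than trusted as a number, so a consumer can see which metric (network reachability, privileges required, impact) is driving the priority before deciding whether to patch, pin, or accept the risk.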
Time: 9:45 AM
Room: Clones (Live 4, Simul 5, 6, 7, 8, 9)