All right. Good morning. I'm going to be doing a fair amount of reading from my notes, but just as I said on my wedding day, it's not that I mean the words any less; I just didn't memorize them. My name is Kara. I'm a senior engineering manager from VMware. Ten years ago I was a UI engineer at a startup called DynamicOps, and then VMware bought us and our product became vRealize Automation, which is now Aria Automation, a SaaS version of our infrastructure management tool. We created a world-class user experience for creating cloud templates for the provisioning and management of VMs. Back then we were solving for VMs, but we're now solving for containers, and in the cloud native space I see similar challenges in presenting multi-faceted concepts, and I'm passionate about building API-first, accessible GUIs that help us understand them. There are few spaces more difficult than the security space, and I'd like to take a look at the pain points of CVEs that you, your colleagues, your customers no doubt are living with, and what we can do to alleviate them with a GUI. So right now platform operators are struggling to triage thousands, and depending on the size of your company and the sprawl of the software you're building and securing, tens of thousands of instances of CVEs. They see a wall of critical CVEs in front of them, and as far as they're concerned the house is on fire, and they're not wrong. The risks are incalculable: exfiltration, brand tarnishing, customer data compromise, the list goes on. You wouldn't be at SecurityCon if it weren't worth talking about the things that keep you up at night. What can we do to build a GUI that will help you sleep?
I want to take you through a couple of levels of GUIs to address the needs at some companies. After a platform operator identifies those CVEs they want dealt with, they send them to developers to analyze the risk. So this might look familiar to a bunch of you: the developers run the analysis and determine that they're at low risk for a given CVE, but then the security analysts update the CVE from perhaps high to critical risk, and platform operators throw it back to developers and have them do another analysis of a CVE that they've already done. In addition, security folks are under pressure to generate reports on their compliance with SLAs, escalating risk, and they're playing catch-up. That's pressure; that pressure is sometimes passed along to the devs as well, and the tension is palpable. People can only have their cortisol levels escalated for so long before they just stop caring. So what's the risk of CVE fatigue? Right now you're looking through horizontally scaled logs, exponentially increasing, trying to find patterns in the noise. Your risk is increasing, maximizing the chance that you're going to miss something critical. A GUI can help prioritize work so that critical CVEs don't get dropped, alert when things go sideways, highlight hotspots.
This would be your dashboard GUI, so something that's read-only: give me the highlights, show me something that I can take to my manager. Now a GUI for CVEs and SBOMs is going to run into the same problems that a CLI SIEM tool does, because fundamentally it's a problem of scale. The problem is so big, so deep, so tall. While machines do some things particularly well, humans have a different set of skills that are essential when it comes to assessing these vulnerabilities. We're good at communication, empathy, and deciding what's relevant, and there are going to be some judgment calls that you and your teams are going to have to make. We need the empathy to understand the developer experience and to respond to their exhaustion with representation of the right data at the right level. The vulnerability could be in your binaries, but that binary is sitting inside a highly secure environment, so it's not going to matter or put your business at any risk. Whoops. Apologies. Oh, for goodness' sake. Can't get over my notes. Let's see. Or there's a critical vulnerability in an upstream package and it's overdue. There's no fix upstream; you could fork it and fix it, but what's the cost to the business to mitigate? A GUI that allows us to weigh the potential harm and the risk to the business would let me annotate the CVEs.
I'm really sorry. It would let me annotate the CVEs, and so this is where I need a write view. That write view would allow me to do things like do the shades of risk, and I believe it was John Holland yesterday in his talk from City, where he talked about being able to weigh the pros and cons and put in that human factor. We couldn't do that: not just having a yes and no, but those areas of gray. So once you've done the analysis, you've identified the risk, you've surfaced the change sets of the CVE, you might even have a workable plan for how to deploy it to production. Raise your hand if you've ever found your fix in the middle of the night and then at 8 a.m. the next day you've needed to explain it to someone, only to have that moment of clarity disappear. Anybody lost their moment of clarity? How are you going to share this critical information with your non-security-immersed colleagues? They're the ones who have to decide if they need to pull the alarm. We need something that helps you tell the story. That GUI becomes the central location to collaborate, so that communication bit, that place where cross-functional teams can come together. It's one of the reasons we incorporated Backstage into our platform; it was built to enable a unified interface. This should be the space where I begin to build out a picture of the logical architecture and what tiers are impacted by a given vulnerability. It's where I'll show the service that's at risk and its lead time to change, so that when I make that change I know the sort of impact I'll be imposing on the timeline. And for whatever reason I can't get to the rest of my notes. That's really unfortunate. Something about the presentation mode is making it really difficult.
I'm not sure what's happening there, so in any case, I will just use them from here. So ideally I want that GUI to play nicely with other GUIs, with well-developed, seamless handoffs between their APIs. This will not be the one rule to ring them all, I mean the one ring to rule them all, but it should be both extensible and interoperable with other tools solving adjacent problems, so I can put them in my common sphere of understanding. If you haven't yet considered a GUI tool, now is the time. There are over two million npm modules, npm packages, and a million Go modules and half a million Maven artifacts. We as a community should be building tools that don't require you to be exclusively in the terminal, building that mental model and then having to be the ones that carry the burden of explaining it. To act on vulnerabilities reliably, we need to ensure that we surface them with empathy in a way that is accessible and actionable. Thank you very much.