Varun Badhwar -- The Developer Productivity Tax

21 snips

Oct 10, 2023

Varun Badhwar, a luminary in the cyber security industry, joins Chris and Robert to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The integration of SBOM plus VEX aims to streamline the vulnerability management process, ensuring that only relevant and critical threats are addressed. They also emphasize the importance of 'Scanning with Context' to avoid false positives and irrelevant findings.

Ask episode

Chapters

Transcript

Episode notes

Introduction

00:00 • 2min

The Developer Productivity Tax in Application Security

01:32 • 7min

The Value of CVSS in the Modern World of Application Security

08:39 • 3min

Reachability in Software Applications and the Introduction of VEX

11:51 • 7min

Automating the Generation of VEX Files for Issue Assessment

19:13 • 2min

The Speaker Bill of Materials (SBOM): Benefits and Limitations

21:06 • 18min

Varun Badhwar is a three-time founder, a luminary in the cyber security industry, and a clear communicator. He joins Chris and Robert on the Application Security Podcast to discuss scanning with context, SBOM plus VEX, and the developer productivity tax. The concept of a "Developer Productivity Tax" acknowledges the challenges developers face when bombarded with a plethora of vulnerabilities. This "tax" represents the drain on developers' time and resources as they navigate through a myriad of potential threats, many of which lack actionable context. The inefficiencies arising from this process can lead to significant delays in software development, emphasizing the need for more refined tools and techniques.

A key solution Varun offers is the integration of SBOM plus VEX (Software Bill of Materials with Vulnerability Exploitability eXchange). While SBOM offers transparency by detailing all software components and dependencies, it can be overwhelming due to the sheer volume of potential vulnerabilities it flags. VEX, designed as a companion to SBOM, provides the much-needed context, detailing the applicability, reachability, and availability of fixes for vulnerabilities. This combination aims to streamline the vulnerability management process, ensuring that only relevant and critical threats are addressed.

Lastly, the importance of "Scanning with Context" was emphasized. Traditional vulnerability scanning can often result in a multitude of false positives or irrelevant findings due to the lack of context. The podcast delved into the two primary approaches to contextual scanning: static analysis and runtime analysis. While both methods have their merits, the discussion leaned towards static analysis for its scalability and efficiency. The episode concluded by stressing the need for further research and development in vulnerability annotation to specific code functions, ensuring a more precise and actionable vulnerability management process.

Important Links:

Endor Labs - https://www.endorlabs.com/

Recommended books:

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @AppSecPodcast
➜LinkedIn: The Application Security Podcast
➜YouTube: https://www.youtube.com/@ApplicationSecurityPodcast

Thanks for Listening!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~