CloudNativeSecurityCon North America 2023

In October, the OpenSSL team found a critical vulnerability in an open source library used by millions. They warned that they would disclose the bug and release patch a week later. Their early warning and quick resolution were commendable, but in the intervening days a flurry of speculation and concern set the blogosphere ablaze and Twitter atalking. On release day, some websites promising to report details of the vulnerability struggled to keep up with the traffic as herds of security specialists, developers, and sysadmins-turned-devops-turned-platform-engineers refreshed the page in anticipation.  When details became available, many of us started to threat model the bug, evaluating how it might be used to harm our sytems. And most of us came to the same conclusion: it couldn't. The panic subsided, and the distraction arguably cost more than an exploit could have.  In this talk, Shane will summarize the vulnerability and some of his team's efforts to prepare for and respond to it, then consider lessons learned from the experience. Attendees will hear suggestions for implementing strong security programs that allow rapid evaluation and response to supply chain threats so they can be prepared for the next vulnerability, whether it turns out to be a major risk or none at all.