2025-11-17 – Westin, Munich
The global vulnerability disclosure ecosystem is in a state of flux. With the US-centric CVE program facing funding challenges and the NVD grappling with persistent backlogs, traditional intelligence sources are under immense strain. This talk will dissect these critical issues and their direct impact on AppSec professionals, who are increasingly challenged by the need for accurate prioritization and timely responses. We will then pivot to explore the rising influence of global players, such as ENISA, and other alternative vulnerability databases, analyzing their strengths, weaknesses, and the implications of this fragmented landscape. Attendees will leave with actionable strategies to diversify their intelligence sources, prioritize effectively beyond raw scores, and leverage new tools to build more resilient AppSec programs in this evolving environment.
The vulnerability landscape is undergoing a significant transformation, creating urgent challenges for cybersecurity professionals, particularly those in AppSec. This session, "Navigating the Volatile Vulnerability Landscape: Strategies for AppSec Resilience," provides a critical and timely examination of these shifts.
We begin by dissecting the current state of the US-centric vulnerability intelligence infrastructure. This includes a deep dive into the CVE program's recent funding crisis and its observable consequences, such as challenges with vulnerability volume, assignment consistency, and timeliness. We will also explore the persistent backlogs and analysis delays within the National Vulnerability Database (NVD) and how CISA is adapting its role to navigate these gaps. The direct impact on AppSec professionals—increased workload, uncertainty in risk assessment, and struggles with effective prioritization—will be a central focus.
The talk then broadens its scope to the global stage, highlighting the growing influence of ENISA (EU Agency for Cybersecurity) and its strategic importance in Europe. We will compare ENISA's approach to US models and discuss its relevance for European organizations. Furthermore, we'll examine the proliferation of alternative vulnerability databases, including commercial offerings (e.g., Vulners, Recorded Future), open-source initiatives (e.g., OSV.dev, GitHub Advisories), and national CSIRTs. A critical analysis of the strengths and weaknesses of these alternatives will illuminate the implications of a fragmenting vulnerability intelligence landscape.
Finally, the session will empower attendees with concrete, actionable strategies for building resilience. This includes practical advice on diversifying intelligence sources, prioritizing vulnerabilities beyond traditional CVSS scores by leveraging context and exploitability data (like CISA KEV and EPSS), and exploring tools for data aggregation and correlation (e.g., VEX, SBOM integration). We will conclude by looking ahead to the future of vulnerability disclosure, discussing potential reforms, the increasing role of automation and AI, and the emergence of new collaborative models. This talk is essential for any AppSec professional seeking to navigate the complexities of modern vulnerability management and ensure their programs remain robust and effective.
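The prioritization and correlation strategies described above, as an added worked example that is not part of the talk or of any tool it names: it joins several constructed feeds (a CVSS source, an EPSS source, a KEV list, an asset inventory and VEX statements) into one record per CVE, then ranks them so that evidence of exploitation and exposure outrank raw CVSS. The CVE ids, feed values and the tier thresholds (EPSS 0.1, CVSS 9.0) are assumptions chosen for illustration, not values from the talk or from CISA or FIRST.

```python
"""Added example: rank findings by KEV membership, EPSS, exposure and VEX rather
than by CVSS alone. All feeds below are constructed; the CVE ids are placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score (0-10), e.g. from an NVD-style feed
    epss: float            # EPSS probability of exploitation within 30 days (0-1)
    in_kev: bool           # listed in the CISA Known Exploited Vulnerabilities catalog
    internet_facing: bool  # asset context from your own inventory, not from any feed
    vex_status: str = "affected"  # VEX: affected | not_affected | fixed | under_investigation


# Constructed sample feeds keyed by CVE id (placeholders, not real CVEs).
CVSS_FEED = {"CVE-XXXX-0001": 9.8, "CVE-XXXX-0002": 7.5, "CVE-XXXX-0003": 8.1,
             "CVE-XXXX-0004": 10.0, "CVE-XXXX-0005": 5.3}
EPSS_FEED = {"CVE-XXXX-0001": 0.02, "CVE-XXXX-0002": 0.91, "CVE-XXXX-0003": 0.35,
             "CVE-XXXX-0004": 0.80}          # 0005 absent: no EPSS score published yet
KEV_IDS = {"CVE-XXXX-0002", "CVE-XXXX-0004"}
ASSET_CONTEXT = {"CVE-XXXX-0001": False, "CVE-XXXX-0002": True, "CVE-XXXX-0003": True,
                 "CVE-XXXX-0004": True, "CVE-XXXX-0005": False}
VEX_STATEMENTS = {"CVE-XXXX-0004": "not_affected"}  # supplier: vulnerable code path unreachable


def correlate(cvss_feed, epss_feed, kev_ids, asset_context, vex_statements):
    """Join independent sources into one Finding per CVE.

    A CVE missing from the EPSS feed is kept with epss=0.0 rather than dropped,
    so a gap in one source never hides a finding present in another.
    """
    return [
        Finding(cve=cve,
                cvss=cvss,
                epss=epss_feed.get(cve, 0.0),
                in_kev=cve in kev_ids,
                internet_facing=asset_context.get(cve, False),
                vex_status=vex_statements.get(cve, "affected"))
        for cve, cvss in cvss_feed.items()
    ]


def tier(f):
    """1 = act now ... 4 = routine. Observed exploitation outranks raw severity.
    Thresholds (EPSS 0.1, CVSS 9.0) are assumptions for this example."""
    if f.in_kev:
        return 1 if f.internet_facing else 2
    if f.epss >= 0.1:
        return 2 if f.internet_facing else 3
    if f.cvss >= 9.0:
        return 3
    return 4


def prioritize(findings):
    """Drop findings that VEX marks not_affected or fixed, then order by
    tier, then higher EPSS, then higher CVSS."""
    actionable = [f for f in findings
                  if f.vex_status not in ("not_affected", "fixed")]
    return sorted(actionable, key=lambda f: (tier(f), -f.epss, -f.cvss))


if __name__ == "__main__":
    ranked = prioritize(correlate(CVSS_FEED, EPSS_FEED, KEV_IDS,
                                  ASSET_CONTEXT, VEX_STATEMENTS))
    for f in ranked:
        print(f"tier {tier(f)}  {f.cve}  cvss={f.cvss}  epss={f.epss:.2f}  "
              f"kev={f.in_kev}  exposed={f.internet_facing}")
```

Note how the ordering differs from a CVSS sort: the CVSS 7.5 finding that is in KEV and internet-facing ranks first, the CVSS 9.8 finding with negligible EPSS and no exposure drops to the third tier, and the CVSS 10.0 finding disappears entirely because a VEX statement marks the product not affected.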
Vulnerability Management, CVE, Threat Intelligence, Risk Management
Jerry Gamblin is a Principal Engineer in the Threat Detection & Response business group at Cisco Security, where he leads research and data science initiatives to enhance Cisco Security products. He is actively involved in the CVE community, participating in various working groups and serving as a member of the EPSS SIG. He regularly speaks on vulnerabilities and vulnerability management at international conferences and manages a CVE data collection site at CVE.ICU.