1. Introduction (5 minutes)

Explain the importance of visibility into what software components exist in your environment. We will discuss a few examples of recent vulnerabilities for which detection of the vulnerable component has proven to be especially challenging.
Explain how vulnerability scanners and SCA operate, and what their limitations are.
Specifically, we will highlight the fact that two separate processes have to take place for an SCA tool or vulnerability scanner to correctly report on existing vulnerabilities:
- Identification of existing components
- Mapping the identified components to vulnerabilities using the relevant security advisories.

Suboptimal performance in any of these stages will result in misidentifications whether false positive or false negative results.
So if you think about it, every scanner/SCA tool is also an SBOM tool. And the quality of its results is highly affected by the quality of the SBOM it is able to generate.

1. Evaluation method (5 minutes)
   In this section, we will explain how the research was conducted and the results were measured. We will explain the concepts of precision, recall, and F1-score that will be used throughout the talk to measure the different scanner's performance.

2. Present and discuss the results (10 minutes)

We will present a performance evaluation of 10 popular open-source and commercial scanners and delve into the huge variability in results across the different environments scanned (20 popular open-source containers and multiple base OS images from various cloud providers). we will explore the root causes we identified for the missidentifications discovered in the research (both false-positive and false negative results). Examples include: packages installed not via package managers, reliance on CPE (common platform enumeration), inaccurate/obsolete security advisory data, package and version identification errors, ignoring environment context, flagging kernel vulnerabilities in a container without taking into account the kernel version running on the host, and more.

1. Hidden vulnerabilities (15 minutes)

In this section, we will deep dive into the concept of hidden vulnerabilities, which are known vulnerabilities that due to the inherent method of operation of vulnerability scanners and SCA tools remain invisible in a vulnerability scan.
We will show how wide this phenomenon is and discuss multiple common real-world scenarios, build and deployment practices that can unknowingly cause blindspots for security tools.

We will then provide examples of critical hidden vulnerabilities we identified in popular open-source applications and demonstrate how they can be exploited while remaining undetected in vulnerability scans.

Present the research outcomes: we have opened dozens of issues and notified the vendors of the different inaccuracies accounting for over 1000 unique CVEs either falsely identified or missed, some of the issues were already addressed.

1. Final Notes (5 minutes)
   In this section, we will review the challenges presented in the talk and offer recommendations for both developers as well as security practitioners as to how to address them.
   We will also call for vendors and maintainers to take these inherent gaps into account and implement logic that will be able to detect such vulnerabilities going forward.

2. open the floor for questions/discussion (5 minutes)