2022-07-25 –, Room 1
Vulnerability Management can be a tedious and time-consuming job of trying to sift through a never-ending stream of new, old or undefined CVEs. It can be challenging to prioritize severity-based SLAs when default assessments are inaccurate: they don’t factor in the criticality of the affected asset, or understand custom infrastructure and existing mitigations and/or gaps. Ultimately, having low confidence in scanning results and reported vulnerabilities leads to alert fatigue and diminishes trust in the security team.
In our talk, we will lay out our team’s approach towards automating vulnerability management for our entirely cloud-based infrastructure and why standard industry approaches were lacking. We will discuss our work on centralizing all vulnerabilities and automating detection, risk assessment, vulnerability reporting, and vulnerability fix verification in a scalable manner. We want to share how we developed internal tooling that allows us to be vendor-agnostic, not rely on default risk severities, and reduce operational work as much as possible.
Keziah Plattner is a Senior Software Engineer at Airbnb. After getting her undergraduate and graduate degrees at Stanford University, she joined Airbnb’s Information Security team. She started in Production Infrastructure Security, and after 3 years, moved to Vulnerability Management. She specializes in using a software engineering mindset to tackle security problems, and has worked on everything from cloud infrastructure security and patch management to the vulnerability management lifecycle. She lives in San Francisco with her partner and two cats and enjoys cooking, video games, and becoming a tarot expert in her free time.
Kadia is currently an Engineering Manager at Airbnb. She started her career in Europe but now calls California home. Kadia has an electrical engineering background and over 10 years of Information Security experience. She has worked with multiple Silicon Valley startups and Fortune 100 companies on reducing security risk. Kadia is now leading an engineering team focusing on vulnerability management, offensive security, and infrastructure hardening.