The Big Fix 24 Hour Livestream Recap

About a week ago, there was a great 24-hour The Big Fix livestream, and I have decided to recap the sessions and talks because they were so great. It was like a 24-hour marathon of insightful presentations and inspiring speakers. I stayed up for the whole session and then crashed for the longest nap I have ever had.

The Big Fix

Let’s first introduce The Big Fix itself. The Big Fix is an online event where all the security-minded people combine their strengths in order to fix vulnerabilities in open (and closed) software. Over the past three weeks, we have fixed nearly 250 000 vulnerabilities, which is amazing!

The Big Fix runs from February 14th to March 14th.

24 hour livestream

The day was filled with fun segments and amazing speakers that inspired us all on our fixing journey. The schedule was split into three parts: “Good morning APJ”, “Hello, EMEA” and “Howdy AMER”. These are the links for the recap of each and every session. All the times are in CET.

| Time | Session | Speaker |
|---|---|---|
| 01:00 AM | Welcome to the Big Fix | Vandana Verma Sehgal |
| 01:15 AM | CycloneDX | Steve Springett |
| 01:50 AM | Learnings from Code Vigilant | Anant Shrivastava |
| 02:20 AM | Essential ingredients for an effective security program: A recipe for success | Michael Natkin (Torq) |
| 02:50 AM | Full-stack software engineer and CTO at DivX | Yuya Tajima |
| 03:30 AM | Toolbox Turmoil – Getting More Value From AppSec Scanners | Josh Grossman (Bounce Security) |
| 04:15 AM | OWASP ZAP | Simon Bennetts |
| 05:30 AM | ServiceNow Security with Karl | Karl Klaessig |
| 06:00 AM | Security with Soumen | Soumen Mukherjee |
| 06:30 AM | Shift Left Isn’t What You Expected | Chen Gour Arie (Enso) |
| 07:10 AM | Vulnerability Reporting and Re-validation | Aditya Shende |
| 07:30 AM | Secure Code Review for Hackers | Kayla Underkoffler |
| 08:00 AM | Streamline Security With Shift Left – A Cloud Approach | Avinash Jain |
| 08:35 AM | DevSecOps in Cloud | Ashish Rajan |
| 09:10 AM | The Big Fix Livestream Sun Rises in EU | Brian Vermeer & Sonya Moisset |
| 09:30 AM | Developer Education: the lack of security education | Michael Biocchi |
| 10:20 AM | This Week in Vuln DB: The Big Fix Edition | Brian Vermeer & Sonya Moisset |
| 11:05 AM | Tools to help keep your dependencies up to date | Marit van Dijk (JetBrains) |
| 11:50 AM | Improving DevSecOps Collaboration | Robin Wyss (Dynatrace) |
| 00:25 PM | NGINX RCE 0-day | Timo Stark (f5) |
| 01:30 PM | Image security hardening | Rachid Zarouali (Sevensphere) |
| 02:15 PM | DevOps, Security, and Open Source Software | David A. Wheeler (Linux Foundation) |
| 02:50 PM | Building Secure HTTPS Gateways for Java Applications | Ana-Maria Mihalceanu (Oracle) |
| 03:35 PM | How Vulnerability Management Scales from SMB to MM to Enterprise | Vania Xu and Rob Picard |
| 04:00 PM | Path Traversal attacks | Liran Tal |
| 04:40 PM | Crypto-jacking vs Cryptomining: Detecting the Indicators of Compromise in Kubernetes | Nigel Douglas (Sysdig) |
| 05:05 PM | Good Morning AMER | Brian Clark & Eric Smalling |
| 05:15 PM | Overcoming AppSec Testing Challenges: What to Focus On | Vitaly Unic (BrightSec) |
| 06:00 PM | Avoiding footguns in your payments stack | Paul Asjes (Stripe) |
| 06:30 PM | Policy Enforcement of Kubernetes Best Practices | Carlos Santana & Doruk Ozturk (AWS EKS) |
| 07:15 PM | Networking as Code: From Metal to Mesh, and everything in-between | Marino Wijay (Solo.io) |
| 07:45 PM | Exploring processes via procfs | Joshua Rosso (Arctir) |
| 08:15 PM | Tips and tricks to prioritize Snyk Open-Source findings so developers can focus on what matters most | Chris Walz (Atlassian) |
| 08:40 PM | How not to build an AppSec Program | Declan O’Donovan (Morgan Stanley) |
| 10:00 PM | Policy and Standards | KC Thomas |
| 10:30 PM | How to Scale Security + Increase Developer Productivity | Krishna Patel (Slack) & Randall Degges |
| 11:00 PM | Securing Microservices in a Service Mesh Environment: A Zero Trust Approach | Viktor Gamov (Kong) |
| 11:30 PM | Dude That’s Not My Car! Putting out a BOLO on BOLA | Scott Gerlach |
| 12:00 AM | The Big Fix-athon Wrap Up | Randall Degges |

Welcome to the Big Fix

Vandana Verma

There is no one better to kick off the livestream than Vandana Verma. Vandana is the Security Solutions leader at Snyk, an Indian OWASP member, and a seasoned information security professional with 16+ years of experience. She frequently hosts the DevSecOps community livestreams, and it’s thanks to her that the community is as great as it is.

CycloneDX

Steve Springett

Steve educates teams on the strategy and specifics of developing secure software. Steve’s passionate about helping organizations identify and reduce risk from the use of third-party and open source components. In his talk, Steve introduced us to CycloneDX, which is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.

Learnings from Code Vigilant

Anant Shrivastava

Anant Shrivastava is the founder of Cyfinoid, and he has been doing a lot of work in the DevSecOps area. His talk about developers and security was quite insightful, and what I really enjoyed was the fact that he spoke from his own experience in the industry.

Essential ingredients for an effective security program: A recipe for success

Michael Natkin

Michael Natkin, a Senior Security Architect at Torq, has more than 30 years of experience supporting organizations ranging from telco to big pharma. His talk about creating an effective security program was just a delight to listen to. He has a captivating voice that can turn a regular presentation into a magical one.

Full-stack software engineer and CTO at DivX

Yuya Tajima

Yuya Tajima is one of my fellow Snyk Ambassadors. He is a full-stack software engineer and the CTO of DivX, Inc., and he is on a mission to support the improvement of security for all developers!

Toolbox Turmoil – Getting More Value From AppSec Scanners

Josh Grossman

Josh Grossman has been a developer and security specialist, and now he is the CTO of Bounce Security. He is also one of the chapter leaders for OWASP. In his talk about AppSec scanners, he highlighted all the aspects one should consider when choosing a scanner.

OWASP ZAP

Simon Bennetts

Simon Bennetts is the OWASP ZAP project lead. ZAP is an open source tool for finding vulnerabilities in web applications. It can be used as a manual pen testing tool or it can be automated. In his talk, Simon introduced us to the tool, and if you are a web developer, add this session to your “must watch” list.

ServiceNow Security with Karl

Karl Klaessig

Karl Klaessig is the director of product marketing for Security Operations at ServiceNow. He has more than 15 years of experience in the product positioning and marketing of enterprise security platforms, including SIEM, SOAR, and endpoint technologies. In his talk, he shared his opinion on SIEM and SOAR. As a person who is currently learning more about these topics, I found his talk quite valuable.

Security with Soumen

Soumen Mukherjee

Soumen Mukherjee is one of my fellow Snyk Ambassadors. He is a Senior Cloud Security Architect at Barco. In his free time, he enhances his security awareness by reading books, in addition to helping others on Stack Overflow. There is a reason why I accidentally called him “Showman” instead of “Soumen” once. He really can turn almost every talk into a show. In his talk, he summed up a lot of content about The Big Fix!

Shift Left Isn’t What You Expected

Chen Gour Arie

Chen Gour Arie is the Chief Product Officer and Co-Founder of Enso Security. With over 15 years of hands-on experience in cybersecurity and software development, Chen has demonstrably bolstered the software security of dozens of global enterprise organizations across multiple industry verticals. In his talk, he covered what you can do to shift left and some of the success stories, as well as some of the obstacles one can encounter when trying to adopt “shift left”.

Vulnerability Reporting and Re-validation

Aditya Shende

Aditya Shende, also known as “Kongsec,” is a bug bounty hunter and trainer. He is mostly into offensive cybersecurity and bug hunting. He walked us through his story and shared some insights on what bug bounty hunters actually do. Because we are currently reading “Bug Bounty Bootcamp” in our DevSecOps Book Club, this session was quite insightful for me.

Secure Code Review for Hackers

Kayla Underkoffler

Kayla is a Senior Security Technologist with HackerOne and is currently the team lead for the open-source bug bounty program, the Internet Bug Bounty. Her prior experience includes 4 years as a United States Marine in the Quantico Marine Corps Band, after which she left active duty to pursue a career in cybersecurity; she has since served as a vulnerability management, policy and strategy lead. In her talk, she introduced us to the bug bounty program run by HackerOne. I like that she mentioned the fact that we need more developers who can put on the hacker hat from time to time.

Streamline Security With Shift Left – A Cloud Approach

Avinash Jain

Avinash Jain, also known as “logicbomb,” is a Security Engineer working at Microsoft. He has an extensive history of building security into startups, and he is a regular speaker at various events. In his talk, he showed us how to use cloud-native tools in order to shift left in the CI/CD pipeline.

DevSecOps in Cloud

Ashish Rajan

Ashish Rajan is the host of the wildly popular Cloud Security Podcast, a CISO, a cyber security influencer, and a SANS trainer. In his talk, he explained the term DevSecOps and put it in the context of the “Cloud Security Life Cycle”. He also highlighted some of the best practices. I would recommend his presentation to everyone who wants to step into this field.

The Big Fix Livestream Sun Rises in EU

Brian Vermeer
Sonya Moisset

With the sun rising in EU, Brian and Sonya (and Patch) took over the stream! Brian is a Developer Advocate for Snyk, a Java Champion, and a Software Engineer with over a decade of hands-on experience in creating and maintaining (web) applications. Sonya is a Senior Security Advocate at Snyk, a GitHub Star, a Women in Tech/Cyber Mentor and is considered one of the Top 30 Women of Influence in Cyber.

Developer Education: the lack of security education

Michael Biocchi

Michael has been in academia for a long time, and about a year ago he joined Snyk and the Snyk Learn team. He and his co-workers released the amazing Snyk Learn materials, which are great for educating developers about security. In his talk, he brought up the lack of cybersecurity in most academic programs. It was one of the most insightful talks I have listened to in the past couple of days.

This Week in Vuln DB: The Big Fix Edition

Brian Vermeer
Sonya Moisset

Sonya and Brian showed us a couple of vulnerabilities from the Snyk Vulnerability Database in a live hacking/pentesting session.

Tools to help keep your dependencies up to date

Marit van Dijk

Marit van Dijk is a Developer Advocate at JetBrains. She is a software developer with 20 years of experience in different roles and companies. In her talk, she described some of her experience with tools that can help you keep your dependencies up to date.

Improving DevSecOps Collaboration

Robin Wyss

Robin Wyss is a Lead Solutions Engineer at Dynatrace. In his talk, he emphasised the need for collaboration between the parties involved in the DevSecOps SDLC.

NGINX RCE 0-day

Timo Stark

Timo Stark works as a Principal Technical Product Manager at f5. He has been a computer and web enthusiast for more than 15 years. He walked us through last year’s NGINX zero-day vulnerability and explained what the term “zero-day” means.

Image security hardening

Rachid Zarouali

Rachid is my fellow Snyk Ambassador, and he is a freelance Cloud Architect passionate about cybersecurity and everything related to cloud architecture. He founded SevenSphere, a company offering training and consulting. In his talk, he showed us how to harden our images. A very practical presentation that was a delight to listen to.

DevOps, Security, and Open Source Software

David A. Wheeler

David A. Wheeler is the Director of Open Source Supply Chain Security at the Linux Foundation. He is an experienced practitioner and researcher skilled in supply chain risk management (SCRM). In his talk, he covered the security aspects of open source software and introduced us to a concise guide for developing more secure software.

Building Secure HTTPS Gateways for Java Applications

Ana-Maria Mihalceanu

Ana works for Oracle as a senior developer advocate. She is a Java Champion and a co-founder of the Bucharest Software Craftsmanship Community. In her talk, she gave us a hands-on experience on how to build secure HTTPS gateways in Java applications. The session is full of insightful conversations between her and Brian, who is also a veteran in the Java area.

How Vulnerability Management Scales from SMB to MM to Enterprise

Vania Xu
Rob Picard

Vania Xu is a Senior Product Manager at Vanta. Rob is a Security Lead at Vanta. Vanta helps companies scale their security practices and automate compliance with the industry’s most sought-after standards. In their talk, you will learn how vulnerability management can scale pretty quickly.

Path Traversal attacks

Liran Tal

Liran Tal is a Director of Developer Advocacy at Snyk and a GitHub Star. He is passionate about open-source software, and he has written multiple security books. In his session, he walked us through a path traversal attack with a hands-on example.

Crypto-jacking vs Cryptomining: Detecting the Indicators of Compromise in Kubernetes

Nigel Douglas

Nigel Douglas is a Technical Marketing Manager at Sysdig. In his talk, he introduced us to the interesting world of crypto-jacking and cryptomining.

Good Morning AMER

Brian Clark
Eric Smalling

Another 8-hour shift is over, and Brian and Eric took over. Brian and Eric are both Senior Developer Advocates at Snyk.

Overcoming AppSec Testing Challenges: What to Focus On

Vitaly Unic

Vitaly is the Head of AppSec Research at Bright Security. In his talk, he covered all the obstacles and difficulties one might encounter when performing security testing. I quite enjoyed his storytelling approach.

Avoiding footguns in your payments stack

Paul Asjes

Paul Asjes is a Developer Advocate at Stripe. In his talk, he highlighted several footguns you should be aware of when your application is dealing with payments.

Policy Enforcement of Kubernetes Best Practices

Carlos Santana
Doruk Ozturk

Carlos is a worldwide container specialist at AWS. Doruk is a passionate solutions architect at AWS. They are both passionate about Kubernetes and shared some of the best practices for k8s.

Networking as Code: From Metal to Mesh, and everything in-between

Marino Wijay

Marino is a Developer and Platform Advocate at Solo.io. He is an Ambassador at EddieHub and he runs the project 70DaysOfServiceMesh. In his talk, he introduced us to the concept of networking as code. I quite like his way of explaining the problematic aspects.

Exploring processes via procfs

Joshua Rosso

Josh Rosso is a Co-Founder of Arctir. In his talk, he introduced us to procfs with some hands-on examples.

Tips and tricks to prioritize Snyk Open-Source findings so developers can focus on what matters most

Chris Walz

Chris is a Senior Security Engineer at Atlassian. He shared with us how Atlassian included Snyk in their Product Security program.

How not to build an AppSec Program

Declan O’Donovan

Declan O’Donovan leads Security Architecture, Identity and Access Management at E*TRADE. In his talk, he shared some of the anti-patterns he encountered while building AppSec programs.

Policy and Standards

KC Thomas

KC is my fellow Snyk Ambassador. She drives security-focused, proactive organizational change while managing upwards and collaborating with development teams. Her general interests include security operations, cloud security, DevSecOps, threat hunting and penetration testing. In her session, she discussed everything around policies and standards. The session was more of a discussion rather than a presentation, which I personally enjoyed more.

How to Scale Security + Increase Developer Productivity

Krishna Patel
Randall Degges

Krishna Patel is a Partner Engineer at Slack. Randall leads the DevRel and Community team at Snyk. Randall talked about how to scale security with Snyk, while Krishna explained how to increase developer productivity. Both of them drew on their own experience, which was quite insightful.

Securing Microservices in a Service Mesh Environment: A Zero Trust Approach

Viktor Gamov

Viktor Gamov is a Developer Advocate at Kong Inc. He often speaks at conferences, he is an author and a Java Champion. In his presentation, he showed us how to secure microservices in a service mesh.

Dude That’s Not My Car! Putting out a BOLO on BOLA

Scott Gerlach

Scott Gerlach is a Co-Founder and CSO at StackHawk. His presentation about finding broken object level authorization had the best title! He spoke about things that you cannot find easily with SAST/DAST tools, such as HTTP headers.

The Big Fix-athon Wrap Up

Randall Degges

My boy Randall wrapped up the whole stream with a live demo of how to fix a vulnerability in an open source project. Thanks a lot to everyone who participated in this great 24-hour livestream!

If you have read so far, you might want to follow me here on Hashnode. Feel free to connect with me over at LinkedIn or Mastodon.