Security Information Overload

What’s important?

• Is my component exploitable?.

• Is my component an authentic copy?.

  • Do I understand why my component is modified?.

Security information is scattered everywhere

• Multiple sources of security advisories.

  • 80,000+ CVEs in the National Vulnerbility Database.

  • Node Security Project, Metasploit, VulnDB, Snyk, …​

  • Thousands of website security advisories, blogs, tweets, …​

• 600,000 GitHub events generated daily.

  • 700 GitHub security related events.

  • Release notes, change logs, code comments, …​

Summary

• It is not reasonable to expect a developer to continually research each component.

• Developers are not security experts; they already have a day job.