Industry Keynote: Vulnerability Management and Compliance (P11a)
"Certified products do not contain known vulnerabilities" is a common requirement across many regulatory frameworks, including Common Criteria. Because new vulnerabilities are disclosed all the time, this makes the evaluation of complex software products challenging. The question to raise is: do all vulnerabilities pose the same risk? Some vulnerabilities simply don't matter. Shouldn't we focus on the truly harmful and known-exploitable ones? Instead of patching everything, shouldn't we invest in preventing these serious vulnerabilities and raise the overall security of certified products? This talk will cover which kinds of vulnerabilities actually pose risk, and which other areas deserve our focus if we are to reduce risk to national security systems without slowing innovation.