Wednesday, October 27 • 10:00am - 10:30am
Why the NVD Stinks: Using AI, NLP, and SBOMs to Discover Hidden Vulnerabilities

Most IT and OT practitioners assume that by searching the National Vulnerability Database (NVD), one will find all the vulnerabilities associated with a software product or device. Sadly this is not the case: the NVD is far from a complete set of vulnerabilities, with some sources claiming that 76% of all ICS vulnerabilities are missing from the NVD*. Furthermore, the NVD rarely maps vulnerabilities in software components back to the packages that contain those components, leaving ICS users no means of determining that the software they are deploying is at risk. Finally, mergers and acquisitions mean that the vendor name on the product in use often doesn't match the vendor name seen in the NVD disclosure details or the Common Platform Enumeration (CPE) listing.

This talk will discuss how a variety of Artificial Intelligence (AI) techniques can be used to discover vulnerability associations. Specifically, we will discuss how the combination of Natural Language Processing (NLP), extraction of Merger and Acquisition (M&A) product histories, and Software Bill of Materials (SBOM) analysis can alert both asset owners and suppliers to vulnerabilities hidden deep inside legacy products.

Learning Objectives
  • Understand the scope of the problem of associating component vulnerabilities with products, and why AI is necessary.
  • Learn the different SBOM formats approved by NTIA and how they can be generated for both current and legacy software (when source code is unavailable).
  • Learn how to monitor your software supply chain for components and vendors that are problematic.

Speakers
Eric Byres

Chief Technology Officer, aDolus Technology Inc.
Eric Byres is widely recognized as one of the world’s leading experts in the field of industrial control system (ICS) and Industrial Internet of Things (IIoT) cybersecurity. He is the inventor of the Tofino Security technology – the most widely deployed ICS-specific firewall in...


Wednesday October 27, 2021 10:00am - 10:30am EDT