2. THERESA MAMMARELLA
• Software Engineer @ IBM
• Eclipse OpenJ9 JVM
• Open source developer, community
member, and speaker
@t_mammarella
linkedin.com/in/tmammarella
3. $8 TRILLION
In 2023, the global annual cost of cyber crime is
predicted to top
Source: Security Intelligence
4. IF CYBERCRIME WAS A
COUNTRY (BY GDP)
China: $14.72 Tr.
Cybercrime: $8.0 Tr.
Japan: $5.06 Tr.
Germany: $3.85 Tr.
United States: $20.89 Tr.
Canada: $1.64 Tr.
Italy: $1.89 Tr.
France: $2.63 Tr.
India: $2.66 Tr.
United Kingdom: $2.67 Tr.
Source: globalpeoservices.com/top-15-countries-by-gdp-in-2022
5.
6. INSIDER THREAT
The potential for an insider to use their authorized access or understand of an
organization to harm that organization
• When an engineer is compromised by outside influence or dissatisfaction
• When an engineer is poorly trained
• When engineers put backdoors into a product
• When remote development systems are not secured or when protections are
removed
• When accounts and credentials for terminated or inactive personnel remain
available.
Source: media.defense.gov/2022/Sep/01/2003068942/-1/-1/0/ESF_SECURING_THE_SOFTWARE_SUPPLY_CHAIN_DEVELOPERS.PDF
22. The Zero Day Window is Closing
Source: Adapted from IBM X-Force / Analysis by Gartner Research (September 2016)
Year of Date Reported
2006 2007 2008 2009 2010 2011 2012 2013 2104 2015
10
20
30
40
50
0
Average
Days
from
Public
Disclosure
to
Exploit
Average
45
15
2017 2019 2021
Struts2
27. MOST OF THESE STORIES
ARE UNTOLD
Jeremy Long, founder of the
OWASP Dependency Check
project speculates that "only
25% of organizations report
vulnerabilities to users, and
only 10% of vulnerabilities are
reported as Common
Vulnerabilities exposure (CVE)."
Sonatype State of the Software Supply Chain Report 2019
29. HOW DO I DISCLOSE A VULNERABILITY IN A
RESPONSIBLE WAY?
• Company website
• Security files on servers
• SECURITY.md
• Github private vulnerability reporting
36. RECAP
• Vulnerability x Threat = Risk
• CVE’s, CVSS, disclosure process
• The Mantra/OWASP Top 10
• Dependency management
• Release speed
• Security champion programs
37.
38. THANK YOU
Longhorn PHP!
• Linux Foundation free course
Developing Secure Software
https://training.linuxfoundation.org/training/devel
oping-secure-software-lfd121/
• OWASP’s list of Free for Open Source
Application Security Tools
https://owasp.org/www-
community/Free_for_Open_Source_Application_S
ecurity_Tools
@t_mammarella
linkedin.com/in/tmammarella
KEEP IN TOUCH: