Trace to Triage: How to Connect Product Vulnerabilities to Security Paths
Ben Stav
BSidesSF 2025 — Here Be Dragons · Day 1 · Main
Application security teams sit on a goldmine of runtime context that could transform how they triage findings — and most of them don't know it exists. Ben Stav from MIGO makes the case that observability tools built for DevOps, specifically profiling and distributed tracing, can answer the critical questions that define whether a finding is a P0 or a backlog item, while also providing the forensic trail needed after an incident.

---
AI review
Stav identified a real, underexploited data source for AppSec triage — OpenTelemetry profiling and distributed tracing — and demonstrated it with a live RCE. The call stack showing `getPersonalizedAd` → `ScriptEngineEval` → `ProcessBuilder.start` as real-time forensic evidence of server-side template injection is exactly the kind of concrete artifact that wins over a skeptical engineering team.
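The triage idea in the abstract and the call-stack evidence in the review above can be shown with a small script. This is an added example, not code from the talk or from MIGO: it takes a constructed set of sampled call stacks in the shape a profiler exports (outermost frame first), ranks scanner findings by whether the flagged function was actually observed reaching a command-execution sink at runtime, and prints the observed path as forensic evidence. The frame names other than `getPersonalizedAd`, `ScriptEngineEval` and `ProcessBuilder.start`, the finding ids, and the sink list are assumptions made for the example.

```python
from collections import Counter

# Constructed sample profile (not real data from the talk): each entry is one
# sampled call stack, outermost frame first, as a profiler might export it.
PROFILE_SAMPLES = [
    ["HttpServer.handle", "AdController.getPersonalizedAd", "ScriptEngineEval", "ProcessBuilder.start"],
    ["HttpServer.handle", "AdController.getPersonalizedAd", "ScriptEngineEval", "ProcessBuilder.start"],
    ["HttpServer.handle", "AdController.getPersonalizedAd", "TemplateRenderer.render"],
    ["HttpServer.handle", "CatalogController.listItems", "Database.query"],
    ["Scheduler.tick", "ReportJob.run", "TemplateRenderer.render"],
]

# Sinks whose presence below a request handler is strong evidence that
# attacker-influenced input reached process execution (assumed list).
COMMAND_SINKS = {"ProcessBuilder.start", "Runtime.exec"}

# Hypothetical scanner findings: (finding id, function the scanner flagged).
FINDINGS = [
    ("F-1", "AdController.getPersonalizedAd"),   # observed reaching a sink
    ("F-2", "ReportJob.run"),                    # runs, but no sink observed below it
    ("F-3", "LegacyController.exportCsv"),       # never appears in any sample
]


def sink_paths(samples, sinks=COMMAND_SINKS):
    """Return every observed stack that reaches a sink, truncated at the sink
    frame, mapped to the number of samples in which it was seen."""
    counts = Counter()
    for stack in samples:
        for i, frame in enumerate(stack):
            if frame in sinks:
                counts[tuple(stack[: i + 1])] += 1
                break
    return counts


def triage(function, samples, sinks=COMMAND_SINKS):
    """Rank a finding on `function` by what the runtime profile shows:
    'P0'      the function was on a sampled stack that reached a command sink
    'review'  the function executes in production, but no sink was seen below it
    'backlog' the function never appeared in any sample (dead or unreached code)"""
    seen = False
    for stack in samples:
        if function not in stack:
            continue
        seen = True
        frames_below = stack[stack.index(function) + 1:]
        if any(frame in sinks for frame in frames_below):
            return "P0"
    return "review" if seen else "backlog"


def triage_all(findings, samples):
    """Map each finding id to its runtime-informed priority."""
    return {fid: triage(fn, samples) for fid, fn in findings}


def forensic_paths(samples, sinks=COMMAND_SINKS):
    """Human-readable evidence lines for an incident write-up: the observed
    path from entry point to sink and how often it was sampled."""
    return [
        " -> ".join(path) + f"  ({n} samples)"
        for path, n in sink_paths(samples, sinks).items()
    ]


if __name__ == "__main__":
    for fid, priority in triage_all(FINDINGS, PROFILE_SAMPLES).items():
        print(f"{fid}: {priority}")
    for line in forensic_paths(PROFILE_SAMPLES):
        print(line)
```

The same logic applies to distributed-tracing spans: replace the sampled stacks with the span tree of a request and the question becomes whether a given request route ever produced a span in which the sink was called, which also tells the responder which external-facing endpoint was involved.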