Risk Prioritization With SAST/DAST Symbolic Execution
Susan Farrell
S4x24 - ICS Security Conference · Day 2 · Stage 3
In an era of unprecedented cyber threats, organizations grapple with an overwhelming volume of newly discovered vulnerabilities, making effective patch prioritization a critical challenge. Susan Farrell's talk at S4 addresses this pervasive problem and highlights its sheer scale: over 26,000 vulnerabilities were discovered in 2023 alone, leaving organizations with extensive backlogs of unpatched systems. The conventional approach of linking asset inventories to published CVEs often falls short of providing the certainty needed to prioritize high-risk vulnerabilities effectively.
AI review
This talk presents a groundbreaking, DARPA-funded approach to vulnerability risk prioritization using hybrid static-to-dynamic symbolic execution on binary firmware. It directly addresses the critical challenge of securing embedded devices and COTS products without source code, offering a path to identify and verify zero-day vulnerabilities with a high degree of certainty. This is a game-changer for defenders in critical infrastructure.