State of Attack Surface Elimination in a World Plagued by Vulnerable Software

CVE/FIRST VulnCon 2025 · Main Stage

In an era defined by an exponentially expanding threat landscape, the talk "State of Attack Surface Elimination in a World Plagued by Vulnerable Software", delivered by Mayur and Goro at VulnCon, presents a critical examination of current vulnerability management paradigms and introduces a groundbreaking approach to identifying and mitigating security weaknesses effectively. Mayur, who leads both the detection and mitigation teams at Qualys, and Goro, a key member of the mitigation team, bring extensive practical experience to the systemic challenges organizations face in securing their digital assets.

AI review

Mayur and Goro present Veda, a binary analysis system from Qualys that uses feature extraction and fine-tuned LLMs to detect vulnerabilities independently of version metadata. The core idea is legitimate and the problem statement is well articulated: version-agnostic binary vulnerability detection is a real gap, EOL software is a genuine pain point, and the Log4j/XZ examples are apt illustrations. But the talk lands closer to a 'promising internal R&D demo' than to 'here's a system you can evaluate, reproduce, or pressure-test.' The demos show Shellshock detection at 100% confidence on a…
