Give up! Just stop patching vulnerabilities!
2025-05-01, Ballroom (track sponsored by Checkmarx)

Tired of endlessly patching vulnerabilities? It’s time to rethink the game. This talk challenges the reactive approach to vulnerability management and offers actionable strategies for developers to prevent first-party vulnerabilities altogether. By focusing on cultural changes, targeting entire classes of vulnerabilities (like XSS and SQL injection), adopting threat modeling, and rethinking patch cycles for third-party dependencies, you can shift from firefighting to building resilient systems. We’ll even explore modern techniques like ephemeral infrastructure and burn-and-replace methodologies to reduce reliance on traditional patching.


In today’s fast-paced development environments, vulnerability management often feels like a reactive game of whack-a-mole. Developers spend countless hours patching flaws as they emerge, but this approach only treats the symptoms of a deeper issue. In this talk, we’ll explore how to break the cycle by focusing on prevention rather than endless remediation. Instead of chasing down individual vulnerabilities, we’ll discuss how to eliminate entire classes of vulnerabilities, such as cross-site scripting (XSS) and SQL injection, through secure-by-default frameworks, libraries, and targeted development practices.
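The "eliminate the class, not the instance" idea above, as an added example that is not part of the talk or the speaker's material: a small secure-by-default data-access wrapper in Python whose only entry point takes a `Query` with bound parameters, shown beside the concatenation pattern it replaces. The table, its rows and the `SecureByDefaultDB` and `Query` names are constructed for this illustration.

```python
import sqlite3
from dataclasses import dataclass
from typing import Any, Sequence


@dataclass(frozen=True)
class Query:
    """SQL text with bind placeholders; the values travel separately."""
    sql: str
    params: Sequence[Any] = ()


class SecureByDefaultDB:
    """The only way to execute SQL is through a Query object, so
    concatenating user input into SQL is impossible at the API level."""

    def __init__(self) -> None:
        # Constructed sample data for the demo (in-memory SQLite).
        self._conn = sqlite3.connect(":memory:")
        self._conn.execute("CREATE TABLE users(id INTEGER, name TEXT)")
        self._conn.executemany(
            "INSERT INTO users VALUES(?, ?)",
            [(1, "alice"), (2, "O'Brien"), (3, "bob")],
        )

    def run(self, query: Query) -> list:
        if not isinstance(query, Query):
            raise TypeError("raw SQL strings are refused; build a Query")
        return self._conn.execute(query.sql, tuple(query.params)).fetchall()


def find_user_unsafe(db: SecureByDefaultDB, name: str) -> list:
    # The "before": string concatenation, reaching past the wrapper.
    # Even a legitimate name with an apostrophe breaks the statement,
    # which is the same parsing confusion SQL injection relies on.
    return db._conn.execute(
        "SELECT id FROM users WHERE name = '" + name + "'"
    ).fetchall()


def find_user(db: SecureByDefaultDB, name: str) -> list:
    # The "after": the value is bound, never parsed as SQL.
    return db.run(Query("SELECT id FROM users WHERE name = ?", (name,)))


if __name__ == "__main__":
    db = SecureByDefaultDB()
    print(find_user(db, "O'Brien"))  # [(2,)]
```

In a real code base the same effect comes from a framework or ORM whose query API has no raw-string path, plus a lint or review rule that flags any direct use of the underlying connection.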

Cultural shifts are at the heart of this transformation. We’ll talk about how to empower developers to take ownership of security by integrating lightweight threat modeling into their workflows and fostering a mindset that prioritizes prevention. This isn’t about adding more steps to your process—it’s about making security an intrinsic part of how you build software.

Finally, we’ll examine practical strategies for managing third-party vulnerabilities, including smart patching cycles and automation, and introduce modern approaches like ephemeral infrastructure. By adopting a "burn-and-replace" mindset for containers and serverless functions, you can minimize your reliance on traditional patching altogether. If you’re ready to move beyond the reactive and start building secure systems by design, this talk is for you.

Nate Sanders, Senior Manager of Security Engineering & Operations, has spent over 20 years in IT, with more than a decade in Information Security, specializing in infrastructure and application security, as well as vulnerability management. Known in the hacker world as "mauvehed," he’s been gleefully breaking things since the late 1980s, from disassembling his sister’s electronics to uncovering hidden features in software. A self-proclaimed shenanigator and proudly neurodivergent (AuDHD) thinker, Nate blends technical expertise with playful curiosity, proving that breaking things is just another way of learning how they work while pushing boundaries, sharing lessons, and leading with a mischievous streak.