Security Conference, 50 min
From Vulnerability to Victory: Mastering the CVE Lifecycle for Java Developers
This session provides Java developers with a comprehensive understanding of the CVE lifecycle, including how vulnerabilities are discovered, scored, and disclosed. It covers key vulnerability databases and the security tools that use them, offers practical strategies for remediation and automated dependency management, addresses resolving transitive dependency conflicts in build tools like Maven and Gradle, and discusses approaches to framework end-of-life scenarios. The goal is to empower developers and technical leads to manage security effectively and turn it into a competitive advantage.
Anthony Dahanne, HeroDevs
Wednesday, October 8, 16:40-17:30
Room 7
This session demystifies the CVE lifecycle for Java developers.
We'll explore how vulnerabilities are discovered, scored via CVSS, and disclosed through responsible processes.
You'll learn about major vulnerability databases (NVD, GitHub Advisory, OSS Index), their differences, and which security tools rely on each source.
The practical half equips you with remediation strategies using automated tools like Dependabot, Renovate, and IDE integrations.
We'll tackle the challenge of transitive dependencies in Maven and Gradle with hands-on techniques for resolving conflicts.
Finally, we'll discuss framework (Spring, Quarkus, etc.) end-of-life situations and the options available when a framework stops receiving security fixes.
Walk away understanding the vulnerability ecosystem end to end, and able to implement automated dependency updates in CI/CD pipelines, resolve dependency conflicts, and take a pragmatic approach to framework EOL scenarios.
This talk transforms security from a burden to a competitive advantage for intermediate developers, DevOps engineers, and technical leads working with Java applications.
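One concrete form the transitive-dependency problem takes: a direct dependency pulls in a library at a version a scanner flags, and Maven's nearest-wins resolution keeps picking that version no matter what you declare elsewhere. As an added example, not part of the talk or the speaker's material, the following pom.xml fragment shows the standard Maven answer. The artifacts `com.example:web-client` and `com.example:parser-lib` and the versions are hypothetical; a `dependencyManagement` entry forces the transitive `parser-lib` to a patched version, and the Maven Enforcer Plugin's `bannedDependencies` rule makes the build fail if an older version is ever pulled back in by another path.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-service</artifactId>
  <version>1.0.0</version>

  <!-- Forces the version of parser-lib wherever it appears in the graph,
       including transitively under web-client. This beats Maven's
       nearest-wins resolution, which an <exclusion> alone does not. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.example</groupId>
        <artifactId>parser-lib</artifactId>
        <version>2.4.1</version> <!-- hypothetical patched version -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Hypothetical direct dependency that declares parser-lib 2.3.0 -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>web-client</artifactId>
      <version>5.2.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Guardrail: fail the build if any path still resolves a
           parser-lib older than 2.4.1 (e.g. after someone adds a new
           dependency that drags an old version back in). -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <id>ban-vulnerable-parser-lib</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <!-- version range: anything below 2.4.1 -->
                    <exclude>com.example:parser-lib:[,2.4.1)</exclude>
                  </excludes>
                  <searchTransitive>true</searchTransitive>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Check the result with `mvn dependency:tree -Dverbose -Dincludes=com.example:parser-lib`, which prints only the paths leading to that artifact and annotates the override as "version managed from 2.3.0". The caveat a scanner will not tell you: forcing a version only helps if the patched release is API-compatible with what `web-client` was built against, so run the test suite after the override rather than trusting a green build. Gradle users get the same effect with a `constraints` block in `dependencies`, and Gradle's `because("...")` lets you record the advisory that motivated the pin.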
Anthony Dahanne
Software developer for 15+ years; my favorite topics are containerization (Docker and Kubernetes), building tools, Continuous Integration and, of course, core Java development.
Having recently joined HeroDevs, I work on patching and releasing EOL OSS Java and Spring projects.
I'm also a maintainer of the Paketo Java buildpacks.
In my spare time, I work on various open source projects: from Mastodon bots written in NodeJS or Go, to Android apps!