The term "shift left" has been around for a long time, but there are few cases where it is actually being put into practice. One of the reasons for this is that there are too many vulnerabilities detected, and even if security champions are assigned, they cannot be easily addressed. In addition, the CVSS severity output by many scanners does not provide a risk assessment by itself, and it is also pointed out that it is difficult to focus on vulnerabilities that actually need to be addressed. In this session, we will explain risk-based vulnerability triage and LeanSeeks, which realizes its automation, with a demonstration.

Dealing with the ever-increasing number of vulnerabilities these days has reached a level where even having a security champion on the development team won't cut it. We often hear that new vulnerabilities are detected every day even in systems that are in operation, and that it takes time to consider the need for countermeasures, which hinders the original work. While it is difficult to deal with all vulnerabilities, triage work to narrow down which vulnerabilities to deal with is a very important point. In some cases, the severity of the CVSS (Common Vulnerability Scoring System) is used for judgment, but it has also been confirmed that vulnerabilities with relatively low severity are used in attacks, and the criteria for determining how triage should be carried out. There are many scenes where you get lost. In this session, we will explain the concept of risk-based vulnerability triage and introduce a solution that automates the work.