James Scott
Endor Labs, Product
Jamie Scott, CISSP, CCSP is a recovering cybersecurity practitioner turned product manager building the next generation of dependency management solutions at Endor Labs. Previously Jamie was Product Manager at Redis and StackRox (Acquired by Red Hat in Feb 2021) where he was an open source contributor and leader for both projects. Jamie remains an active contributor to the cybersecurity community as co-author and contributor to several benchmarks as a volunteer consultant for the Center for Internet Security.
Fix is the real F-word: Why Finding Is Easy But Fixing Is Hard
Open-source vulnerabilities are a constant challenge, but fixing them isn’t as simple as just applying an update. In reality, security patches often introduce breaking changes, trigger dependency conflicts, or disrupt legacy systems in ways that teams don’t anticipate. We’ll discuss strategies to manage these challenges so that the fix doesn’t become a source of frustration—the "F-word" that no one wants to say.
In this talk, we’ll explore why vulnerability remediation is harder than it looks, breaking down real-world examples of how upgrades go wrong. From API deprecations to misleading semantic versioning, we’ll highlight common pitfalls that make security fixes riskier than expected. We’ll also dive into transitive dependencies—one of the biggest hidden pain points in modern software development—and how they complicate even straightforward updates.
But fixing vulnerabilities doesn’t have to be a nightmare. We’ll discuss practical strategies for tackling remediation more effectively, including when to backport patches, how to handle dependency overrides, and ways to document unresolved risks without creating panic. We’ll also cover frameworks for prioritizing fixes, improving security-development collaboration, and leveraging testing as a safety net.
Attendees will leave with a better understanding of why fixing security issues is so difficult—and, more importantly, how to make the process smoother, reducing friction and wasted effort along the way.
How to sell your soul, err, your security program
Security has a branding problem. We're the "department of no," a cost center, the team leadership side-eyes when budgets get tight. But it doesn't have to be this way. Want to sell your security program more effectively? Learn from marketing. It's time to steal a page from their playbook and start selling security like it's the hottest product.
Marketers sell the business by deeply understanding their buyers – their hopes and woes – and designing programs that appeal to their needs. They also demonstrate that marketing is a valuable investment. This session will show you how to use marketing skills to change perceptions of your security program, get more buy-in, challenge assumptions, and prioritize effectively.
Great marketers get inside buyers' heads, craft resonant messages, and prove ROI. Security teams need to do the same. If you want leadership to take security seriously, stop selling fear and start selling value.
You'll learn how to:
- Understand your stakeholders like a marketer. Want a DLP control? Figure out what keeps Sales up at night. Pushing AppSec? Understand how developers ship code.
- Craft messages that make people care. Security wins aren't just about reducing risk—they're about accelerating the business. Learn how to frame security to get execs nodding.
- Align security with the metrics that matter. Leadership cares about shipping faster, reducing costs, and staying out of the headlines. Speak their language, and you'll get budget.
Security's value depends on buy-in. Sell it right, and you won't just keep your budget—you might even grow it.
The SCA Balancing Act
Software Composition Analysis (SCA) is among the most foundational approaches to application security. Understanding known vulnerabilities, along with the leading and lagging indicators of risk, is among the most widely leveraged security controls in industry. There are three major types of SCA: runtime SCA, manifest-scanning SCA, and build/install-time SCA with and without program analysis. Each approach comes with hidden costs and its own pros and cons. This session will explore not only the hidden costs, pros and cons of each, but explain why they exist. We will round out with effective practices, the classes of vulnerabilities each approach covers, and things to avoid with each approach. Everyone has heard that there is a panacea for managing risk in software composition analysis. You see this in marketing every day. This nirvana is a lie. But there could be a nirvana for you in your context. This talk explores the spectrum of trade-offs that exist.
The Risks of Reuse: OWASP Top 10 Risks for Open Source Software
While known vulnerabilities and out-of-date components seem like the obvious risks, OSS carries several other key risks that should be considered as well.
In this talk, we will cover the Top 10 OSS Risks. This includes common considerations such as known vulnerabilities and unmaintained or outdated software but also other key risks such as the compromise of a legitimate package, license risks, and excessive use of dependencies.
This talk will feature the Top 10 OSS Risks (https://owasp.org/www-project-open-source-software-top-10/) and include examples and case studies of notable OSS incidents tied to the risks discussed. It will also provide actionable takeaways for security and technology leaders to equip them to securely consume and utilize OSS in their enterprise environments and software/products while mitigating some of the most relevant risks associated with OSS.
The Fixer's Dilemma: Since Finding Vulnerabilities is the Easy Part
Why does a “simple upgrade” so often take so long, and why is it so hard to get development teams to do it? Here’s a tip: it's not always your company's process that is the problem. Security practitioners often understand what needs to be fixed but struggle to appreciate why fixing it can derail timelines and burn developer hours. This beginner-to-intermediate workshop is your chance to step into a developer’s shoes and gain firsthand experience in remediating known vulnerabilities in open source software, so that you can better partner with your dev teams and help your org address more issues, faster.
Participants will face real-world scenarios across Java and Python ecosystems, gaining first-hand experience of the obstacles developers tackle regularly.
Through live demonstrations, interactive discussions, and guided exercises, we’ll simulate project-based challenges—walking into unfamiliar, legacy codebases and working through realistic constraints to remediate vulnerabilities.
The Dark Side of Open Source Productivity
There is a dark side to productivity with open source. In modern applications, the majority of the code on which an application is built isn’t code written by your team. Modern applications are built on the backs of volunteer communities and open-source software. These volunteers and their software delivery practices all become potential attack vectors. The truth is that most organizations do not factor open-source supply chain attacks into their threat models today. Security incidents such as the Codecov bash uploader script compromise, the intentionally introduced malicious commits in the npm colors and faker packages, and the recent PyPI backdoors targeting AWS credentials highlight the impact of supply chain attacks as a scalable attack pattern.

To spread awareness of supply chain attacks so that organizations can handle them at scale, we propose baking supply chain attacks into existing threat modeling procedures and software development culture, so that organizations can champion supply chain management of open source in the place where it is most impactful: at development time. We will present a comprehensive, comprehensible, and technology-agnostic taxonomy of attack vectors, created on the basis of hundreds of real-world incidents and validated by experts in the domain. We will then discuss the types of defenses you can put in place to detect and respond to such modern-day attacks, and how you can work these defenses in based on your program’s maturity.