Chaos in User Land - When the Feature is the Vulnerability - Rafal Los

BSides Vancouver | 1:01:06 | Published 2022-07
About this talk
It's happened hundreds of times over the last 20 years. A panic sets over the security community about some major vulnerability - but when investigated we realize that this was a design feature. It happened in Log4j, it's happened in the one-click-buy Amazon had many years ago, and it'll happen again. The classic problem of usability (features) versus security (restrictions) is a battle security professionals have found themselves losing at over and over again. Why? How do we get 'there', and are there any ways to avoid these types of issues? Or is this something that we in security simply need to learn to work with? I'll address this very real problem with 20+ years of experience in my pocket, to provide strategies to identify, address, and triage these situations before they become the next catastrophic vulnerability we can't do anything about.