Hackfest 2024 - 16-bit Edition

Guarding the Gates: Crafting a Resilient Vulnerability Management Program
10-12, 11:00–11:20 (America/New_York), Track 2 (206a)
Language: English

Building a resilient vulnerability management program requires more than just tools and processes; it demands a deep integration with the engineering workflows that define your organization's attack surface. In this session, we will explore how the often-overlooked step of building strong relationships with your engineering teams is crucial to the success of your vulnerability management efforts. By understanding their pain points and aligning your security initiatives with their development processes, you can enhance the effectiveness of your tools, prioritize critical issues, and ultimately reduce your risk. Drawing from real-world experiences at Uber and Gitar, this talk will provide you with actionable strategies to ensure that your vulnerability management program is not just reactive but a proactive force in safeguarding your organization.


Vulnerability management is not just about buying the right tools or following a checklist; it’s about understanding and mitigating risk in a way that’s deeply integrated with how your engineering teams work. In this session, we’ll discuss why the traditional steps of vulnerability management—like inventory, scanning, and reporting—can fall short if they’re not rooted in a strong understanding of your organization’s engineering workflows.

We’ll begin by discussing the most often-missed foundation: building relationships with the people who know your attack surface best.

Through examples like Uber’s PolyglotPiranha tool and Gitar’s automated stale code cleanup, I’ll demonstrate how addressing developer pain points can also solve security challenges, making your program more effective and less burdensome. Whether it’s supporting fix-it weeks, optimizing code bases, or simply understanding what your developers need, you’ll walk away with actionable insights to strengthen your vulnerability management program by first strengthening your relationships.


Are you releasing a tool? – no

Sarina Hothi is the Chief of Staff at Gitar, a seed-stage startup focused on automating code maintenance tasks. With over 10 years of experience in the cybersecurity and tech industry, Sarina has played pivotal roles at companies like Uber and DoorDash, where she worked on building and scaling vulnerability management programs. She holds an MS in Organizational Development, which has equipped her with a unique perspective on the intersection of security and organizational processes.