
Vulnerability Management Lifecycle

Vulnerability Management Lifecycle. Panel Discussion. Panelists: Carole Fennelly (Tenable Network Security), Chris Wysopal (Veracode), Steven Christey (MITRE), Bob Martin (MITRE), HD Moore (Rapid7), Jonathan Klein (Broadridge Financial Solutions).


Presentation Transcript


  1. Vulnerability Management Lifecycle Panel Discussion

  2. Panelists
  • Carole Fennelly - Tenable Network Security
  • Chris Wysopal - Veracode
  • Steven Christey - MITRE
  • Bob Martin - MITRE
  • HD Moore - Rapid7
  • Jonathan Klein - Broadridge Financial Solutions
  • Kelly Todd - OSVDB

  3. Overview
  • Vulnerability Discovery
  • Private Vulnerability Sharing
  • Public Disclosure
  • Vulnerability Database Management
  • Vulnerability Monitoring/Testing
  • Remediation

  4. Lifecycle Players

  5. Vulnerability Discovery
  • Monitoring for Anomalies / 0-Day
  • Monitoring Local Applications
  • Initial Discovery of Vulnerability
  • Development of Exploit
  • Posting to security lists

  6. Private Vulnerability Sharing
  • Passing around on underground lists
  • Additional research
  • Expanded impact
  • 0-day exploits
  • "Oops, I broke the Internet…"

  7. Public Disclosure
  • Determine when to disclose
  • Coordination between vendor and researcher
  • What to disclose
  • Public reaction / working with media
  • FUD

  8. Vulnerability Database Management
  • Monitoring of sources
  • Validation
  • Summarization
  • Classification
  • Determine/develop remediation measures

  9. Vulnerability Monitoring/Testing
  • Vulnerabilities discovered during a penetration test
  • Vulnerabilities discovered by security software (IDS, logs, scanners)
  • Vulnerabilities discovered from external sources

  10. Remediation
  • Analysis of organizational impact
  • Prioritization
  • Determine/test remediation measures

  11. Questions?
  • cfennelly@tenablesecurity.com
  • coley@mitre.org
  • ramartin@mitre.org
  • cwysopal@gmail.com
  • jonathan.klein@broadridge.com
  • hdm@metasploit.com
  • lyger@attrition.org
