[BreachExchange] Risk-Based Vulnerability Management and Coordination – The Right Security

Destry Winant destry at riskbasedsecurity.com
Thu Jan 14 10:54:42 EST 2021


https://www.riskbasedsecurity.com/2021/01/11/risk-based-vulnerability-management-and-coordination-the-right-security/

Deana Shick, PSIRT Engineer at Intel Corporation, joins Jake Kouns, CEO and
CISO at RBS, to talk about how Risk Based Vulnerability Management and
Vulnerability Coordination work in the “real world.”

Deana specializes in vulnerability management, vulnerability response &
threat intelligence. Prior to her role she was PSIRT Lead at Rockwell
Automation and was a member of the technical staff at the CERT Division at
the Software Engineering Institute. She has also coordinated and developed
responses to Information Security standards such as CVE and CVSS.

Deana has been involved in a number of important projects including:

Department of Defense Vulnerability Disclosure Program (VDP)
The Coordinated Vulnerability Disclosure guide for DOD

Check out this episode of The Right Security
<https://www.youtube.com/playlist?list=PLkV2qhiMyRKspi14k6qALEGirECTVRHp9>
for key insights of how vulnerabilities work in the real world.

Show Notes

0:00 – Welcome and speaker introduction
2:25 – Vulnerability disclosures in 2021 & year-end 2020 quick-view
3:08 – CVSS v2 vs. CVSS and use for vulnerability prioritization
5:10 – CVSS awareness amongst enterprise security teams
10:16 – Real risk-based vulnerability management
11:43 – CVSS v4 involvement
13:04 – SSVC use in a PSIRT role
18:00 – CVD and its value in vulnerability coordination
21:17 – Learnings from work on Coordinated Vulnerability Disclosure guide
23:40 – Researcher frustration with vulnerability coordination
26:08 – Difference between VDP and CVD
29:40 – Vendors piggybacking on MS patch Tuesday
33:26 – Recommendations for continuing virtual learning in cybersecurity
37:00 – Figuring out what area of cybersecurity to get into

FURTHER READING

2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide
<https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/>

Prioritizing Vulnerability Response with a Stakeholder-Specific
Vulnerability Categorization
<https://insights.sei.cmu.edu/cert/2019/12/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization.html>

Vulnerability Prioritization and Disclosure, with Art Manion | The Right
Security <https://www.youtube.com/watch?v=o58wvnBqAyE>

RVASec 2019 Deana Shick Intro to Infosec and Overview of the 101 Track
<https://www.youtube.com/watch?v=BUuNbqhn-18>

The Right Security

This is the latest in our video series The Right Security, in which we talk
with leaders and veterans in the security industry, tackling the biggest
issues impacting organizations today.

Check out The Right Security series on YouTube, and subscribe to the Risk
Based Security channel to see new episodes in your feed.