Is it 0-day or 0-care?

Presented at DEF CON 19 (2011), Aug. 5, 2011, 6 p.m. (50 minutes)

Vulnerability Databases (VDBs) have provided information about security vulnerabilities for over 10 years. This has put VDBs in a unique position to understand and analyze vulnerability trends and changes in the security industry. This panel presentation will examine vulnerability information over the past several years with an emphasis on understanding security researchers, the quality of research, vendors, disclosure trends, and the value of security vulnerabilities. The emotional debate surrounding Full Disclosure has raged on for decades. This panel will use grounded data to discuss the salient points of that debate and, hopefully, identify trends that may influence it. Maybe even in a positive fashion!


Presenters:

  • Katie Moussouris - Microsoft
    Katie Moussouris leads the Security Community Outreach and Strategy team at Microsoft. Her team's work encompasses Security Ecosystem Strategy programs such as Microsoft's BlueHat conference and worldwide hacker conference engagement, security researcher outreach, and Microsoft's Vulnerability Disclosure Policies. Katie also founded and runs Microsoft Vulnerability Research, which is responsible for Microsoft's research and reporting of vulnerabilities in third-party software. Katie was recently voted editor of a new draft ISO standard on Vulnerability Handling Processes, following her work over the past four years as the lead expert in the US National Body on an ISO draft standard on Vulnerability Disclosure. Prior to working for Microsoft, Katie was a penetration tester for several Fortune 500 companies and a senior security architect for @stake when it was acquired by Symantec. At Symantec, Katie founded and ran Symantec Vulnerability Research.
  • Alex Hutton - Verizon
    Alex Hutton is a big fan of trying to understand security and risk through metrics and models. Currently, Alex is a principal for Research & Intelligence with the Verizon Business RISK Team. The Verizon RISK Team builds and hones the risk models for Cybertrust services, produces the Verizon Data Breach Investigations Report and Verizon's PCI Compliance Report, and is responsible for the VERIS data collection and analysis efforts. As a member of the RISK team, Alex also writes regularly for the Verizon Security Blog (http://securityblog.verizonbusiness.com). Alex likes risk and security so much that he spends his spare time working on projects and writing about the subject. Some of that work includes contributions to the Cloud Security Alliance documents, the CIS metrics project, the ISM3 security management standard, and work with the Open Group Security Forum. Alex is a founding member of the Society of Information Risk Analysts (http://societyinforisk.org/), blogs for their website, and records a podcast for the membership. He also blogs at the New School of Information Security Blog (http://www.newschoolsecurity.com).
  • Dan Holden - HP TippingPoint
    Dan Holden is the director of security research for HP TippingPoint, where he leads one of the most well-respected security research groups in the industry. His teams oversee product security testing, the Zero Day Initiative, the Digital Vaccine services, new security technologies, and vulnerability and malware research. Prior to HP TippingPoint, Dan was a founding member of IBM/ISS X-Force. Dan helped build and define X-Force over the course of 12 years in various capacities ranging from development to product management. Dan has been in the security industry for over 17 years, specializing in vulnerability analysis, security research, and IPS technology. Dan is a frequent speaker at major industry conferences and has been quoted and featured in many top publications.
  • Art Manion - CERT
    Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI). He has studied vulnerabilities and coordinated responsible disclosure efforts since joining CERT in 2001. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.
  • Carsten Eiram - Chief Security Specialist at Secunia
    Carsten Eiram comes from an esrever engineering background and is a vulnerability connoisseur during the day, with extensive experience in the fields of vulnerability research and Vulnerability Intelligence. At night, he's a binary ninja who has successfully stalked, found, and killed many critical vulnerabilities in popular software from major software vendors. Carsten is currently the Chief Security Specialist at Secunia and holds the dual responsibility of developing and managing the Secunia Research unit as well as maintaining close dialogue with software vendors and the security community, thereby ensuring both the quality and integrity of Secunia's work. He is often referred to as the Security Beast, but has yet to manage getting that title onto his business cards. Carsten is a key contributor to the high technical quality and accuracy of Secunia's Vulnerability Intelligence solutions, and one of his responsibilities is to ensure that Secunia continues to be the most respected and trustworthy provider of Vulnerability Intelligence and the most active research house. Based on his and his team's research efforts, Frost & Sullivan presented awards to Secunia in both 2010 and 2011. Carsten is also a regular contributor to the "Threat of the Month" column in SC Magazine, a credited contributor to the "CWE/SANS Top 25 Most Dangerous Software Errors" list, and a member of the CVE Editorial Board.
  • Steve Christey - Principal Information Security Engineer at MITRE / CVE
    Steve Christey is a Principal Information Security Engineer in the Security and Information Operations Division at The MITRE Corporation. He is the editor of the Common Vulnerabilities and Exposures (CVE) list, Chair of the CVE Editorial Board, and technical lead for the Common Weakness Enumeration (CWE), CWSS, and the CWE/SANS Top 25 Most Dangerous Software Errors. He has been an active contributor to other efforts including NIST's Static Analysis Tool Exposition (SATE), the Common Vulnerability Scoring System (CVSS), and the SANS Secure Programming exams, and was co-author, with Chris Wysopal, of the influential "Responsible Vulnerability Disclosure Process" IETF draft in 2002. His current interests include secure software development and testing, consumer-friendly software security metrics, the theoretical underpinnings of vulnerabilities, and vulnerability research. He holds a B.S. in Computer Science from Hobart College.
  • Brian Martin - Project Lead at OSVDB
    Brian Martin has been maintaining or contributing to vulnerability databases since 1993. As the content manager for the Open Source Vulnerability Database (OSVDB), he is constantly exposed to new challenges in vulnerability management. A long-time advocate of vulnerability database evolution, he has helped push VDBs forward and challenged them to become more useful and more thorough. No degree or certifications; just 18 years working with vulnerabilities as part of the day job and hobbies. He remains a champion of small misunderstood creatures.
  • Jake Kouns - Open Security Foundation
    Jake Kouns is the co-founder, CEO, and CFO of the Open Security Foundation (OSF), a non-profit organization that oversees the operations of the Open Source Vulnerability Database (OSVDB.org), Cloutage.org, and DataLossDB. All projects are independent, open source databases that provide detailed and unbiased technical information on security vulnerabilities, cloud security, and data loss incidents worldwide. Mr. Kouns has presented at many well-known security conferences including RSA, CISO Executive Summit, EntNet IEEE GlobeCom, CanSecWest, and SyScan. He is the co-author of the books Security in an IPv6 Environment (Taylor & Francis, 2009) and Information Technology Risk Management in Enterprise Environments (Wiley, 2010). He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA, and CGEIT.