Vulnerability Management Systems Flawed - Leaving your Enterprise at High Risk

Presented at BSides Austin 2016, April 1, 2016, 1 p.m. (60 minutes)

Today's Enterprise organizations are being misled with regard to their security risk exposure, and are in serious danger of becoming victims of security breach events. The automated vulnerability management (VM) solutions and products that are central to every Enterprise information security program, and which are essential in gauging network security information risk, contain a serious "hidden" flaw which is now beginning to come to light. This software flaw is interleaved within pattern matching-like algorithms located deep within the foundational core of the most prevalent and widely used automated VM system products and solutions on the market today. As a direct consequence of this flaw, even though these products report a certain level of network security risk, the metric upon which their calculations are based is skewed, resulting in an unintentional gap between the products' intended information risk measurement and the erroneous measurement actually reported. This session covers the technical details of the referred to hidden flaw, its consequences and what you can do to limit your exposure.


  • Gordon MacKay
    Gordon MacKay, CISSP, serves as CTO for Digital Defense, Inc. He applies mathematical modeling and engineering principles in investigating solutions to many of the challenges within the information security space. His solution to matching network discovered hosts within independent vulnerability assessments across time resulted in achieving patent-pending status for the company's scanning technology. MacKay has presented at numerous security related conferences, including RSA, and has been featured by top media outlets such as FOX Business, Softpedia, IT World Canada and others. He holds a Bachelor's in Computer Engineering from McGill University. He is a Distinguished Ponemon Institute Fellow.