Towards Effective & Scalable Vulnerability Management

Presented at BSidesLV 2023, Aug. 8, 2023, 10:30 a.m. (20 minutes).

While the security landscape is constantly changing, our approach to vulnerability management hasn't changed much over the last couple of decades. The increasing reliance on third-party code, the growing number of vulnerabilities being discovered, and the increased visibility into our software stack in the wake of Log4Shell and the adoption of SBOMs make a more effective and scalable vulnerability management paradigm a necessity. What would such a paradigm look like? Join me in this interactive discussion as we explore the challenges of vulnerability management and highlight potential solutions. We'll discuss current frameworks and standards that can help address this issue, such as CSAF and VEX, and demonstrate how, once adopted, they can be used to automate many aspects of vulnerability management that today are manual and extremely time-consuming. We'll explore how to use exploitability as a strong signal for prioritization, and how automation can play a crucial role in making vulnerability management more effective and scalable. By the end of this talk, you'll have a deeper understanding of vulnerability management and practical insights on how to improve your organization's security posture. Let's explore the future of vulnerability management together!
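To make the two ideas in the abstract concrete (VEX statements suppressing findings that do not apply, and exploitability rather than CVSS driving what gets fixed first), here is an added example that is not part of the talk and not Rezilion's code. It assumes an OpenVEX-shaped document (only the `statements`, `vulnerability.name`, `products[].@id`, `status` and `justification` fields are read; CSAF spells the same four statuses as `product_status` keys), a scanner output keyed by CVE and package URL, and two exploitability feeds shaped like FIRST's EPSS scores and CISA's KEV catalog. All CVE IDs, package URLs, scores and KEV membership are constructed for illustration and do not describe real advisories; the 0.1 EPSS threshold is an arbitrary policy choice.

```python
"""Added example: VEX-driven suppression plus exploitability-ranked triage.

Constructed sample data only: the CVE IDs, package URLs, EPSS scores and
KEV membership below are made up and do not describe real advisories.
"""
import json

# The four VEX statuses, spelled as OpenVEX does.
VEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# A not_affected statement is only machine-actionable with a recognised justification.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed OpenVEX-shaped document (only the fields this example reads).
SAMPLE_VEX = json.loads("""{
  "@context": "https://openvex.dev/ns/v0.2.0",
  "statements": [
    {"vulnerability": {"name": "CVE-2023-0001"},
     "products": [{"@id": "pkg:maven/example/logging@2.14.1"}],
     "status": "not_affected",
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-2023-0002"},
     "products": [{"@id": "pkg:npm/example-http@1.0.0"}],
     "status": "fixed"},
    {"vulnerability": {"name": "CVE-2023-0003"},
     "products": [{"@id": "pkg:pypi/example-yaml@5.1"}],
     "status": "not_affected"}
  ]
}""")

# Constructed scanner output: what an SBOM scan might report before VEX is applied.
SAMPLE_FINDINGS = [
    {"cve": "CVE-2023-0001", "product": "pkg:maven/example/logging@2.14.1", "cvss": 10.0},
    {"cve": "CVE-2023-0002", "product": "pkg:npm/example-http@1.0.0", "cvss": 7.5},
    {"cve": "CVE-2023-0003", "product": "pkg:pypi/example-yaml@5.1", "cvss": 9.8},
    {"cve": "CVE-2023-0004", "product": "pkg:pypi/example-img@3.2", "cvss": 6.1},
    {"cve": "CVE-2023-0005", "product": "pkg:golang/example.org/net@0.9", "cvss": 5.3},
]
# Constructed exploitability signals, shaped like FIRST EPSS scores and the CISA KEV list.
SAMPLE_EPSS = {"CVE-2023-0003": 0.02, "CVE-2023-0004": 0.71, "CVE-2023-0005": 0.004}
SAMPLE_KEV = {"CVE-2023-0005"}


def index_vex(doc):
    """Map (cve, product purl) -> statement, dropping statements that are not actionable."""
    index = {}
    for st in doc.get("statements", []):
        status = st.get("status")
        if status not in VEX_STATUSES:
            continue  # unknown status: ignore rather than trust
        if status == "not_affected" and st.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
            continue  # an unjustified not_affected must never suppress a finding
        cve = st["vulnerability"]["name"]
        for prod in st.get("products", []):
            index[(cve, prod["@id"])] = st
    return index


def triage(findings, vex_index, epss, kev, epss_threshold=0.1):
    """Drop findings VEX says do not apply here, then rank the rest by exploitability."""
    actionable = []
    for f in findings:
        st = vex_index.get((f["cve"], f["product"]))
        status = st["status"] if st else "no_vex"
        if status in ("not_affected", "fixed"):
            continue  # suppressed by a justified, auditable statement
        score = epss.get(f["cve"], 0.0)
        if f["cve"] in kev:
            tier, reason = 1, "in KEV: known exploited in the wild"
        elif score >= epss_threshold:
            tier, reason = 2, f"EPSS {score:.2f} >= {epss_threshold}"
        elif status == "affected":
            tier, reason = 3, "supplier confirms affected, no exploitation signal"
        else:
            tier, reason = 4, "no exploitation signal; schedule normally"
        actionable.append({**f, "vex_status": status, "epss": score, "tier": tier, "reason": reason})
    # tier first, then EPSS, then CVSS only as the tie-breaker
    actionable.sort(key=lambda r: (r["tier"], -r["epss"], -r["cvss"]))
    return actionable


if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, index_vex(SAMPLE_VEX), SAMPLE_EPSS, SAMPLE_KEV):
        print(f'tier {row["tier"]}  {row["cve"]}  {row["product"]}  {row["reason"]}')
```

Two points worth noticing in the output: the CVSS 9.8 finding ends up last because its VEX statement carries no justification (so it is not suppressed) and its EPSS score is low, while the CVSS 5.3 finding comes first purely because it is in KEV. Severity only breaks ties once exploitability has been taken into account, which is the prioritization shift the abstract argues for.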

Presenters:

  • Yotam Perkal
    Yotam leads the vulnerability research team at Rezilion, focusing on research around vulnerability validation, mitigation, and remediation. He is passionate about cybersecurity and machine learning and is especially intrigued by the intersection of the two domains, whether using ML to help solve cybersecurity challenges or exploring the challenges of securing ML applications. Prior to Rezilion, Yotam held several roles in PayPal's security organization, dealing with vulnerability management, threat intelligence, and insider threat. Yotam is also a member of the PyCon Israel organizing committee and takes part in several OpenSSF working groups around open-source security as well as several CISA workstreams around SBOM and VEX.
