How NOT to suck at Vulnerability Management

Presented at ShellCon 2018, Sept. 22, 2018, 9 a.m. (50 minutes)

In the current cyber landscape, several vulnerabilities are discovered every day. The volume of this information, and the multiple sources from which it must be consumed, create interesting challenges for any security team. Poor vulnerability management has become a serious fundamental problem and a common factor in most data breaches in the past months.

Vulnerability management is often disregarded, improperly staffed, and rarely discussed in some circles of the infosec community. Badly implemented programs are the source of nightmares for blue teams and the joy of red teams, pentesters, and bad guys alike. Under these circumstances, are you prepared to deal with vulnerabilities accordingly?

In this talk, we'll share our experiences building a program to address and deal with vulnerabilities at scale: what works, what does not, and why. More importantly, we'll cover what actions you should consider to improve or build your vulnerability management program. In addition, we'll be releasing a vulnerability management tool and show how it can be used in your own program. Whether you are a seasoned infosec professional or new to the field, there is something for you to take away.


Presenters:

  • Chris Halbersma
    Chris is currently a Sr. Security Engineer at Verizon Digital Media Services (formerly EdgeCast). He started working with computers in high school and, having older, slower computers, quickly made the move to Linux and the BSDs to improve performance. From then on he has worked with *nix systems almost exclusively, and a couple of years ago made the switch from being a Systems Administrator to working exclusively in Security. When not working, Chris enjoys crypto-currencies, his dogs, and putting wacky stuff on various Raspberry Pis. Twitter: @ChrisHalbersma
  • Plug
    Plug is currently a Paranoids FIRE member at Oath. He started his journey in computer security back in 1996 when he discovered a 2600 magazine that eventually led him to his first LA2600 meeting in 1998. From that point forward he has been involved in computer security. He has worked as a Systems Administrator, Security Analyst, and Security Engineer in the finance and telecom sectors. In his free time he enjoys building Legos and playing with synthesizers and modular systems. When possible he volunteers his time to computer security events. Twitter: @plugxor
