BreachExchange mailing list archives
Risk-Based Vulnerability Management and Coordination – The Right Security
From: Destry Winant <destry () riskbasedsecurity com>
Date: Thu, 14 Jan 2021 09:54:42 -0600
https://www.riskbasedsecurity.com/2021/01/11/risk-based-vulnerability-management-and-coordination-the-right-security/

Deana Shick, PSIRT Engineer at Intel Corporation, joins Jake Kouns, CEO and CISO at RBS, to talk about how Risk Based Vulnerability Management and Vulnerability Coordination work in the "real world."

Deana specializes in vulnerability management, vulnerability response and threat intelligence. Prior to her current role she was PSIRT Lead at Rockwell Automation and a member of the technical staff at the CERT Division of the Software Engineering Institute. She has also coordinated and developed responses to information security standards such as CVE and CVSS.

Deana has been involved in a number of important projects, including:
- Department of Defense Vulnerability Disclosure Program (VDP)
- The Coordinated Vulnerability Disclosure guide for DOD

Check out this episode of The Right Security <https://www.youtube.com/playlist?list=PLkV2qhiMyRKspi14k6qALEGirECTVRHp9> for key insights into how vulnerabilities work in the real world.

Show Notes
0:00 – Welcome and speaker introduction
2:25 – Vulnerability disclosures in 2021 & year-end 2020 quick-view
3:08 – CVSS v2 vs. CVSS and use for vulnerability prioritization
5:10 – CVSS awareness amongst enterprise security teams
10:16 – Real risk-based vulnerability management
11:43 – CVSS v4 involvement
13:04 – SSVC use in a PSIRT role
18:00 – CVD and its value in vulnerability coordination
21:17 – Learnings from work on the Coordinated Vulnerability Disclosure guide
23:40 – Researcher frustration with vulnerability coordination
26:08 – Difference between VDP and CVD
29:40 – Vendors piggybacking on MS Patch Tuesday
33:26 – Recommendations for continuing virtual learning in cybersecurity
37:00 – Figuring out what area of cybersecurity to get into

FURTHER READING
2020: The Vulnerability Fujiwhara Effect – Oracle and Microsoft Collide <https://www.riskbasedsecurity.com/2020/01/08/2020-the-vulnerability-fujiwhara-effect-oracle-and-microsoft-collide/>
Prioritizing Vulnerability Response with a Stakeholder-Specific Vulnerability Categorization <https://insights.sei.cmu.edu/cert/2019/12/prioritizing-vulnerability-response-with-a-stakeholder-specific-vulnerability-categorization.html>
Vulnerability Prioritization and Disclosure, with Art Manion | The Right Security <https://www.youtube.com/watch?v=o58wvnBqAyE>
RVASec 2019 Deana Shick Intro to Infosec and Overview of the 101 Track <https://www.youtube.com/watch?v=BUuNbqhn-18>

The Right Security
This is the latest in our video series The Right Security, in which we talk with leaders and veterans in the security industry, tackling the biggest issues impacting organizations today. Check out The Right Security series on YouTube, and subscribe to the Risk Based Security channel to see new episodes in your feed.
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link:
https://lists.riskbasedsecurity.com/listinfo/breachexchange