About this session
Posture and Data don't lie: a risk- and fact-driven approach to posture management, with a deep dive into exploitability, reliability and the likelihood of exploitation.
Abstract
Posture is the art of representing complex problems in a simple, risk-based visualization. Risk posture has a lot of hidden measurements and data behind it and has long been treated like an esoteric art. In this talk, we explore concepts such as exploitation, the likelihood of exploitation, the context and location of an asset and how they influence exploitability, business impact, and how to involve the business with risk-driven metrics. The talk focuses on data-driven research and visualisation techniques, analysing what is more exploitable according to different data sources. We will explore the difference between a vulnerability-based, resolution-first approach and a risk-based approach, with successes from real case scenarios. Find your path in this modern, challenging.
Writeup on exploitability data: https://phoenix.security/exploitability-data-visualization/
Writeup on CISA KEV: https://phoenix.security/cisa-kev-visualization/
Audience
Application security
Vulnerability management
Head of application security
Product security
Security engineers
CISO
GRC
Take away:
Learn how to start measuring a posture management program in application security and vulnerability management.
Leverage risk metrics for an application security program.
Learn how to create a narrative around security with product security.
Learn how to involve management and the business in the heartbeat of application security.
Understand the concept of the product.
Understand and apply how to involve the business and insert business criticality.
Understand the concept of prioritization and the data behind it.
Understand and leverage exploitability, probability of exploitation, and likelihood of exploitation.
Understand and apply contextual elements to application security and vulnerability management.
Understand which threat feed is actually valid and how to automate CTI.
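The session contrasts a vulnerability-based (severity-first) ordering with a risk-based one that folds in exploitation likelihood, asset context and business criticality. The following is an added illustration written for this page, not the speaker's or Phoenix Security's own scoring model: the weights, the 0.9 floor for known-exploited findings, the exposure multiplier and all finding identifiers are constructed assumptions, chosen only to show how the two orderings diverge on the same data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str                 # constructed placeholder label, not a real CVE id
    cvss: float                # base severity, 0-10
    exploit_prob: float        # assumed probability of exploitation, 0-1 (e.g. an EPSS-style estimate)
    known_exploited: bool      # listed on an exploited-in-the-wild feed such as CISA KEV
    internet_facing: bool      # context: asset reachable from the internet
    business_criticality: int  # 1 (low) .. 3 (high), assigned by the business owner


def severity_rank(findings):
    """Vulnerability-based ordering: highest CVSS first, context ignored."""
    return [f.ident for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def risk_score(f: Finding) -> float:
    """Illustrative risk score = likelihood x exposure x impact (assumed weights)."""
    likelihood = f.exploit_prob
    if f.known_exploited:
        # Confirmed in-the-wild exploitation dominates any probabilistic estimate.
        likelihood = max(likelihood, 0.9)
    exposure = 1.0 if f.internet_facing else 0.5
    impact = (f.cvss / 10) * f.business_criticality
    return round(likelihood * exposure * impact, 3)


def risk_rank(findings):
    """Risk-based ordering: highest combined likelihood/context/impact first."""
    return [f.ident for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory: four findings across assets with different context.
SAMPLE = [
    Finding("FINDING-A", 9.8, 0.02, False, False, 1),  # critical CVSS, internal, low-value asset
    Finding("FINDING-B", 7.5, 0.60, True, True, 3),    # high CVSS, KEV-listed, internet-facing, crown jewel
    Finding("FINDING-C", 8.1, 0.30, False, True, 2),   # high CVSS, exposed, medium criticality
    Finding("FINDING-D", 5.3, 0.05, False, False, 3),  # medium CVSS, internal, but business-critical
]


def compare(findings):
    """Return both orderings side by side so the divergence is visible."""
    return {"severity_first": severity_rank(findings), "risk_first": risk_rank(findings)}


if __name__ == "__main__":
    for name, order in compare(SAMPLE).items():
        print(f"{name:15s}: {order}")
    for f in SAMPLE:
        print(f"{f.ident}: cvss={f.cvss} risk={risk_score(f)}")
```

Severity-first puts the internal, low-value FINDING-A at the top; risk-first moves the KEV-listed, internet-facing FINDING-B ahead of it and pushes FINDING-A to the bottom, which is the reordering the talk argues for when asking the business to prioritise remediation.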