The *Vulnerability* Response Program – Responding to attacks that haven’t even happened yet


Presented at NYMJCSC 2016 by

You probably have an incident response program in place, but do you have a *vulnerability* response program? Organizations are swimming in application vulnerabilities and get hit with new ones all the time. Some are introduced by developers as they write new code. Others arrive in libraries pulled into projects through the software supply chain. Still more are novel flaws discovered by talented security researchers. Each of these vulnerabilities represents risk to your organization, and each demands a structured response across your portfolio, built from options that each have their own strengths and challenges:

• Fix the code - now or later
• Upgrade to the latest library version
• Defend at the HTTP level with a WAF or filter
• Defend at the code level with RASP
• Defend with CVE shields
• Prevent the flaw architecturally
• Enhance tools to detect the flaw throughout the portfolio
• Enhance detection to catch attempts to exploit it
• Put it in a risk or vulnerability management tool and forget it
• Accept the risk
• A combined approach

How do you choose the right approach for responding to a given vulnerability? How do you set policies for vulnerabilities in general? When should the response happen, and do you have an SLA around vulnerability response? Who needs to be involved in the decision? How can you minimize the cost of emergency code re-engineering to fix vulnerabilities?

In this talk, Jeff will describe best practices for building an efficient, safe vulnerability response program, including threat