Explore a deep dive into vulnerability and exploit trends through this BSidesLV 2013 conference talk. Analyze data fundamentals, misleading statements, and the framework of security vulnerabilities. Examine vulnerability definitions, density, and remediation strategies. Investigate the Common Vulnerability Scoring System (CVS) and its impact on prioritizing fixes. Learn about the "Security Mendoza Line" concept and why patching everything isn't always feasible. Delve into the economics of security, including costs and success probabilities. Study real-world examples like PHP vulnerabilities, age of breach vulnerabilities, and exploit kits. Gain valuable insights to improve your understanding of cybersecurity trends and data-driven decision-making in vulnerability management.
Overview
Syllabus
Intro
Finding the data
Data Fundamentalism
Misleading Statements
The Framework
What do they do
Whats actually happening
Sports analogy
What does security look like
Vulnerability definitions
Data
Status Quo
One Scanner
Duplication
Vulnerability Density
Remediation
Data Analysis
Whats Missing
CVS and Remediation
Precision
CVS
The Security Mendoza Line
Which Vulnerability To Fix
Why Not Patch Everything
Money Slide
Its more than patching
Its also expensive
Rapid7 web page
Success probabilities
Selection bias
PHP vulnerabilities
Age of breach vulnerabilities
Exploit kits
Vulnerability percentage
Outro
