3. What is Vulnerability
• Vulnerability is a measure of the extent to which a community, structure, service or geographical area is likely to be damaged or disrupted, on account of its nature or location, by the impact of a particular disaster hazard [OECD 2015]
4. What is Vulnerability
• A weakness of an asset or group of assets that can be exploited by one or more threats [ISO/IEC 13335-1:2004]
• Or anything attackers find that they can exploit
5. Vulnerability Management
• The identification of vulnerabilities that can be exploited within a system
– Vulnerability Assessment
– Penetration Testing
• The remediation / risk management of vulnerabilities
6. Types of Testing
• SAST
• DAST
– Web Layer
– Host / Infrastructure
– Database
• Manual validation
• IT'S NOT A PEN TEST
10. Business Context
• Business drivers and objectives
• Understand your assets
• We want to be Secure but we DO NOT WANT Security
– John Callas, PGP, Apple, Entrust & Silent Circle
• System 1 & System 2 thinking
11. Environmental Context
• Understand your assets
• Understand the operating environment
• Deep knowledge of compensating controls
• Tool selection
13. Get Message Right
• Less blah blah blah
• Use business context examples
• Negative to positive
• Do not belittle people
– Israel Barrack, ex-Israeli Defence Force Red Team Lead
19. Useful Links / Feeds
RSS Feeds
https://isc.sans.edu/rssfeed.xml
http://feeds.feedburner.com/sucuri/blog
http://seclists.org/rss/fulldisclosure.rss
http://www.intelligentexploit.com/feed/
https://community.rapid7.com/Rapid7_ViewAll?tag=Metasploit&type=blog
Podcasts
http://securityweekly.com/podcast/psw.xml
https://isc.sans.edu/dailypodcast.xml
http://leo.am/podcasts/sn
All Round Defence / WestThor Ltd take no responsibility for the content of these sites / podcasts