SlideShare a Scribd company logo

Fix What Matters: BSidesDetroit 2014

Michael Roytman
Michael Roytman

Heartbleed has exposed a weakness in the way we assess risk in information security. We use archaic methods and ignore new data when assessing what to fix, and we rarely go back to see what new data is telling us. In this talk, we explore new, data-driven approaches to vulnerability management.

Internet
1 of 39
Download to read offline
Fix What Matters:
 ! Why CVSS Sucks And How To Do Better
Once Jailbroke an Iphone 3G Michael Roytman Proud Owner of Remote Controlled Airplane Recently a Naive Grad Student Data Scientist, Risk I/O Does Not Wake Up Before 11 CST qualifications:
15x better than CVSS
Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
PART 1: ! YOU SUCK AT YOUR JOB ! (and don’t even know it yet)
Why Are We Here? Empirical Failures of CVSS Proper Remediation Frameworks CVSS SUCKS Analytical Failures of CVSS (+Data Driven Alternatives)
Remove the Threat Remediation Accept the Risk Repair the Vulnerability
C(ommon) V(ulnerability) S(coring) S(ystem) “CVSS is designed to rank information system vulnerabilities” Exploitability/Temporal (Likelihood) Impact/Environmental (Severity) The Good: Open, Standardized Scores
“It is a capital mistake to theorize before one has data. ! ! ! Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
FAIL 1: A Priori Modeling “Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”
F2: Data Fundamentalism Don’t Ignore What a Vulnerability Is: Creation Bias http://blog.risk.io/2013/04/data-fundamentalism/ ! Jerico/Sushidude @ BlackHat https://www.blackhat.com/us-13/briefings.html#Martin ! Luca Allodi - CVSS DDOS http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
F2: Data Fundamentalism Since 2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf ! ! The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” http://www.symantec.com/content/en/us/enterprise/other_resources/b- intelligence_report_06-2013.en-us.pdf
F3: Stochastic Ignorance Attackers Change Tactics Daily
F3: Stochastic Ignorance
Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
Repair the Vulnerability
I Love It When You Call Me Big Data 50,000,000 Live Vulnerabilities 1,500,000 Assets 2,000 Organizations
I Love It When You Call Me Big Data 3,000,000 Breaches
Baseline Allthethings Probability (You Will Be Breached On A Particular Open Vulnerability)? =(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities) 2%
Probability A Vuln Having Property X Has Observed Breaches RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0.000 0.010 0.020 0.030 0.040
PART 2: ! FIX WHAT MATTERS
Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
Proper Framework Know which vulnerabilities put you most at risk.
Uh, Sports? Opposing Teams, Specific Players Gameplay Scouting Reports, Gametape Roster, Player Skills Learning from Losing
InfoSec?
Defend Like You’ve Done It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
Work With What You’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
Alternatives
Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
Be Better Than The Gap
I Love It When You Call Me Big Data ! Spray and Pray => 2% ! CVSS 10 => 4% ! Metasploit + ExploitDB => 30%
Holler! www.risk.io @mroytman

Recommended

M6A1
M6A1M6A1
M6A1Matt Cooper
 
Writ 112 project
Writ 112 projectWrit 112 project
Writ 112 projectmarroquin_a
 
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfullyIasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfullyCodecamp Romania
 
Digital connection
Digital connectionDigital connection
Digital connection16ZimJ
 
Tactics for Implementing Test Automation for Legacy Code
Tactics for Implementing Test Automation for Legacy CodeTactics for Implementing Test Automation for Legacy Code
Tactics for Implementing Test Automation for Legacy CodeJeff Gallimore
 
Anatomy of a web page
Anatomy of a web pageAnatomy of a web page
Anatomy of a web pagedharvey100
 
Making Data Useful
Making Data Useful Making Data Useful
Making Data Useful Jakub Uniejewski
 
Rise presentation for workshop 2011 07-04
Rise presentation for workshop 2011 07-04Rise presentation for workshop 2011 07-04
Rise presentation for workshop 2011 07-04Richard Nurse
 

Recommended

M6A1
M6A1M6A1
M6A1Matt Cooper
 
Writ 112 project
Writ 112 projectWrit 112 project
Writ 112 projectmarroquin_a
 
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfullyIasi code camp 20 april 2013 did-your-mobile-app-crash-successfully
Iasi code camp 20 april 2013 did-your-mobile-app-crash-successfullyCodecamp Romania
 
Digital connection
Digital connectionDigital connection
Digital connection16ZimJ
 
Tactics for Implementing Test Automation for Legacy Code
Tactics for Implementing Test Automation for Legacy CodeTactics for Implementing Test Automation for Legacy Code
Tactics for Implementing Test Automation for Legacy CodeJeff Gallimore
 
Anatomy of a web page
Anatomy of a web pageAnatomy of a web page
Anatomy of a web pagedharvey100
 
Making Data Useful
Making Data Useful Making Data Useful
Making Data Useful Jakub Uniejewski
 
Rise presentation for workshop 2011 07-04
Rise presentation for workshop 2011 07-04Rise presentation for workshop 2011 07-04
Rise presentation for workshop 2011 07-04Richard Nurse
 
My Portfolio
My PortfolioMy Portfolio
My PortfolioEric Linden
 
Contaminacion
ContaminacionContaminacion
Contaminacioncristian197
 
Griffey "AI Possible Futures!"
Griffey "AI Possible Futures!"Griffey "AI Possible Futures!"
Griffey "AI Possible Futures!"National Information Standards Organization (NISO)
 
Eye anatomy part 1
Eye anatomy part 1Eye anatomy part 1
Eye anatomy part 1Andy Neill
 
Eye anatomy part 2
Eye anatomy part 2Eye anatomy part 2
Eye anatomy part 2Andy Neill
 
Christopher rodriguez keep people on life support
Christopher rodriguez keep people on life supportChristopher rodriguez keep people on life support
Christopher rodriguez keep people on life supportcrodz1634
 
BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresHybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresAdrian Sanabria
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Michael Roytman
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportAlex Himmelberg
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramUsing Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramSurfWatch Labs
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...SurfWatch Labs
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeMichael Roytman
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Michael Roytman
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 
Big Data Analytics & Insights
Big Data Analytics & InsightsBig Data Analytics & Insights
Big Data Analytics & InsightsListenLogic
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebSurfWatch Labs
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 

More Related Content

What's hot

Eye anatomy part 1
Eye anatomy part 1Eye anatomy part 1
Eye anatomy part 1Andy Neill
 
Eye anatomy part 2
Eye anatomy part 2Eye anatomy part 2
Eye anatomy part 2Andy Neill
 
Christopher rodriguez keep people on life support
Christopher rodriguez keep people on life supportChristopher rodriguez keep people on life support
Christopher rodriguez keep people on life supportcrodz1634
 

What's hot (6)

My Portfolio
My PortfolioMy Portfolio
My Portfolio
 
Contaminacion
ContaminacionContaminacion
Contaminacion
 
Griffey "AI Possible Futures!"
Griffey "AI Possible Futures!"Griffey "AI Possible Futures!"
Griffey "AI Possible Futures!"
 
Eye anatomy part 1
Eye anatomy part 1Eye anatomy part 1
Eye anatomy part 1
 
Eye anatomy part 2
Eye anatomy part 2Eye anatomy part 2
Eye anatomy part 2
 
Christopher rodriguez keep people on life support
Christopher rodriguez keep people on life supportChristopher rodriguez keep people on life support
Christopher rodriguez keep people on life support
 

Viewers also liked

BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersMichael Roytman
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceMichael Roytman
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresHybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresAdrian Sanabria
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Michael Roytman
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportAlex Himmelberg
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramUsing Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramSurfWatch Labs
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...SurfWatch Labs
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeMichael Roytman
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineEd Bellis
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Michael Roytman
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementMichael Roytman
 
Big Data Analytics & Insights
Big Data Analytics & InsightsBig Data Analytics & Insights
Big Data Analytics & InsightsListenLogic
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebSurfWatch Labs
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011Ed Bellis
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMichael Roytman
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesEd Bellis
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OMichael Roytman
 
Treat Cyber Like a Disease
Treat Cyber Like a DiseaseTreat Cyber Like a Disease
Treat Cyber Like a DiseaseSurfWatch Labs
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer SymposiumEd Bellis
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursSurfWatch Labs
 

Viewers also liked (20)

BsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What MattersBsidesSF 2014 Fix What Matters
BsidesSF 2014 Fix What Matters
 
Data Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data ScienceData Science ATL Meetup - Risk I/O Security Data Science
Data Science ATL Meetup - Risk I/O Security Data Science
 
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not NightmaresHybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
Hybrid Cloud Security: Potential to be the Stuff of Dreams, not Nightmares
 
Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015Attacker Behavior Boston Security Conference 2015
Attacker Behavior Boston Security Conference 2015
 
SecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_ReportSecurityScorecard_2016_Financial_Report
SecurityScorecard_2016_Financial_Report
 
Using Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence ProgramUsing Threat Information to Build Your Cyber Risk Intelligence Program
Using Threat Information to Build Your Cyber Risk Intelligence Program
 
Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...Completing the Risk Picture: Adding a business intelligence and collaborative...
Completing the Risk Picture: Adding a business intelligence and collaborative...
 
Risk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach LandscapeRisk IO Webisode 1: The Breach Landscape
Risk IO Webisode 1: The Breach Landscape
 
SecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza LineSecTor 2012 The Security Mendoza Line
SecTor 2012 The Security Mendoza Line
 
Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016Chicago Security Meetup 08/2016
Chicago Security Meetup 08/2016
 
Fix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability ManagementFix What Matters: A Data Driven Approach to Vulnerability Management
Fix What Matters: A Data Driven Approach to Vulnerability Management
 
Big Data Analytics & Insights
Big Data Analytics & InsightsBig Data Analytics & Insights
Big Data Analytics & Insights
 
Shining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark WebShining a Light on Cyber Threats from the Dark Web
Shining a Light on Cyber Threats from the Dark Web
 
Bay threat2011
Bay threat2011Bay threat2011
Bay threat2011
 
Measure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done RightMeasure What You FIx: Asset Risk Management Done Right
Measure What You FIx: Asset Risk Management Done Right
 
Amateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your WorriesAmateur Hour: Why APTs Are The Least Of Your Worries
Amateur Hour: Why APTs Are The Least Of Your Worries
 
Less is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/OLess is More: Behind the Data at Risk I/O
Less is More: Behind the Data at Risk I/O
 
Treat Cyber Like a Disease
Treat Cyber Like a DiseaseTreat Cyber Like a Disease
Treat Cyber Like a Disease
 
Palmer Symposium
Palmer SymposiumPalmer Symposium
Palmer Symposium
 
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach OccursHow to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
How to Connect Your Server Room to the Board Room – Before a Data Breach Occurs
 

Similar to Fix What Matters: BSidesDetroit 2014

BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksEd Bellis
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secureEoin Keary
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Eoin Keary
 
Verizon 2015 DBIR VM portion
Verizon 2015 DBIR VM portionVerizon 2015 DBIR VM portion
Verizon 2015 DBIR VM portionTawnia Beckwith
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium SecurityJack Mannino
 
Semantics, Deep Learning, and the Transformation of Business
Semantics, Deep Learning, and the Transformation of BusinessSemantics, Deep Learning, and the Transformation of Business
Semantics, Deep Learning, and the Transformation of BusinessSteve Omohundro
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Kymberlee Price
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingJim Manico
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info SecurityEd Bellis
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionEoin Keary
 
ccna course 2
ccna course 2ccna course 2
ccna course 2S Sridhar
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza LineEd Bellis
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...DevOps Indonesia
 
Fix What Matters
Fix What MattersFix What Matters
Fix What MattersEd Bellis
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...lior mazor
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gatesEoin Keary
 

Similar to Fix What Matters: BSidesDetroit 2014 (20)

BSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS SucksBSidesSF 2014 Fix What Matters:Why CVSS Sucks
BSidesSF 2014 Fix What Matters:Why CVSS Sucks
 
We cant hack ourselves secure
We cant hack ourselves secureWe cant hack ourselves secure
We cant hack ourselves secure
 
Bsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptxBsides SP 2022 - EPSS - Final.pptx
Bsides SP 2022 - EPSS - Final.pptx
 
Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...Web security – application security roads to software security nirvana iisf...
Web security – application security roads to software security nirvana iisf...
 
Verizon 2015 DBIR VM portion
Verizon 2015 DBIR VM portionVerizon 2015 DBIR VM portion
Verizon 2015 DBIR VM portion
 
Secure Android Apps- nVisium Security
Secure Android Apps- nVisium SecuritySecure Android Apps- nVisium Security
Secure Android Apps- nVisium Security
 
Semantics, Deep Learning, and the Transformation of Business
Semantics, Deep Learning, and the Transformation of BusinessSemantics, Deep Learning, and the Transformation of Business
Semantics, Deep Learning, and the Transformation of Business
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
 
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16Vulnerability Management Nirvana - Seattle Agora - 18Mar16
Vulnerability Management Nirvana - Seattle Agora - 18Mar16
 
RSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP TrainingRSA Europe 2013 OWASP Training
RSA Europe 2013 OWASP Training
 
An Economic Approach to Info Security
An Economic Approach to Info SecurityAn Economic Approach to Info Security
An Economic Approach to Info Security
 
Web security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud versionWeb security – everything we know is wrong cloud version
Web security – everything we know is wrong cloud version
 
ccna course 2
ccna course 2ccna course 2
ccna course 2
 
BSides SF Security Mendoza Line
BSides SF Security Mendoza LineBSides SF Security Mendoza Line
BSides SF Security Mendoza Line
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
Leveraging Vulnerability Management Beyond DPR (Discovery - Prioritization - ...
 
Fix What Matters
Fix What MattersFix What Matters
Fix What Matters
 
The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...The CISO Problems Risk Compliance Management in a Software Development 030420...
The CISO Problems Risk Compliance Management in a Software Development 030420...
 
One login enemy at the gates
One login enemy at the gatesOne login enemy at the gates
One login enemy at the gates
 

More from Michael Roytman

O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalMichael Roytman
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsMichael Roytman
 
Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting ExploitabilityMichael Roytman
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Michael Roytman
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanMichael Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementMichael Roytman
 

More from Michael Roytman (7)

CyberTechEurope.pptx
CyberTechEurope.pptxCyberTechEurope.pptx
CyberTechEurope.pptx
 
O'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability FinalO'Reilly Security New York - Predicting Exploitability Final
O'Reilly Security New York - Predicting Exploitability Final
 
RSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With PredictionsRSA 2017 - Predicting Exploitability - With Predictions
RSA 2017 - Predicting Exploitability - With Predictions
 
Predicting Exploitability
Predicting ExploitabilityPredicting Exploitability
Predicting Exploitability
 
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015Data Metrics and Automation: A Strange Loop - SIRAcon 2015
Data Metrics and Automation: A Strange Loop - SIRAcon 2015
 
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - RoytmanWho Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
Who Watches the Watchers Metrics for Security Strategy - BsidesLV 2015 - Roytman
 
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability ManagementA Heartbleed By Any Other Name - Data Driven Vulnerability Management
A Heartbleed By Any Other Name - Data Driven Vulnerability Management
 

Recently uploaded

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Lucknow
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Dana Luther
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 

Recently uploaded (20)

Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja VipCall Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
Call Girls Service Adil Nagar 7001305949 Need escorts Service Pooja Vip
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
Packaging the Monolith - PHP Tek 2024 (Breaking it down one bite at a time)
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled PersonComplet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Person
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
 

Fix What Matters: BSidesDetroit 2014

  • 1. Fix What Matters:
 ! Why CVSS Sucks And How To Do Better
  • 2. Once Jailbroke an Iphone 3G Michael Roytman Proud Owner of Remote Controlled Airplane Recently a Naive Grad Student Data Scientist, Risk I/O Does Not Wake Up Before 11 CST qualifications:
  • 4. Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
  • 5. PART 1: ! YOU SUCK AT YOUR JOB ! (and don’t even know it yet)
  • 6. Why Are We Here? Empirical Failures of CVSS Proper Remediation Frameworks CVSS SUCKS Analytical Failures of CVSS (+Data Driven Alternatives)
  • 7. Remove the Threat Remediation Accept the Risk Repair the Vulnerability
  • 8. C(ommon) V(ulnerability) S(coring) S(ystem) “CVSS is designed to rank information system vulnerabilities” Exploitability/Temporal (Likelihood) Impact/Environmental (Severity) The Good: Open, Standardized Scores
  • 9. “It is a capital mistake to theorize before one has data. ! ! ! Insensibly, one begins to twist facts to suit theories, instead of theories to suit facts.”
  • 10. FAIL 1: A Priori Modeling “Following up my previous email, I have tweaked my equation to try to achieve better separation between adjacent scores and to have CCC have a perfect (storm) 10 score...There is probably a way to optimize the problem numerically, but doing trial and error gives one plausible set of parameters...except that the scores of 9.21 and 9.54 are still too close together. I can adjust x.3 and x.7 to get a better separation . . .”
  • 11. F2: Data Fundamentalism Don’t Ignore What a Vulnerability Is: Creation Bias http://blog.risk.io/2013/04/data-fundamentalism/ ! Jerico/Sushidude @ BlackHat https://www.blackhat.com/us-13/briefings.html#Martin ! Luca Allodi - CVSS DDOS http://disi.unitn.it/~allodi/allodi-12-badgers.pdf
  • 12. F2: Data Fundamentalism Since 2006 Vulnerabilities have declined by 26 percent.” http://csrc.nist.gov/groups/SNS/rbac/documents/vulnerability-trends10.pdf ! ! The total number of vulnerabilities in 2013 is up 16 percent so far when compared to what we saw in the same time period in 2012. ” http://www.symantec.com/content/en/us/enterprise/other_resources/b- intelligence_report_06-2013.en-us.pdf
  • 15. Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
  • 17. I Love It When You Call Me Big Data 50,000,000 Live Vulnerabilities 1,500,000 Assets 2,000 Organizations
  • 18. I Love It When You Call Me Big Data 3,000,000 Breaches
  • 19. Baseline Allthethings Probability (You Will Be Breached On A Particular Open Vulnerability)? =(Open Vulnerabilities | Breaches Occurred On Their CVE) /(Total Open Vulnerabilities) 2%
  • 20. Probability A Vuln Having Property X Has Observed Breaches RANDOMVULN CVSS 10 CVSS 9 CVSS 8 CVSS 6 CVSS 7 CVSS 5 CVSS 4 Has Patch 0.000 0.010 0.020 0.030 0.040
  • 22. Empirical Failures of CVSS Objective: Remediate the riskiest vulnerabilities Constraint: Can’t measure impact/priority Need: MOAR DATA!!!
  • 23. Proper Framework Know which vulnerabilities put you most at risk.
  • 24.
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 33. Defend Like You’ve Done It Before Groups, Motivations Exploits Vulnerability Definitions Asset Topology, Actual Vulns on System Learning from Breaches
  • 34. Work With What You’ve Got: Akamai, Safenet ExploitDB, Metasploit NVD, MITRE
  • 36. Probability A Vuln Having Property X Has Observed Breaches RandomVuln CVSS 10 Exploit DB Metasploit MSP+EDB 0.0 0.1 0.2 0.2 0.3
  • 37. Be Better Than The Gap
  • 38. I Love It When You Call Me Big Data ! Spray and Pray => 2% ! CVSS 10 => 4% ! Metasploit + ExploitDB => 30%