BSides Munich 2024

Help, My Application Is Vulnerable, but How Bad Is It? - Practical Vulnerability Analysis for Development Teams
2024-11-11, WestIn - Munich

The goal of this presentation is to give developers practical insight into the vulnerability analysis process and to provide them with ideas and tools they can use when the next vulnerability appears.


With an increasing number of high and critical vulnerabilities being published each year, and with more than 6000 CVE entries released so far in 2024 being rated high or critical, developers and project teams face the ongoing challenge of responding quickly to serious flaws in their codebases and projects. Often there is no structured process or dedicated security team to manage these issues, yet project teams must quickly decide on the next steps to take.

In this presentation, based on real-world experience with numerous project teams, we will discuss how to efficiently analyze vulnerabilities and estimate their potential impact in the team's specific context. CVSS (Common Vulnerability Scoring System) metrics provide a general assessment of vulnerability severity and are often used as a first step in prioritization. We will explain what CVSS scores mean and where their limitations lie. We will also introduce the Exploit Prediction Scoring System (EPSS), which uses a machine learning model to estimate the probability that a vulnerability will be exploited in the wild within the next 30 days, but has its own shortcomings that we will explore.

Ultimately, relying on these metrics alone does not give a comprehensive view of exploitability and risk. The context of an application is critical. We will show how to get a clearer picture of the risk indicated by these metrics by walking through the cyber kill chain for some well-known disclosed vulnerabilities as examples. Specifically, we will show how the current application design and network architecture can disrupt the cyber kill chain at each of its seven stages, thereby contributing to a more reliable vulnerability assessment.

Through this presentation, you will learn about different approaches to vulnerability analysis, the meaning of CVSS and EPSS scores, and how to incorporate your technical context into a structured process for better vulnerability management.


Keywords: vulnerability analysis, devsecops, epss

Michael is a cybersecurity strategist and expert working on a wide range of product and cybersecurity topics with a background in secure software development. He is the co-founder of a security consulting firm that helps clients across industries implement product security programs, adopt DevSecOps, and achieve compliance with various standards. He believes that people and communication are at least as important and effective in moving organizations forward as tools and technology.


Alvaro Martinez holds a Bachelor of Engineering in Telecommunications and a Master's degree in Information Security, graduating in 2018. After several years working as a web developer, he switched to his preferred area, cybersecurity, where he currently conducts vulnerability assessments and web penetration tests, integrates security tools into corporate environments and helps development teams better understand and mitigate vulnerabilities in their applications.