Vulnerability Management Lifecycle
Panel Discussion

Panelists
• Carole Fennelly - Tenable Network Security
• Chris Wysopal - Veracode
• Steven Christey - MITRE
• Bob Martin - MITRE
• HD Moore - Rapid7
• Jonathan Klein - Broadridge Financial Solutions
• Kelly Todd - OSVDB
Overview
• Vulnerability Discovery
• Private Vulnerability Sharing
• Public Disclosure
• Vulnerability Database Management
• Vulnerability Monitoring/Testing
• Remediation

Vulnerability Discovery
• Monitoring for anomalies / 0-day
• Monitoring local applications
• Initial discovery of vulnerability
• Development of exploit
• Posting to security lists

Private Vulnerability Sharing
• Passing around on underground lists
• Additional research
• Expanded impact
• 0-day exploits
• “Oops, I broke the Internet…”

Public Disclosure
• Determine when to disclose
• Coordination between vendor and researcher
• What to disclose
• Public reaction / working with media
• FUD

Vulnerability Database Management
• Monitoring of sources
• Validation
• Summarization
• Classification
• Determine/develop remediation measures

Vulnerability Monitoring/Testing
• Vulnerabilities discovered during a penetration test
• Vulnerabilities discovered by security software (IDS, logs, scanners)
• Vulnerabilities discovered from external sources

Remediation
• Analysis of organizational impact
• Prioritization
• Determine/test remediation measures
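The "Vulnerability Database Management" and "Remediation" slides describe one pipeline: collect records from several sources, validate them, classify them, and then rank them by organizational impact so the remediation work is done in the right order. The following is an added illustration of that pipeline, not code from the panel or from any panelist's product. The feed records, the asset exposure weights and the keyword-based classifier are all constructed for the example; the scoring rule (CVSS weighted by how exposed the affected asset is) is an assumed, deliberately simple placeholder for whatever impact analysis an organization actually uses.

```python
"""Minimal vulnerability-record pipeline: validate -> deduplicate -> classify -> prioritize.
Added illustration; all records, weights and rules below are constructed."""
from dataclasses import dataclass, field

# A record must carry these fields before it is accepted into the database.
REQUIRED_FIELDS = {"id", "source", "product", "summary", "cvss"}

# Constructed keyword classifier (assumption: a real database would use CWE or a
# curated taxonomy; this only stands in for the "Classification" step).
CLASS_KEYWORDS = {
    "memory corruption": ("overflow", "use-after-free", "heap"),
    "injection": ("sql injection", "command injection", "xss"),
    "authentication": ("auth bypass", "default credential", "weak password"),
}

# Constructed sample feed: the same issue reported by two sources, and one
# scanner finding that arrives without a severity score.
RAW_RECORDS = [
    {"id": "EX-0001", "source": "vendor advisory", "product": "WebPortal",
     "summary": "Stack buffer overflow in login handler", "cvss": 9.8},
    {"id": "EX-0002", "source": "mailing list", "product": "Reporter",
     "summary": "SQL injection in search form", "cvss": 7.5},
    {"id": "EX-0001", "source": "mailing list", "product": "WebPortal",
     "summary": "Buffer overflow in WebPortal login", "cvss": 9.0},
    {"id": "EX-0003", "source": "scanner", "product": "LegacyCMS",
     "summary": "Auth bypass via default credential"},          # no cvss -> rejected
    {"id": "EX-0004", "source": "scanner", "product": "InternalWiki",
     "summary": "Reflected XSS in page title", "cvss": 6.1},
]

# Constructed organizational context for "Analysis of organizational impact":
# 1.0 = internet-facing and business critical, lower = internal / low value.
ASSET_EXPOSURE = {"WebPortal": 1.0, "Reporter": 0.6, "InternalWiki": 0.3}


@dataclass
class VulnRecord:
    id: str
    product: str
    summary: str
    cvss: float
    sources: list = field(default_factory=list)
    category: str = "unclassified"
    priority: float = 0.0


def validate(raw):
    """Return (record, None) for a usable raw entry, else (None, reason)."""
    missing = REQUIRED_FIELDS - raw.keys()
    if missing:
        return None, f"missing {sorted(missing)}"
    cvss = raw["cvss"]
    if not isinstance(cvss, (int, float)) or not 0.0 <= cvss <= 10.0:
        return None, "cvss out of range"
    rec = VulnRecord(raw["id"], raw["product"], raw["summary"], float(cvss),
                     sources=[raw["source"]])
    return rec, None


def classify(summary):
    """Map a free-text summary to a coarse category via the constructed keyword table."""
    text = summary.lower()
    for category, keywords in CLASS_KEYWORDS.items():
        if any(k in text for k in keywords):
            return category
    return "unclassified"


def prioritize(record, exposure):
    """Assumed scoring rule: severity weighted by asset exposure. Products with no
    exposure entry get full weight so unknown assets are never silently deprioritized."""
    return round(record.cvss * exposure.get(record.product, 1.0), 2)


def build_database(raw_records, exposure):
    """Validate, merge duplicates by id (keeping the highest reported CVSS and
    every source), classify and score. Returns (db, rejected)."""
    db, rejected = {}, []
    for raw in raw_records:
        rec, reason = validate(raw)
        if rec is None:
            rejected.append((raw.get("id"), reason))
            continue
        if rec.id in db:
            existing = db[rec.id]
            existing.sources += [s for s in rec.sources if s not in existing.sources]
            existing.cvss = max(existing.cvss, rec.cvss)
        else:
            rec.category = classify(rec.summary)
            db[rec.id] = rec
    for rec in db.values():
        rec.priority = prioritize(rec, exposure)
    return db, rejected


def remediation_queue(db):
    """Remediation order: highest priority first."""
    return [r.id for r in sorted(db.values(), key=lambda r: r.priority, reverse=True)]


if __name__ == "__main__":
    database, rejected = build_database(RAW_RECORDS, ASSET_EXPOSURE)
    print("queue:", remediation_queue(database))
    print("rejected:", rejected)
```

The rejected list is as important as the queue: a scanner finding that arrives without a severity score is exactly the kind of record the "Validation" step exists to catch, and dropping it silently would hide a possibly real issue from the remediation team.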
Questions?
• cfennelly@tenablesecurity.com
• coley@mitre.org
• ramartin@mitre.org
• cwysopal@gmail.com
• jonathan.klein@broadridge.com
• hdm@metasploit.com
• lyger@attrition.org