Top Five Vulnerability Management Failures and Best Practices

SANS Cloud Security
13.4 thousand views - 4 years ago
We have had tools and technology to help us identify vulnerabilities for over 20 years. The Nessus project began in 1998. Qualys and Rapid7 released products shortly thereafter. Tools for identifying vulnerabilities in code were made available around the same time, with AppScan, Fortify, WebInspect, and Acunetix being just a handful of early options. The number of identification mechanisms and the maturity of tools have greatly increased over the years, yet we still struggle to eliminate vulnerabilities in our environments. Why can't we solve this seemingly simple problem? Obviously, identification is not the key to effective vulnerability management. So, what should we be doing, and what are some of the reasons we are failing? Join me as I share examples of the struggles many of my clients are facing and discuss the best practices that can help organizations avoid these failures.

Speaker Bio

David Hazar

David is a security consultant based in Salt Lake City, Utah, focused on vulnerability management, application security, cloud security, and DevOps. David has 20+ years of broad, deep technical experience gained from a wide variety of IT functions held throughout his career, including: Developer, Server Admin, Network Admin, Domain Admin, Telephony Admin, Database Admin/Developer, Security Engineer, Risk Manager, and AppSec Engineer. David is a co-author and instructor for MGT516: Building and Leading Vulnerability Management Programs, an instructor for and contributor to SEC540: Cloud Security and DevSecOps Automation, and has also developed and led technical security training initiatives at many of the companies for which he has worked.

MGT516: Building and Leading Vulnerability Management Programs
www.sans.org/cyber-security-courses/building-leading-vulnerability-management-programs/

Vulnerability, patch, and configuration management are not new enterprise security topics. In fact, they are some of the oldest security functions. Yet, we still struggle to manage security vulnerability capabilities effectively. The quantity of outstanding vulnerabilities for most enterprise organizations is overwhelming, and all organizations struggle to keep up with the never-ending onslaught of new security vulnerabilities in their infrastructure and applications. When you add in the cloud, and the increasing speed with which all organizations must deliver systems, applications, and features to both their internal and external customers, enterprise security may seem unachievable. This vulnerability management training course will show you the most effective ways to mature your vulnerability management program and move from identifying vulnerabilities to successfully treating them.

18 Cyber42 and lab exercises

SEC540: Cloud Security and DevSecOps Automation
www.sans.org/cyber-security-courses/cloud-security…

Organizations are moving to the cloud to enable digital transformation and reap the benefits of cloud computing. However, security teams struggle to understand the DevOps toolchain and how to introduce security controls in their automated pipelines responsible for delivering changes to cloud-based systems. Without effective pipeline security controls, security teams lose visibility into the changes released into production environments. SEC540 provides security professionals with a methodology to secure modern Cloud and DevOps environments. By embracing the DevOps culture, students will walk away from SEC540 battle-tested and ready to build their organization's Cloud & DevSecOps Security Program.

35 Unique, Immersive, Hands-On Labs
3 CI/CD security labs
16 AWS focused labs
16 Azure focused labs
CloudWars Bonus Challenges

SANS Cloud Security focuses the deep resources of SANS on the growing threats to The Cloud by providing training, GIAC certification, research, and community initiatives to help security professionals build, deploy and manage secure cloud infrastructure, platforms, and applications.
www.sans.org/cloud-security

Follow us on social:
Twitter: @SANSCloudSec
LinkedIn: www.linkedin.com/showcase/sanscloudsec/
Discord: www.sansurl.com/cloud-discord
YouTube: youtube.com/SANSCloudSecurity
Published 4 years ago, on 1399/04/10.
Viewed 13,410 times