Posts

Showing posts from 2018

10 Rules for Vulnerability Management

Rules for Vulnerability Management

Below is a list of items and requirements based on client discussions about delivering decent vulnerability management to clients both big and small. From visibility to API integration, from validation to developer support, the items below are what you should consider when deploying a vulnerability management program.

1. Coverage is king: depth, breadth and frequency, both authenticated and public.
2. Full stack vulnerability intelligence is key, as "Hackers don't give a Shit" where your vulnerability is.
3. Keeping pace with development. As change occurs, vulnerability management should detect and assess the changes. DevSecOps / development pipeline integration is required.
4. False positives are an evil waste of time even if handled by automation. Validation is important.
5. False negatives are evil-er. Scanner tuning is important so we don't miss anything.
6. Situational awareness is req

Coupling Breadth with Depth - Bugbounty and edgescan

Some edgescan clients, large and small, use bug bounties and our fullstack vulnerability SaaS service combined. The big players in the bug bounty market are Bugcrowd, HackerOne and Synack, and many larger enterprises run their own programs.

Breadth and Depth: Bugbounty for depth, edgescan for breadth and continuous assessment where an edgescan Advanced license is not used.

Budget and Cost: To reduce the escalating cost and effort of implementing multiple tools or programs for our clients, a joint integration between Bugbounty dashboards and edgescan's fullstack SaaS may bring together the scale and efficiency of vulnerability management web & host application scanning with the expertise of the penetration-testing community via a bugbounty in one simple solution.

Reducing duplication, validation and payouts: Joint customers of Bugbounty programs and edgescan will be able to eliminate vulnerabilities discovered & validated by edgescan from their list of offered

Client-Side Runtime Application Security Defence

At edgescan we have built a pretty good continuous fullstack vulnerability management platform and have a list of very interesting clients across many verticals such as media, gaming, medical sciences, finance, cloud etc. We do a good job of finding, validating and risk assessing vulnerabilities across the full stack, helping our clients manage and protect their systems from a security breach and reduce Bugbounty costs... More here: www.edgescan.com

An elephant in the room: Client Security

One important part of security which is a difficult "nut to crack" is client-side security: we don't know if a user is patched, is using an old insecure browser, or is infected or compromised. We have no way of knowing the "health of our users" who use our web applications. A common vector of attack is not to attack a system or service but to attack its users, given they are generally less secure. To that end the product development team have built "e

RSA San Francisco 2018 - What to expect (from edgescan)

So here we are again, RSA 2018 in San Francisco, but to be honest it is edgescan's first time to attend as a vendor. The last time I was there was in 2014, teaching 400 developers on secure application development with Jim Manico. Funnily enough things have not changed so much; the slides are here.

So what will the edgescan team be doing on our first foray into RSA as a vendor? Apart from numerous meetings with clients, partners and media, we are also flying the Irish flag and attending an "Irish Night" hosted by Enterprise Ireland and the IDA. Feel free to pop along for a pint and to meet some of the edgescan senior team.

Personally I have a slight reservation regarding the event and the industry as a whole... The problems have not changed since 2014, vulnerabilities are similar/the same, and the most common vulnerabilities discovered by our edgescan SaaS are still older variants. Many of the solutions being proposed are not solving the issue and not making even a dent i

Visibility is Key when defending the enterprise - HIDE & Seek

Enterprise cyber security can be daunting with so many systems to consider, both internal and public Internet facing. Something which on the surface seems simple is asset profiling and system visibility. Knowing what we have to secure is a good step in the right direction.

Visibility is of paramount importance. It helps us understand what we have to secure. In our experience, as an organization grows towards enterprise level, visibility reduces: more systems to secure, both physical and virtual, and more change/flux occurring more frequently. The ability to understand what systems and services (assets) are enabled and exposed to both internal users and the public Internet is key, given we cannot secure assets we are not aware of. Having visibility of your estate is important given many such assets contain sensitive organizational data or are ingress points to such data and systems, and require an adequate level of security management applied to them.

2018 Vulnerability Stats Report - Simple things make the difference.

We finally finished off the 2018 edgescan Vulnerability Stats report this week. Overall things have not changed too much, but we did a little more digging into the vulnerability data we harvested over the 12 months to December 2017. To that end we did some PCI compliance comparison, given that edgescan is a certified PCI ASV service in addition to the awesome full stack vulnerability intelligence solution it always has been.

How to improve security in a dramatic fashion? What's the biggest quick win to improve your security posture, you ask? All vulnerabilities are not created equal. We need to look at vulnerability management in a pragmatic way. It's not possible to be vulnerability-free and 100% secure, but we can aim to remove any issues which may give rise to a breach of client or organisational data. So, let's mitigate the highest risks first and not sweat the small stuff. Risk is not linear and reducing vulnerability count does not necessarily translate to s

Vulnerability Management: False Positives, False Negatives, Technical, Logical Vulnerabilities and Human Error

At edgescan, we have delivered thousands of assessments over the past years, and one topic which is both a commonly known weakness and a source of concern is accuracy of assessment. The challenge is both human and technical:

Can the technology detect security weaknesses and report accurate findings?
Can the technology avoid reporting issues that are not real? ("False Positives")
Can the technology miss critical issues and simply not report the weakness? ("False Negatives")

In addition, once an issue is reported, will the human dismiss the issue as a "False Positive" because they misunderstand or cannot reproduce the issue, resulting in a "False Negative"? The majority of commercial and open source vulnerability scanning tools cannot provide reliable results and require significant human validation, which can also fail