RSA San Francisco 2018 - What to expect (from edgescan)

By -

So here we are again, RSA 2018 in San Francisco, but to be honest its edgescans first time to attend as a vendor. The last time I was there was in 2014 teach 400 developers on secure application development with Jim manico. Funnily enough things have not changed so much, the slides are here

 So what will the edgescan team be doing on our first foray into RSA as a vendor?

 Apart from numerous meetings with clients, partners and media we are also flying to Irish flag and attending an "Irish Night" hosted by Enterprise Ireland and the IDA. Feel Free to pop along for a pint and to meet some of the edgescan senior team.

 Personally I have a slight reservation regarding the event and industry as a whole....

 The problems have not changed since 2014, vulnerabilities are similar/the same and the most common vulnerabilities discovered by our edgescan SaaS are still older variants.

 Many of the solutions being proposed are not solving the issue and not making even a dent in the metrics we see every day.

 We seem to continue to propose new types of solutions for the same problem but non of them appear to make a large impact. - Can anyone disagree that cyber security issues are now more commonplace and destructive than ever? 

 Whats old is new.... 



 At RSA, we hope to get the opportunity to explain how we can "put a dent" in the problem with fullstack vulnerability management. We've been talking about the items below since 2016 or before 

 edgescan have focused on using tried and trusted techniques albeit automation combined with human expertise and orchestrated to help scalability  without sacrificing accuracy or coverage.

 Simple things like Visibility of a users cyber-estate are now "cool", even though we had the technology for years in some form or another.

 Metrics and measurement is another weakness which, again we have the technology but its only being addressed now. - "We cant improve what we can measure".

 Delivering Penetration test reports to clients is an old tradition but needs to be replaced with API integration, Vulnerability feeds and connectivity into an organisations bug and risk tracking platforms. - New idea? I don't think so.

 So given as an industry we have not embraced the basics (above) why to we gravitate to other unproven solutions? I understand it keeps the industry buoyant and innovation is great, believe me we innovate and spend hundreds of thousands on innovation every year but lets focus on solutions that actually move the dial a little in favor of cyber security resilience and robustness.
edgescan Vulnerability Statistics Report
edgescan gartner








Comments

Post a Comment

Popular posts from this blog

Edgescan, why we do what we do.....

By -
Image
  The cyber security industry is full of solutions to make you more secure. Some are unproven and other approaches work if deployed properly. Our industry is very fragmented. for example a recent "Cyber Defense" award I noticed has 195 categories!  I suppose we need to ask ourselves as companies from time to time why we do what we do?  So, the following post is, I guess, the reason we developed Edgescan and why we believe its a decent solution to help organizations improve and be more resilient in relation to cyber security and system protection.... Vulnerability scanning alone did not work. The idea of software testing software for vulnerabilities is a good one but both sides of the equation may have bugs. Bugs in one side (The target) may result in vulnerabilities, whilst bugs on the other side (Scanner) may result in false negatives and false positives.  Accuracy : To that end we built edgescan as a combination of automation to discover vulnerabilities at scale but  when c
Read more

20 years of Vulnerability Managment - Why we've failed and continue to do so.

By -
Image
Cyber Security: Keeping Pace with Change. Getting breached can really ruin your day. Actually it normally happens on a friday evening as you are about chill for the weekend. The cause of must breaches is not rocket science, its more to do with the poor approach we have accepted because we underestimate the threat actor.  - An attacker does not scan your website/network once a quarter with a commercial or open source scanner or perform an annual penetration test against your systems to see if there is any low hanging fruit, so how do we expect to defend against such an advisory using that approach? Systems change now more frequently than ever due to the ease of cloud deployments and the speed of software deployments due to iterative development techniques. The rate of change increase results in exposures quickly manifesting and the organisation not even being aware of the exposure in the first place. Many organisations dont know what they have exposed on the public Internet. We need t
Read more
By -
Image
The HSE Data Breach and the State of Irish Cyber Security Many years ago, shortly after I founded the Irish chapter of OWASP ( http://www.owasp.org ) (in 2007??) we were delivering free application and software development classes to anyone who wanted them. It was a local low key affair but every class we delivered was "sold out". We have 60-80 folks mostly developers willing to spend 4-5 hours on learning the fundamentals of secure application development and testing. I suppose we felt cyber security was an important issue because that's what we did. At the time many folks in business felt cyber security was an overhead or a "tax" and did not give it much time. A few years later (late 2010) when the the foundation of the NCSC (National Cyber Security Centre) was announced, a few of us (local OWASP Ireland leaders) wrote a number of emails to the Irish government offering free cyber security training. As we were working for a non profit (501.3c) charity (OWA
Read more