Posts

Showing posts from August, 2015

Risk - Medieval approaches to AppSec

Image
Vulnerability management involves a little more than finding security issues in code and/or hosting systems......I find that much of the industry does not understand that vulnerability management, penetration testing, threat detection, endpoint detection, malware prevention and even anti-virus services and tools are about managing risk. Managing risk is about reducing it to a suitable level based on the cost of reducing it in the first place. There is no point in spending lots of time and effort on an issues which have little impact or which are very unlikely. Firstly what we want to to reduce the impact of the stuff which has a decent chance of occurring and would be a real pain in the ass if it happened, it would disrupt our business etc. "A situation involving exposure to danger..." So blindly throwing tools at a problem to help discover risks to your business is not going to work....but why?? Tools don't understand Risk : automated tools cannot give you an