OWASP Frankfurt’s Post

Demystification coming your way! 🚨 EPSS, Reachability Analysis, and Vulnerability Prioritization 🚨 Application security is never one-size-fits-all. 🔐 In a recent discussion, I broke down some key insights on EPSS, library usage, and reachability analysis—and how these tools can help you make smarter decisions when managing vulnerabilities. When do CVEs like Log4j or Spring4Shell get linked to libraries via EPSS? 📚 Why should you combine multiple data sets for better accuracy? 📊 Here’s the crux: while EPSS can provide exploitation evidence in specific cases, it doesn’t always tell the full story. This is where reachability analysis comes in, helping pinpoint whether a vulnerable library is in use within your environment. At Phoenix Security, we integrate both EPSS and reachability analysis to give you a more complete picture and help you prioritize what truly matters in your risk management. ⚡ 📚 Also, don’t forget to check out the latest books on Threat Modeling and Application Security that are shaping the conversation in #cybersecurity. #CyberSecurity #EPSS #VulnerabilityManagement #appsec #vulnerability

I've been a bit quiet on content recently, but there's a good reason for it! If you're interested in learning how to save years of work, millions of dollars in waste, and reduce risk while streamlining program development in CTI and Threat Management with a results-oriented approach, please reach out! I'd be happy to connect you with our F50 customers for their direct feedback. #CyberSecurity #CTI #ThreatManagement #BlueOceanStrategy #Innovation #BusinessStrategy

Attended an insightful introductory session on **Cybersecurity**, diving into the fundamentals of safeguarding digital assets and data. The session covered key topics such as risk management, threat detection, and essential best practices for maintaining a secure online environment. It also highlighted the growing importance of cybersecurity in today’s tech-driven world, addressing emerging threats and how organizations can stay resilient. Excited to apply these concepts in practical scenarios and further explore this ever-evolving field. A great step towards enhancing my knowledge and contributing to a more secure digital landscape! #Cybersecurity #DigitalSafety #RiskManagement #TechInnovation #ProfessionalDevelopment #hpLIFE

🔒 Enhance Your Insider Risk Strategy with BigSASIG! 🔒 🚀 Don't miss our workshop session: "The Evolution of Insider Risk"! 📅 Date: 23 April, 2024 🕒 Time: 10:00 - 10:30 Join us as we explore the changing landscape of insider risk and discover more effective approaches to mitigating this growing threat. Led by Darren Jones from DTEX Systems, this session will cover: 📈 Trends in insider incident costs, frequency, and containment time 🔍 The limitations of traditional DLP and surveillance platforms 💡 A data-driven approach focusing on human behavior and intent 🛡️ Detecting, deterring, and disrupting high-risk activities Discover how leveraging data-driven science can dramatically reduce your organization's risk posture and prevent insider incidents from occurring! Secure your spot now and register for #BigSASIG: https://lnkd.in/ewMpJ7Dd #CyberSecurity #CyberThreats #CyberSecurityAwareness #DataProtection 

#informationsecurity #itsecurity #cybersecurity #cybersecurityawareness #learneveryday This Tenable "Introduction to Tenable Vulnerability Management" course consists of a series of short on-demand videos providing the fundamental building blocks to deploy, configure and use Tenable’s cloud-based solution for vulnerability management. You will learn the basics of how to install, configure and use the Tenable.io platform. Topics covered include installation and configuration, asset discovery, vulnerability and compliance assessment, analysis, using workbenches and dashboards, and accepting and recasting risk.

#readingRadar: 1. Johnson, Leighton, Security Controls Evaluation, Testing, and Assessment Handbook, Elsevier Science;Syngress is an imprint of Elsevier, 2019. - 2. Davis, Robert E., Auditing Information and Cyber Security Governance: A Controls-Based Approach, CRC Press, 2024. How can the managerial, operational, and technical security controls of an organisation be tested? How to know whether the controls are implemented correctly, operating as intended and producing the desired outcome? You may tackle these questions by diving right into the NIST800-53 revision 5, spreadsheet, containing hundreds of controls [1], yet it is also beneficial to have these two books as companions. I like Robert Davis' approach, which is to understand controls in the broader context of an information governance landscape. Such a landscape can be complex as it generally consists of multiple interdependent stakeholders and systems, which often require diverse methodologies and interfaces - think of management, engineers, regulators, customers and so on. So you want to be able to answer the "why" of a particular control or control set, before diving into the "how". While Davis' book may consist of almost 300 pages of rather dry reading, the insights it provides are surprisingly valuable. It offers a 'balcony view' of control management, enabling first-principle thinking in the governance landscape. Such a perspective is instrumental in prioritizing and managing the often overwhelming amount of controls and control enhancements. With Davis' systemic knowledge in the back of your head, it's down to the practical hands-on approach given by Leighton Johnson. The book provides an almost cooking-style recipe approach to control management, mainly focussed on NIST800-53 (in version 4). It includes valuable templates for control testing and evaluation.    [1] https://lnkd.in/eEUZ-2aV   #SecurityControlTesting #InformationGovernance #NISTFramework

Today, Martin Prpic, FIRST Member and Principal Security Engineer at Red Hat, highlighted the importance of accurate security data for vulnerability management and risk assessment in his presentation, “CSAF/VEX: Improved Security Data.” He dove deep into Red Hat's implementation of CSAF/VEX and how it correlates with product SBOMs. Key takeaways included: ✅ Benefits of machine-readable security metadata ✅ Red Hat's approach to CSAF/VEX ✅ Integrating CSAF/VEX data into SDL processes ✅ Leveraging SBOM and CSAF/VEX synergies ✅ Challenges and roadmap for future enhancements This talk was particularly beneficial to PSIRT professionals and those working in vulnerability management. If you missed it live, stay tuned for the replay. #CyberSecurity #SBOM #VulnCon2024 #VulnerabilityManagement

🛡 Day 3 at BCAD-Accelerated: Incident Classification and Prioritization! Today, I explored the critical aspects of incident classification and prioritization in the BCAD-Accelerated program by BlackPerl DFIR. Here's a summary of what I've learned: • Incident Classification: Explored various types of security incidents, including malware infections, unauthorized access, denial of service attacks, data breaches, and social engineering attacks. Identified incident impact levels categorized as high, medium, or low. Learned about incident severity levels ranging from critical to low, based on the potential harm and consequences. • Incident Prioritization: Understood the factors involved in incident prioritization, such as impact assessment, urgency, criticality, risk assessment, and alignment with business and operational priorities. → Understanding incident classification and prioritization is critical for effectively managing cybersecurity incidents and allocating resources where they are needed most. Excited to continue learning and enhancing my skills in the days ahead! Stay tuned for more updates! #BCAD #Cybersecurity #BlueTeam #DFIR #SecOps #CloudIR #CyberDefense #SIEM #SOC #Detection

We have two exciting Common Security Advisory Framework (CSAF) events coming up in Munich! These sessions are for everyone from beginners to seasoned practitioners, focusing on critical skills like CSAF advisory creation, automation, and vulnerability management. The CSAF Workshops (9-12 December) will offer hands-on exercises and industry insights, and you’ll be able to walk away with the skills to implement CSAF within your organization. https://lnkd.in/ehnXj58v CSAF Community Days (12-13 December) will offer sessions tailored for CSAF users and developers. Connect, network, and, learn about the latest in vulnerability disclosure standards. https://lnkd.in/eH9Kga_t #cybersecurity #openstandards #oCSAF