ISSA-LA InfoSec Summit XI

In today’s environment, people can be anywhere, using any device, accessing applications both in the cloud and in the datacenter. The temptation with such complexity is to say “trust no one,” but savvy consumers won’t stand for heavy-handed IT that slows them down just as business is becoming more agile. The #YOLO challenge -- You Only Login Once -- is the call to make trusted access easier, while maintaining or increasing security as needed.

Hear from the highest Law Enforcement person in the SoCal region.

There is a serious misalignment of interests between Application Security vulnerability assessment vendors and their customers. On the surface you can see it within the pages of any Application Security vulnerability statistics report, where they state that the vast majority of websites contain serious issues — averaging dozens (SQL Injection, Cross-Site Scripting, Cross-Site Request Forgery, etc).  Their data also shows only half of those reported vulnerabilities ever get fixed and takes months. The data itself is not in dispute, these are legitimate vulnerabilities, but underneath there’s a secret: Vendors are incentivized to report everything they possible can, which they use to impress and win deals, even issues those vulnerabilities rarely matter. As a proof point, the vast majority of those ‘serious’ website vulnerabilities are simply NOT being exploited. Why is that?

Conversely, customers just want the vulnerability reports that are likely to get them hacked. Every finding beyond that is a waste of time, money, and energy, which is precisely what everyone is currently experiencing. If attackers really aren’t finding, exploiting, or even caring about these vulnerabilities as we can infer from the supplied data — the value in discovering them in the first place becomes questionable.