This talk will draw from multiple research projects we’ve done across a spectrum of security domains, from weaknesses in software development, to patching strategies and defensive measures, and finally data breaches. We’ll start with an examination of software development, and dive into how organizations fix flaws, what can contribute to security debt, and how proactive developers can reduce the density of flaws in their apps. Then we’ll follow vulnerabilities in products as we move on to enterprise vulnerability management. We’ll show how to create objective measures of vulnerability remediation performance and highlight practices of high-performing orgs. We’ll then look at what we can learn about the risk surface of an organization from outside measurement. We’ll tackle whether cloud deployment is more secure than on-prem (it depends, but in interesting ways). Finally, we’ll investigate data breaches, and show that even if your network isn’t breached, the impact of a partner’s breach could be just as devastating. All the results in this talk are grounded in real-world data, derived from organizations facing daily security challenges.
- Scanning applications for flaws frequently during development reduces security debt.
- Setting vulnerability remediation deadlines increases patching velocity.
- Increasing cloud deployment can reduce security issues, to a point.
- Third-party relationships are as important as your own security.
About Benjamin Edwards
Dr. Benjamin Edwards is a Senior Data Scientist at the Cyentia Institute. He received his Ph.D. from the University of New Mexico with a research focus that blended the fields of security, data science, and complex systems. His work has led to a better understanding of global attack trends, the effects of security interventions, and even nation-state cybersecurity policy. Before joining the Cyentia Institute he was at IBM Research, where he applied advanced machine learning techniques to solve real-world security problems and shaped the next generation of analytical security models. At Cyentia, Dr. Edwards advances knowledge of security risk, vulnerability management, secure software development, and data breaches through rigorous analysis and visualization of unique data sets.
About Jay Jacobs
Jay Jacobs is a co-founder and chief data scientist at Cyentia Institute, a research firm dedicated to advancing the state of information security knowledge and practice through data-driven research. Jacobs also hosts the Cyentia Podcast and is the co-author of Data-Driven Security, a book covering data analysis and visualizations for information security.