Since Heartbleed, the (in)security of third-party libraries has taken center stage in infosec thanks to the follow-up releases of Shellshock, POODLE, and FREAK, each causing vendors to scramble to investigate and remediate flaws in third-party libraries. Clearly, vulnerability counts and patch frequency are just the beginning of evaluating product and library security. Days of Risk (DoR) analysis starts at public disclosure of a vulnerability, but doesn't account for the time from initial discovery through fix availability, which could be months. We analyze the risks that are created by the extended Time of Exposure that DoR does not address. Learn how metrics can assist in the evaluation of vendors and products, and provide a scorecard for organizations to understand their effectiveness in managing vulnerabilities.
This presentation will also share case studies of companies who took action in 2014 to get ahead of third-party patch whack-a-mole, and provide concrete actions security practitioners can take to mitigate risk in their environments.
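To make the distinction between the two metrics concrete, the following is an added example, not code from the talk or from Risk Based Security. It assumes the definitions implied by the abstract: Days of Risk runs from public disclosure to fix availability, while Time of Exposure runs from initial discovery to fix availability, so the gap between the two is the pre-disclosure window that DoR never counts. The vulnerability records, vendor names and dates are constructed sample data; a vulnerability with no fix yet is scored up to an "as of" date so that unpatched issues keep accumulating exposure instead of dropping out of the scorecard.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability timeline. 'fixed' is None while no patch is available."""
    vuln_id: str
    vendor: str
    discovered: date   # initial discovery (e.g. researcher or vendor internal)
    disclosed: date    # public disclosure
    fixed: Optional[date]

    def __post_init__(self) -> None:
        # Sanity checks: a record cannot be disclosed or fixed before it was found.
        if self.disclosed < self.discovered:
            raise ValueError(f"{self.vuln_id}: disclosed before discovered")
        if self.fixed is not None and self.fixed < self.discovered:
            raise ValueError(f"{self.vuln_id}: fixed before discovered")


def _exposure_end(v: VulnRecord, as_of: date) -> date:
    """Exposure ends at fix availability, or is still running as of the report date."""
    return v.fixed if v.fixed is not None else as_of


def days_of_risk(v: VulnRecord, as_of: date) -> int:
    """Classic DoR: public disclosure -> fix availability (0 if the fix shipped with disclosure)."""
    return max(0, (_exposure_end(v, as_of) - v.disclosed).days)


def time_of_exposure(v: VulnRecord, as_of: date) -> int:
    """Extended metric: initial discovery -> fix availability."""
    return (_exposure_end(v, as_of) - v.discovered).days


def hidden_exposure(v: VulnRecord) -> int:
    """The window DoR ignores: discovery -> public disclosure."""
    return (v.disclosed - v.discovered).days


def scorecard(records: List[VulnRecord], as_of: date) -> Dict[str, Dict[str, float]]:
    """Per-vendor averages of both metrics plus the count of still-unfixed issues."""
    by_vendor: Dict[str, List[VulnRecord]] = {}
    for v in records:
        by_vendor.setdefault(v.vendor, []).append(v)
    result: Dict[str, Dict[str, float]] = {}
    for vendor, vs in sorted(by_vendor.items()):
        result[vendor] = {
            "count": len(vs),
            "unfixed": sum(1 for v in vs if v.fixed is None),
            "mean_dor": round(mean(days_of_risk(v, as_of) for v in vs), 1),
            "mean_toe": round(mean(time_of_exposure(v, as_of) for v in vs), 1),
            "mean_hidden": round(mean(hidden_exposure(v) for v in vs), 1),
        }
    return result


# Constructed sample data (hypothetical vendors and dates, not real advisories).
AS_OF = date(2014, 6, 1)
SAMPLE: List[VulnRecord] = [
    VulnRecord("V-1", "VendorA", date(2014, 1, 10), date(2014, 3, 1), date(2014, 3, 8)),
    VulnRecord("V-2", "VendorA", date(2014, 2, 1), date(2014, 2, 15), date(2014, 2, 20)),
    VulnRecord("V-3", "VendorB", date(2014, 4, 1), date(2014, 4, 1), None),  # still unpatched
]

if __name__ == "__main__":
    for vendor, row in scorecard(SAMPLE, AS_OF).items():
        print(vendor, row)
```

On this data VendorA looks good by DoR alone (about six days from disclosure to fix) but averages over a month of hidden pre-disclosure exposure, which is exactly the gap the abstract says DoR analysis misses; VendorB's unfixed issue keeps growing in both metrics until a patch date is recorded.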
Jake Kouns is the CISO for Risk Based Security, which provides vulnerability and data breach intelligence, and he also oversees the operations of OSVDB.org and DataLossDB.org. Mr. Kouns has presented at many well-known security conferences including Black Hat, DEF CON, CISO Executive Summit, EntNet IEEE GlobeCom, FIRST, CanSecWest, RSA, SOURCE, SyScan and many more. He is the co-author of the books Information Technology Risk Management in Enterprise Environments (Wiley, 2010) and The Chief Information Security Officer (IT Governance, 2011). He has briefed DHS and the Pentagon on cyber liability insurance issues and is frequently interviewed as an expert in the security industry by Information Week, eWeek, Forbes, PC World, CSO, CIO and SC Magazine. He has appeared on CNN as well as the Brian Lehrer Show and was featured on the cover of SC Magazine. He holds both a Bachelor of Business Administration and a Master of Business Administration with a concentration in Information Security from James Madison University. In addition, he holds a number of certifications including ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.