I Dream of Federation

15 07 2009

…And so does @rybolov. I don’t often do this, but the latest post on the Guerilla CISO blog is worth a re-post. Go check it out here. I have been talking about this a lot lately. SCAP is still coming into its own but has a lot of promise in helping security teams automate much of the vulnerability management and patching pains they experience today.

Of course we’ll be watching these guys closely as well. =)





March Events

12 02 2009

Just a quick post to let you know of two events I’ll be participating in next month.

On March 5th, OWASP SnowFROC is holding its second annual application security conference in Denver, Colorado. This promises to be a great event with a ton of good content and speakers. I’m honored to participate in this again and I’d like to thank David, Kathy and all the organizers for including me. The conference itself is free thanks to the sponsors, so no excuse for you not to attend. SecTwits, break out the RV and come on out!

I hope to shed some light on some of the vulnerability management automation I’ve been working on. Good things to come. Check out the lineup here.

Three weeks later on March 26th, I’ll be giving a presentation at CSO Online’s DLP event at the Palmer House Hilton here in Chicago. My talk is first up (Note to Self: Extra Coffee!) on the use of penetration testing in a large web-based environment. Should be pretty fun given all the “pen testing is dead” memes going around the net in the past couple months.

Thanks to Bill Brenner and Lafe Low for the invite and coordination of the event.

The lineup for the CSO event can be found here. You can register for it here.

Hope to see you next month!





Where are my web sites?

8 06 2007

Jeremiah Grossman had an interesting post the other day about creating an inventory of a company’s existing web sites. Many people I speak with are surprised that this can be a difficult task for many medium and large businesses.

This is not nearly as simple as an inventory of domains owned as most of these companies have many more domains than actual sites (brand protection, squatting prevention, etc.). Often a large corporation will own thousands of domains. Also, there may be many subdomains representing different sites, read mail.google.com, www.google.com, code.google.com, etc.

You’ll also need to determine what sites are real versus a simple redirect. An oversimplified example of this would be www2.google.com redirecting users to www.google.com. This task can be complex with a large number of subdomains, many created for search engine optimization (SEO) purposes.
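As an added illustration (not code from the original post, and not from Jeremiah’s), here is how the "real site versus simple redirect" sort could be scripted once you have a list of hostnames pulled from your domains and subdomains. The hostnames under `example.com` and the probe results are constructed for the example; only the optional `probe()` helper touches the network, and it uses nothing beyond the standard library. A hostname that redirects to a different host is treated as an alias of that host; one that only bounces from http to https on the same name, or to a path on itself, still counts as a site you need to test.

```python
"""Classify hostnames from a domain inventory as live sites, aliases or dead.

Added example, not the original post's code. The sample hostnames and probe
results below are constructed; only probe() performs real HTTP requests.
"""
from __future__ import annotations

import http.client
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Probe:
    """What one HEAD request to a hostname returned (status None = no answer)."""
    host: str
    status: Optional[int]            # HTTP status code, None if unreachable
    location: Optional[str] = None   # Location header on 3xx responses


def redirect_target_host(location: str, origin: str) -> str:
    """Hostname a Location header points at; relative URLs stay on origin."""
    parts = urlsplit(location)
    return (parts.hostname or origin).lower()


def classify(p: Probe) -> str:
    """Map a probe result to an inventory category.

    'dead'         - no DNS/TCP/HTTP answer at all
    'site'         - serves content, or only redirects to itself
                     (http -> https on the same host, or to a path)
    'redirect:<h>' - alias that hands users off to a different host <h>
    """
    if p.status is None:
        return "dead"
    if 300 <= p.status < 400 and p.location:
        target = redirect_target_host(p.location, p.host)
        if target != p.host.lower():
            return f"redirect:{target}"
    return "site"


def probe(host: str, timeout: float = 5.0) -> Probe:
    """Issue one HEAD request over HTTPS, falling back to plain HTTP."""
    attempts = ((http.client.HTTPSConnection, 443), (http.client.HTTPConnection, 80))
    for conn_cls, port in attempts:
        try:
            conn = conn_cls(host, port, timeout=timeout)
            conn.request("HEAD", "/")
            resp = conn.getresponse()
            return Probe(host, resp.status, resp.getheader("Location"))
        except (OSError, http.client.HTTPException):
            continue
    return Probe(host, None)


def inventory(probes: list[Probe]) -> dict[str, list[str]]:
    """Group hostnames by category so the real sites can be scheduled for testing."""
    out: dict[str, list[str]] = {"site": [], "dead": [], "redirect": []}
    for p in probes:
        cat = classify(p)
        if cat.startswith("redirect:"):
            out["redirect"].append(f"{p.host} -> {cat.split(':', 1)[1]}")
        else:
            out[cat].append(p.host)
    return out


# Constructed sample results standing in for real probe() output.
SAMPLE = [
    Probe("www.example.com", 200),
    Probe("www2.example.com", 301, "https://www.example.com/"),   # alias of www
    Probe("shop.example.com", 301, "https://shop.example.com/"),  # http -> https only
    Probe("promo-2007.example.com", 302, "/landing"),             # relative: same host
    Probe("old-brand.example.net", None),                         # nothing answers
]

if __name__ == "__main__":
    for cat, hosts in inventory(SAMPLE).items():
        print(cat, hosts)
```

To run it against a real list, replace `SAMPLE` with `[probe(h) for h in hostnames]`; the "redirect" bucket then tells you which names are pure aliases, and the "site" bucket is the set that actually needs vulnerability testing.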

Take a look at Jeremiah’s post. It’s good advice and a very necessary first step to finding your application vulnerabilities.

