Broken glass

Earlier last month NIST released a draft copy of CyberSecurity White paper titled “Mitigating the risk of Software Vulnerabilities by adopting a Secure Software Development Framework [SSDF]” for comments. The paper highlights how few software development lifecycle [SDLC] models explicitly address software security in detail and it recommends a core set of high-level secure software […]

What are reserved CVE’s ? Reserved CVE’s are NVD records for confirmed vulnerabilities with little to no information. In most cases there is no information available. ThreatWatch’s prediction model, “Coeus“ goes through all the related information about these CVE like attack vector type, social chatter and vendor advisories, and arrives at a CVSS vector and […]

Priority

The number of vulnerabilities being reported has just been growing over the years. The below chart help depict how the count of vulnerabilities has grown significantly (though not yet exponentially) over the recent years. Note it is apparent from the chart how ThreatWatch provides better overall vulnerability intel coverage, apart from standard sources like NVD. […]

If not, then you should be…and here’s why. Most organizations leverage clouds providers (like AWS, Azure, etc.) extensively these days. Typically public cloud is an integral part of the overall roadmap, with most organizations having some form of a hybrid model. The hybrid model involves a private cloud (internal managed data center) along with a […]

Energy is the all pervasive fuel which drives world economies. It is no wonder that hackers regularly target energy sector companies to cause massive disruption. In a report titled “The road to resilience: managing cyber risks”, Christoph Frei, Secretary General, World Energy Council said the following: Cyber threats are among top issues keeping energy leaders […]

Most organizations face challenges with prioritizing risk from a new vulnerability or threat. At times, late breaking threats do not provide a severity assessment. The standard way to identify the key characteristics of a threat is using CVSS (Common Vulnerability Scoring System). CVSS provides a Vector (based on key dimensions / attributes of the threat […]

  Lately I have been going through recorded sessions from RSA Conference 2019. Thanks RSA for making these recordings available. This particular session “In the wake of an attack – Thoughts from a seasoned CISO” caught my attention and I listened to its playback. It is around 45 minutes for those of you who are […]

Recently the industry has seen a trend where organizations are moving rapidly to integrate vulnerability detection tools as part of their CI / CD environments. That’s a step in the right direction only if the risks that emanate out of those integrations are carefully considered and mitigated. Unfortunately we don’t see much evidence of due […]

[Credits: Photo by rawpixel.com from Pexels] With the internet, things are moving at an alarmingly fast pace. This equates to increased attack surface and phenomenal increase in the number of vulnerabilities out there. Industries are trying to keep up. Evidently one industry which is struggling to keep the pace is Healthcare. In the healthcare industry, the […]

United States Senate Permanent Subcommittee on Investigations recently published a report titled “How Equifax neglected cybersecurity and suffered a devastating data breach“. It details out what aspects contributed to the data breach at Equifax and how Equifax’s competitors (TransUnion and Experian) were able to successfully mitigate the threat. The report is around 71 pages long and […]