Lessons Learned from Large-Scale Security Assurance


Details
This month we welcome William Jardine from MWR InfoSecurity to present his insights into how large companies are carrying out security assurance at scale. No matter how big your organisation, this talk should give you some ideas to take back to your team to try out, as well as an understanding of how the nature of security testing will likely need to adapt as your organisation grows.
Doors at 6pm, talk starts at 6:30 followed by some networking.
More and more, we hear clients complaining about problems of scale: thousands of new apps a year, not knowing exactly what they own, and an inability to do vulnerability management effectively. A lot of the work we've been involved in over the last 12 months has been looking at these sorts of problems. This talk shares some insights learned from that work, some suggestions for ways to tweak security assurance programmes to address these issues, and ways you can potentially start applying those ideas yourself. Some key thinking points:
- Pentest scoping is broken.
- Do you know everything you own?
- Tooling is nice. But knowing the business context of your assets is better.
- Threat modelling doesn't necessarily have to mean STRIDE.
- Are you reporting and tracking vulnerabilities that you don't care about or don't intend to fix? In other words, are you focusing on disparate 'vulnerabilities' rather than tangible business risk?
Not all these ideas are going to be relevant for everyone. But if you're struggling with security-at-scale and have a high number of assets, there should hopefully be some useful things for you to take away and think about.
Speaker Bio
William Jardine is a Senior Security Consultant at MWR InfoSecurity. Previously, Will's focus in security has ranged from ICS/SCADA to Hadoop/Big Data technology to general AppSec. More recently, Will has been looking at problems of scale in security, which is where the roots of this talk come from.
This will be an excellent talk, one not to miss. We hope to see you there.
