CVE, CVSS, and The Land of Broken Dreams


Details
Agenda:
It's November and we're back to our regular format! We'll be heading back to Liverpool Street for our session on the death of CVSS. There will be drinks, chats and some serious truth bombs.
18:00 - Doors open
18:15 - Intros
18:30 - Lightning Talk - Murat Lostar
19:00 - Main Event - Francesco Cipollone
Followed by a trip to the nearest pub for a chat
Lightning Talk Abstract:
Best Effort Security Testing & Decision Making (BESTdm)
BESTdm helps security decision makers choose which security testing methodology to use (such as software-based DAST and SAST, pen testing, or bug bounty) and make the go/no-go decision to release a product with known bugs. BESTdm uses relatively basic parameters: the application's risk/severity level, the change size/scope of the current release, and finally the severity of the bugs found.
Speaker bio:
Murat Lostar
Murat is a cyber-security enthusiast, entrepreneur, co-founder of Bugbounter and founder of Lostar Information Security. He started his career as a software developer in 1986. Murat Lostar specialized in information security, IT governance and business continuity. Previously, he taught courses in information security, forensics, network security, etc. at several universities. On the NGO side, Murat is the founding ex-president of the ISACA Istanbul Chapter and founding president of the Cloud Security Alliance Turkey Chapter. Outside of work, you can find him cruising and racing on a sailboat, or talking about cyber security on Acid Radio (FM 95.0 and online; unfortunately in Turkish).
Main Talk Abstract:
CVE, CVSS, and the land of broken dreams
Context is king; prioritization is queen, and CVSS is dead. Stop your tiers and start with a risk approach and a contextual view of vulnerabilities.
Vulnerability tooling is increasing, security advisories are faster, and teams are leaner. Have we lost the battle against vulnerabilities? Are shift-left and the view that 'security is everyone's problem' working?
We present a risk and cyber quantification view of vulnerabilities across cloud, application and infrastructure, addressing modern approaches to cybersecurity from the point of view of the product security team.
We will walk through several use cases that show how context, prioritization, probability and impact analysis can be used to decide which vulnerability to fix first.
Speaker bio:
Francesco Cipollone
Francesco is a seasoned entrepreneur, CEO of the application security risk-based posture management company Appsec Phoenix, author of several books, host of the multi-award-winning Cyber Security & Cloud Podcast, speaker, and well known in the cybersecurity industry and recognized for his visionary views. He currently serves as Chapter Chair UK&I of the Cloud Security Alliance. Previously, Francesco headed up application and cloud security at HSBC and was a Senior Security Consultant at AWS. Francesco has keynoted at global conferences and has authored and co-authored a number of books. Outside of work, you can find him running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of his favourite London clubs.