We recently sat down with Dan Guido, CEO and Co-Founder of Trail of Bits, at SOURCE Boston 2012 to get his views on topics related to application security. In the first of a three-part segment, Dan's commentary focuses on vulnerabilities in general. You can watch the interview here.
We've also included a short recap of the highlights of the interview in this post.

How can organizations better communicate around vulnerabilities?

Dan details the behavioral problem that exists in most organizations today when vulnerabilities are found in software. He notes that organizations are very concerned about individual vulnerabilities, but not as much about the reasons why those vulnerabilities exist. Dan notes that mitigation efforts should be focused on classes of vulnerabilities, not on the individual vulnerabilities that are found.

Which vulnerabilities matter most on the web?

Dan talks about the disparity between the vulnerabilities that the security industry focuses on and the vulnerabilities that hackers care about. He goes on to mention that the vulnerabilities that matter most on the web are the ones that gain the hacker a shell on a server, like SQL Injection or remote command execution.

Should different businesses focus on different vulnerabilities?

Dan focuses on the vulnerabilities organizations should care about, depending on the type of business model they use. For instance, a service provider whose customers have individual user accounts, or a social networking website like Facebook, should care about Cross-site scripting (XSS). On the other hand, SQL Injection attacks have increased in frequency and should be on every organization's watch list.

Stay tuned for more sessions with Dan Guido, which we will be showcasing next week on our blog.