Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity

    Core Security Effort Aims to Improve Firms’ Handling of Software Flaws

    By
    Robert Lemos
    -
    August 6, 2014
    Share
    Facebook
    Twitter
    Linkedin
      Black Hat security conference

      LAS VEGAS—When security teams patch software vulnerabilities in their systems, they too often focus on the wrong issues, patching the holes that are easiest to fix rather than fixing the flaws that are most likely to be the focus of attackers.

      To help companies improve their handling of software flaws, vulnerability management firm Core Security will release, at the Black Hat security conference here this week, a model for companies to analyze their ability to properly patch software insecurities and a roadmap to improve their response. The model can be used by information security professionals to avoid data overload and better prioritize their vulnerability remediation efforts based on which flaws most threaten their business, Eric Cowperthwaite, vice president of advanced strategy at Core Security, told eWEEK.

      “If you are a typical CISO [chief information security officer] and you have five or six staff, do you focus broadly on your entire security surface, or do you focus on what is important?” he said, adding that companies that take a more mature approach to software patching will be more secure. “By approaching the problem this way, there will be less vulnerabilities available for the bad guys to use.”

      Core Security’s vulnerability management maturity model classifies a company’s response into one of six levels, from firms with nonexistent programs to those organizations capable of managing an attack. The third level, for example, is where IT security professionals are meeting compliance obligations, beginning to work with IT operations and tracking metrics, but perhaps not the right ones.

      The document, which Cowperthwaite has been developing using his experience as a former CISO for a large health care provider, also offers guidance for improving a company’s vulnerability management processes. Companies that want to move beyond compliance, for example, should focus on meaningful metrics, create formal processes and use penetration testing to support their vulnerability management program.

      In many ways, the model is part of a movement in the security industry to educate security professionals on best practices in security. The Building Security In Maturity Model (BSIMM), for example, is a study of the security processes at nearly 70 companies and acts as a guide for businesses that want to compare their security processes to other firms.

      The maturity models also contradict the trend of equating security with buying security products, Cowperthwaite says.

      “One reason that we are putting out a maturity model on vulnerability management is because there is more to fixing your vulnerability problems than buying a new product,” he said. “Changing the culture of a company is more powerful than buying a new firewall.”

      The vulnerability management maturity model will be released later this week at the Black Hat conference, Cowperthwaite said.

      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Careers

      SThree’s Sunny Ackerman on Tech Hiring Trends

      James Maguire - June 9, 2022 0
      I spoke with Sunny Ackerman, President/Americas for tech recruiter SThree, about the tight labor market in the tech sector, and much needed efforts to...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×