Tag: vulnerability management

In this series, we examine how the reality of a security program differs from the perception some security practioners hold. To do this, we’re focusing on four specific gaps that can weaken security defenses and instigate security incidents. For example, consider the rising number of cloud breaches caused by engineers disabling basic access control, either…

Read More

In this list, we don’t see any of the significant factored software types, so there are no weights to add here. Calculating the Likelihood of Exploitation of a Vulnerability Now that we have all our factors and weights, we can do some simple math in a spreadsheet.  Factor Weight Base -6.18 Web related 0.06 Reference…

Read More

On Tuesday, December 8th, 2020, FireEye, a leading cybersecurity firm used by governments and companies for penetration testing and forensic services announced that it had been the target of an attack by nation-state actors “with top-tier offensive capabilities,” and that a suite of tools used by FireEye for penetration testing had been stolen. What do…

Read More

APIs and Sectors As more APIs are published, both by large enterprises who want to make their data more available (such as Google) and by smaller, industry-specific organizations hoping to generate value, some interesting industry patterns are also emerging. Of the organizations for which we had sector information, social networking organizations made up the largest…

Read More

If we think about vulnerabilities in this way, as a matter of action signaling, then malicious actors are, in their own malicious way, members of our audience. Applications are engineered to function, but they are designed to signal. The specific ways we design apps tell our audience how we expect them to act. When we…

Read More

Why does vulnerability management fail? There are a couple of reasons: Enterprise IT teams can’t keep up with all the vulnerabilities because secure coding hasn’t been, and still isn’t, a priority across all organizations that write software. In a recent F5 security event where 300 participants responded to live polling, 21% of respondents said they…

Read More

Executive Summary & Key Takeaways As security professionals, we often live and die by the release cycle of the latest vulnerabilities. In this report, sponsored by F5 Labs, we take a step back and examine the universe of vulnerabilities (defined by the CVE) and how it’s changed in the last 20 years. As you will…

Read More

We are excited to announce that F5 Labs has become a data partner of the Exploit Prediction Scoring System (EPSS). The Internet-wide scanning and attempted exploitation activity that makes up our Sensor Intel Series also happens to be good training data for the machine learning system under EPSS’ hood. F5 Labs wrote about EPSS in…

Read More