Since Heartbleed, the (in)security of third-party libraries has taken center stage in infosec thanks to the follow-up releases of Shellshock, POODLE, and FREAK, each causing vendors to scramble to investigate and remediate flaws in third-party libraries. Clearly, vulnerability counts and patch frequency are just the beginning of evaluating product and library security. Days of Risk (DoR) analysis starts at public disclosure of a vulnerability, but doesn't account for the time from initial discovery through fix availability, which could be months. We analyze the risks created by this extended Time of Exposure that DoR does not address. Learn how metrics can assist in the evaluation of vendors and products, and provide a scorecard for organizations to understand their effectiveness in managing vulnerabilities.
This presentation will also share case studies of companies who took action in 2014 to get ahead of third-party patch whack-a-mole, and provide concrete actions security practitioners can take to mitigate risk in their environments.