Speaker

Francesco Cipollone

Appsec Monkey

London, United Kingdom

Francesco is a seasoned entrepreneur, CEO of Phoenix Security (a context-based, code-to-cloud vulnerability management platform), author of several books, host of the multi-award-winning Cyber Security & Cloud Podcast, and a speaker known in the cybersecurity industry and recognised for his visionary views. He is on the board of the UK&I Cloud Security Alliance chapter and is a professor at IANS on application security and cloud security. Previously, Francesco headed HSBC's application and cloud security and was a Senior Security Consultant at AWS. Francesco has keynoted at global conferences and has authored and co-authored several books and whitepapers; outside of work, you can find him running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskies in one of his favourite London clubs.

Area of Expertise

  • Finance & Banking

Topics

  • Cybersecurity
  • Application Security
  • Product Security
  • Vulnerability Management

WTH is reachability analysis and why do I have 5? Is reachability analysis actually useful?

Mastering Reachability Analysis: Redefining Product Security, Bridging Application Security and Cloud Vulnerability Management

Reachability analysis is complex, and there are at least five different kinds of it. Which of them is actually useful and applicable to you?

As appsec and operational security merge into prodsec, appsec is becoming more complex: containerized environments and intricate architectures mean that traditional vulnerability management and application security have reached their limits. Security teams are overwhelmed by alerts, many of which pose no real threat. Enter reachability analysis: an approach to vulnerability prioritization that filters out noise and highlights the vulnerabilities an attacker can actually get to.

Key Discussion Points:
1. What Is Reachability Analysis and what is ASPM?

2. The Five Types of Reachability Analysis:
• Code Reachability Analysis: determining whether the application's own code contains a path from an entry point to the vulnerable code, so the weakness is not just present but callable.
• Library Reachability Analysis: assessing whether the vulnerable functions of a third-party dependency are actually invoked by the application, rather than the dependency merely appearing in the SBOM.
• Container Reachability Analysis: determining whether vulnerable packages in a container image are loaded or executed by the running workload, or are just baked into the image.
• Static Reachability Analysis: deriving the above from source code, build artefacts and the dependency graph, without executing the application.
• Runtime Reachability Analysis: observing which vulnerable code, libraries and packages are actually executed in the live environment, through instrumentation or runtime agents.

3. Challenges in Implementing Reachability Analysis
4. Leveraging Context and AI where it makes sense
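The distinction above between a dependency being present and a vulnerable function being reachable is easiest to see on a small call graph. The following Python script is an added example, not code from the talk or from any vendor product: the call graph, the SBOM and the advisory identifiers (ADV-000x) are all constructed here so it runs offline. A real tool would build the graph from source or bytecode and take the vulnerable symbols from an advisory database; the graph traversal is the part that does not change.

```python
"""Toy static library-reachability analysis over an application call graph.

Added example. Call graph, dependency list and vulnerable symbols are
constructed for illustration; the advisory ids are hypothetical.
"""
from collections import deque

# Constructed call graph: caller -> callees. Third-party code is written as
# "package:function" so library reachability is visible at a glance.
CALL_GRAPH = {
    "main": ["http_handler", "admin_cli"],
    "http_handler": ["parse_request", "render"],
    "parse_request": ["yamlx:safe_load"],
    "render": ["tmpl:render_string"],
    "admin_cli": ["import_config"],
    "import_config": ["yamlx:load"],   # unsafe loader, only reachable via the CLI
    "unused_helper": ["imgx:decode"],  # dead first-party code, never called
}

# Constructed advisories: vulnerable symbol -> hypothetical advisory id.
VULNERABLE_SYMBOLS = {
    "yamlx:load": "ADV-0001",          # unsafe deserialisation
    "imgx:decode": "ADV-0002",         # memory corruption in image decoder
    "tmpl:render_string": "ADV-0003",  # template injection
    "pickx:loads": "ADV-0004",         # package not even in the build
}

# Constructed SBOM: third-party packages present in the build.
DEPENDENCIES = {"yamlx", "imgx", "tmpl", "logx"}


def reachable_from(entry_points, graph):
    """Set of nodes reachable from the given entry points (BFS)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def shortest_path(entry, target, graph):
    """One shortest call path from entry to target, or None. This is the
    evidence a developer needs to believe the finding."""
    parents = {entry: None}
    queue = deque([entry])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parents[node]
            return path[::-1]
        for callee in graph.get(node, []):
            if callee not in parents:
                parents[callee] = node
                queue.append(callee)
    return None


def triage(entry_points, graph=CALL_GRAPH, vulns=VULNERABLE_SYMBOLS,
           deps=DEPENDENCIES):
    """Classify each advisory: reachable, present_unreachable or not_present.

    "present" is what an SBOM scanner reports; "reachable" is what static
    reachability analysis adds on top of it.
    """
    reach = reachable_from(entry_points, graph)
    result = {}
    for symbol, adv in vulns.items():
        package = symbol.split(":", 1)[0]
        if package not in deps:
            result[adv] = {"status": "not_present", "path": None}
        elif symbol in reach:
            paths = (shortest_path(e, symbol, graph) for e in entry_points)
            result[adv] = {"status": "reachable",
                           "path": min((p for p in paths if p), key=len)}
        else:
            result[adv] = {"status": "present_unreachable", "path": None}
    return result


if __name__ == "__main__":
    # Whole binary: CLI and HTTP server both linked in.
    for adv, info in sorted(triage(["main"]).items()):
        print(adv, info["status"], " -> ".join(info["path"] or []))
    # Only the HTTP entry point is exposed in this deployment: yamlx is still
    # in the SBOM, but the unsafe loader is no longer reachable.
    print("ADV-0001 via http only:", triage(["http_handler"])["ADV-0001"]["status"])
```

The same SBOM yields two different answers depending on which entry points a deployment actually exposes, which is why reachability has to be computed per deployment and not once per repository.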

Takeaways for Attendees:
• Gain a clear understanding of reachability analysis and its role in reducing vulnerability overload.
• Learn how to implement and prioritize vulnerabilities using contextual deduplication and threat intelligence.
• Explore how static and runtime reachability analysis complement each other for a comprehensive approach.
• Discover practical applications of reachability analysis in modern ASPM solutions to improve security team efficiency.

This talk offers a roadmap for security teams looking to harness the power of reachability analysis to focus on what truly matters. By bridging the gap between overwhelming alerts and actionable insights, you can redefine your vulnerability management strategy and build a stronger, more resilient security posture.

Navigating the Challenges of Risk-Based Vulnerability Management in a Cloud-Native World

Since 2015 we have changed the way we build software: cloud, containerized environments and modern development practices have redefined the cybersecurity landscape. With this shift, vulnerability management faces unprecedented challenges in scale, complexity and data consistency. In this presentation, two leading experts delve into the intricacies of adopting a risk-based approach to vulnerability management, focusing on practical strategies and emerging methodologies in the enterprise.

### Key Topics:
- **The Inconsistency of Data**: Fragmented and siloed security data often hampers efforts to prioritize vulnerabilities effectively. The presentation explores strategies to consolidate and normalize data from disparate tools and environments, enabling a unified view that supports informed decision-making.
- **Vulnerability Management at Scale**: Managing vulnerabilities in sprawling, dynamic infrastructures demands innovative approaches. The speakers share insights into automating prioritization and remediation workflows, addressing the unique challenges of containerized and serverless architectures.
- **Reachability Analysis**: Identifying exploitable vulnerabilities through reachability analysis has emerged as a game-changer. The panel discusses how contextualizing vulnerabilities within the software supply chain and runtime environments can help organizations focus their resources on the most critical risks.

### Learning Objectives:
Attendees will gain a deeper understanding of:
- How to overcome the barriers posed by inconsistent data in vulnerability management workflows.
- Best practices for managing vulnerabilities across diverse and rapidly scaling environments.
- The value of incorporating reachability analysis into risk-based prioritization to reduce noise and focus on actionable threats.

This session is addressed to leaders looking to scale vulnerability management across an organization, bringing code, cloud and traditional attack paths under a single view. It includes practitioner-to-practitioner use cases and stories to keep it grounded in reality.

Let's Stop Fighting over Vulns: A Threat-Centric View of Application and Cloud Security

Application security vulnerabilities and cloud/infrastructure vulnerabilities have historically been handled separately. One team talks about MITRE ATT&CK, threat actors and exposure; the other team (appsec) talks about developer relationships, security-centric approaches, shift left, CWE, and so on.

CISOs are left confused about how to create metrics and initiatives. Should vulnerability management/exposure management and application security really be separate?

The gap is real. As an organization starts its journey into the cloud and containerized world, there is a clear divide between development teams and security operations (SecOps). These two worlds are really part of the same ecosystem, each critical to it, and they often struggle to find common ground for effective communication and collaboration. This talk takes a threat-centric approach to understanding and addressing these challenges, offering actionable insights to align the teams and strengthen your security posture.

Key Discussion Points:
1. The Journey of Application and Cloud Security Teams

2. The CWE Challenge: complexity and completeness

3. The Power of Patterns: weakness, threat impact and recurring patterns
• How focusing on root causes and recurring patterns in vulnerabilities drives maturity in security practices.
• Using pattern recognition to prioritize critical vulnerabilities and reduce noise.

4. Context is Key
• Moving beyond generic vulnerability management to focus on deployment context.

5. A Path Forward: Threat-Centric Maturity
• Leveraging threat-centric strategies to unify teams under a shared understanding of risk.

Looking ahead: using AI and automated tools to analyze, categorize and prioritize vulnerabilities in context.

Takeaways for Attendees:
• Understand how a threat-centric view can align development and security operations for better collaboration.
• Learn the importance of focusing on deployment context to prioritize vulnerabilities effectively.
• Discover how AI and pattern recognition can simplify complex frameworks like CWE and drive actionable insights.
• Explore practical strategies to mature application and cloud security programs by bridging gaps between teams.
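What "deployment context" and "recurring patterns" mean in practice can be shown on a handful of findings. The Python below is an added example written for this page, not the speaker's or Phoenix Security's code: the findings, the asset inventory, the KEV/exploited-in-the-wild sets and the CVE identifiers (CVE-2099-xxxx) are all constructed, and the scoring weights are illustrative assumptions, not a published formula. It deduplicates the same CVE reported on the same asset by two scanners, scores each finding by CVSS adjusted for exposure and threat intelligence, and then groups by CWE to surface a root cause that recurs across services.

```python
"""Context-driven prioritisation with deduplication and CWE pattern grouping.

Added example. Findings, assets, threat-intel sets and weights are constructed
for illustration; the CVE ids are hypothetical.
"""
from collections import defaultdict

# Constructed findings as ingested from several scanners.
FINDINGS = [
    {"id": "CVE-2099-0001", "cwe": "CWE-79",  "cvss": 6.1, "asset": "web-frontend", "scanner": "sast"},
    {"id": "CVE-2099-0001", "cwe": "CWE-79",  "cvss": 6.1, "asset": "web-frontend", "scanner": "dast"},
    {"id": "CVE-2099-0002", "cwe": "CWE-502", "cvss": 9.8, "asset": "batch-worker", "scanner": "sca"},
    {"id": "CVE-2099-0003", "cwe": "CWE-502", "cvss": 9.8, "asset": "api-gateway",  "scanner": "sca"},
    {"id": "CVE-2099-0004", "cwe": "CWE-89",  "cvss": 8.2, "asset": "reporting-db", "scanner": "sast"},
]

# Constructed deployment context per asset.
ASSETS = {
    "web-frontend": {"internet_facing": True,  "env": "prod"},
    "api-gateway":  {"internet_facing": True,  "env": "prod"},
    "batch-worker": {"internet_facing": False, "env": "prod"},
    "reporting-db": {"internet_facing": False, "env": "staging"},
}

# Constructed threat intelligence (would come from CISA KEV and exploit feeds).
KEV = {"CVE-2099-0003"}
EXPLOITED_IN_WILD = {"CVE-2099-0003", "CVE-2099-0004"}


def dedupe(findings):
    """Merge the same CVE on the same asset reported by several scanners."""
    merged = {}
    for f in findings:
        key = (f["id"], f["asset"])
        if key in merged:
            merged[key]["scanners"].add(f["scanner"])
        else:
            entry = {k: v for k, v in f.items() if k != "scanner"}
            entry["scanners"] = {f["scanner"]}
            merged[key] = entry
    return list(merged.values())


def risk_score(f, assets=ASSETS, kev=KEV, itw=EXPLOITED_IN_WILD):
    """CVSS scaled by exposure and exploit evidence (assumed weights)."""
    ctx = assets[f["asset"]]
    if ctx["env"] != "prod":
        exposure = 0.25          # non-production: lowest exposure weight
    elif ctx["internet_facing"]:
        exposure = 1.0           # reachable by anyone on the internet
    else:
        exposure = 0.5           # internal-only production
    if f["id"] in kev:
        exploit = 1.5            # known exploited per KEV
    elif f["id"] in itw:
        exploit = 1.2            # exploit observed in the wild
    else:
        exploit = 1.0
    return round(f["cvss"] * exposure * exploit, 1)


def prioritize(findings):
    """Deduplicated findings, highest contextual risk first."""
    ranked = [dict(f, score=risk_score(f)) for f in dedupe(findings)]
    return sorted(ranked, key=lambda f: f["score"], reverse=True)


def weakness_patterns(findings):
    """Group deduplicated findings by CWE: a weakness recurring across assets
    is a root cause to fix once (library, template, coding standard), not N tickets."""
    groups = defaultdict(lambda: {"count": 0, "assets": set(), "max_score": 0.0})
    for f in dedupe(findings):
        g = groups[f["cwe"]]
        g["count"] += 1
        g["assets"].add(f["asset"])
        g["max_score"] = max(g["max_score"], risk_score(f))
    return dict(groups)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f["score"], f["id"], f["asset"], sorted(f["scanners"]))
    for cwe, g in weakness_patterns(FINDINGS).items():
        print(cwe, g["count"], sorted(g["assets"]), g["max_score"])
```

Note how the CVSS 9.8 on the internal batch worker drops below a CVSS 6.1 on the internet-facing frontend, and how the two unrelated CVEs with CWE-502 collapse into a single deserialization pattern across two services; that pattern view is what the appsec and SecOps teams can agree on even when they disagree about individual CVEs.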

Data:
CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
Exploit in the wild: https://phoenix.security/what-is-exploitability/
OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/

CWE over the years
https://phoenix.security/cwe-top-25-comparison-dataset/
https://phoenix.security/cwe-top-25-2024-2/
https://phoenix.security/understanding-the-2023-cwe-top-25-most-dangerous-software-weaknesses-and-application-security-patterns-over-the-years/

Surfacing Product Security: One Surface to Rule Them All

2015 was a much simpler scenario; since then, cloud, containers, advanced development practices and warp-speed delivery have created far more complex ones. How can a modern product security team really help developers?
What is an asset in this modern scenario? How are assets related to each other?
We will explore the concepts of reachability and exploitability and their value in assessing whether a vulnerability can actually be exploited.

Product security and digital supply chain - Let’s go on a DATA with vulnerabilities

Posture and data don't lie: a risk- and fact-driven approach to posture management, with a deep dive into exploitability, reliability of the data, and the likelihood of exploitation.
