Speaker

Francesco Cipollone

Appsec Monkey

London, United Kingdom

Francesco is a seasoned entrepreneur, CEO of Phoenix Security, a context-based vulnerability management platform from code to cloud, author of several books, host of the multi-award-winning Cyber Security & Cloud Podcast, and a speaker known in the cybersecurity industry and recognized for his visionary views. He is on the UK&I Cloud Security Alliance Chapter board and is a professor at IANS on application security and cloud security. Previously, Francesco headed HSBC's application and cloud security and was a Senior Security Consultant at AWS. Francesco has been keynoting at global conferences and has authored and co-authored several books and whitepapers; outside of work, he can be found running marathons, snowboarding on the Italian slopes, and enjoying single malt whiskeys in one of his favourite London clubs.

Area of Expertise

  • Finance & Banking

Topics

  • cybersecurity
  • Application Security
  • product security
  • Vulnerability Management

Navigating the Challenges of Risk-Based Vulnerability Management in a Cloud-Native World

From 2015 to today we have changed the way we build things. Containerized environments and modern software development practices have redefined the landscape of cybersecurity. With this shift, vulnerability management faces unprecedented challenges in terms of scale, complexity, and data consistency. In this presentation, two leading experts delve into the intricacies of adopting a risk-based approach to vulnerability management, focusing on practical strategies and emerging methodologies in the enterprise.

### Key Topics:
- **The Inconsistency of Data**: Fragmented and siloed security data often hampers efforts to prioritize vulnerabilities effectively. The presentation explores strategies to consolidate and normalize data from disparate tools and environments, enabling a unified view that supports informed decision-making.
- **Vulnerability Management at Scale**: Managing vulnerabilities in sprawling, dynamic infrastructures demands innovative approaches. The speakers share insights into automating prioritization and remediation workflows, addressing the unique challenges of containerized and server-less architectures.
- **Reachability Analysis**: Identifying exploitable vulnerabilities through reachability analysis has emerged as a game-changer. The panel discusses how contextualizing vulnerabilities within the software supply chain and runtime environments can help organizations focus their resources on the most critical risks.

### Learning Objectives:
Attendees will gain a deeper understanding of:
- How to overcome the barriers posed by inconsistent data in vulnerability management workflows.
- Best practices for managing vulnerabilities across diverse and rapidly scaling environments.
- The value of incorporating reachability analysis into risk-based prioritization to reduce noise and focus on actionable threats.

This session is addressed to leaders who are looking at scaling vulnerability management in an organization, bringing code, cloud, and traditional attack paths under a single view. The session includes practitioner-to-practitioner use cases and stories to ground the discussion in reality.

Let's stop fighting over Vulns: A Threat-Centric View of Application and Cloud Security

Application security vulnerabilities and cloud/infra vulnerabilities have historically been divided. One team talks about MITRE ATT&CK, threat actors, and exposure, and the other team (appsec) talks about developer relationships, security-centric approaches, shift left, CWE, etc.

CISOs are confused about how to create metrics and initiatives. Should vulnerability management/exposure management and application security really be separated?

The gap is real! As the organization starts its journey into the cloud and containerized world, there is a clear divide between development teams and security operations (SecOps). These two worlds are really parts of the same cybersecurity ecosystem, each critical to it, yet they often struggle to find common ground for effective communication and collaboration. This talk takes a threat-centric approach to understanding and addressing these challenges, offering actionable insights to align these teams and strengthen your security posture.

Key Discussion Points:
1. The Journey of Application and Cloud Security Teams

2. The CWE Challenge: complexity and completeness

3. The Power of Patterns / Weakness / Threat Impact and Patterns
• How focusing on root causes and recurring patterns in vulnerabilities drives maturity in security practices.
• Using pattern recognition to prioritize critical vulnerabilities and reduce noise.

4. Context is Key
• Moving beyond generic vulnerability management to focus on deployment context.

5. A Path Forward: Threat-Centric Maturity
• Leveraging threat-centric strategies to unify teams under a shared understanding of risks.

Future peek: Using AI and automated tools to analyze, categorize, and prioritize vulnerabilities in context.

Takeaways for Attendees:
• Understand how a threat-centric view can align development and security operations for better collaboration.
• Learn the importance of focusing on deployment context to prioritize vulnerabilities effectively.
• Discover how AI and pattern recognition can simplify complex frameworks like CWE and drive actionable insights.
• Explore practical strategies to mature application and cloud security programs by bridging gaps between teams.

Data:
CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
Exploit in the wild: https://phoenix.security/what-is-exploitability/
OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/

CWE over the years
https://phoenix.security/cwe-top-25-comparison-dataset/
https://phoenix.security/cwe-top-25-2024-2/
https://phoenix.security/understanding-the-2023-cwe-top-25-most-dangerous-software-weaknesses-and-application-security-patterns-over-the-years/
