Session

Let's stop fighting over Vulns: A Threat-Centric View of Application and Cloud Security

Application security vulnerabilities and cloud/infrastructure vulnerabilities have historically been handled separately. One team talks about MITRE ATT&CK, threat actors, and exposure; the other team (appsec) talks about developer relationships, security-centric approaches, shift left, CWE, etc.

CISOs are left unsure how to build metrics and initiatives across both. Should vulnerability/exposure management and application security really be kept separate?

The gap is real! As an organization starts its journey into the cloud and containerized world, a clear divide opens between development teams and security operations (SecOps). These two worlds are really two halves of the same cybersecurity ecosystem, each critical, yet they often struggle to find common ground for effective communication and collaboration. This talk takes a threat-centric approach to understanding and addressing these challenges, offering actionable insights to align these teams and strengthen your security posture.

Key Discussion Points:
1. The Journey of Application and Cloud Security Teams:

2. The CWE Challenge: complexity and completeness

3. The Power of Patterns: weakness, threat impact, and recurring patterns
• How focusing on root causes and recurring patterns in vulnerabilities drives maturity in security practices.
• Using pattern recognition to prioritize critical vulnerabilities and reduce noise.

4. Context is Key
• Moving beyond generic vulnerability management to focus on deployment context.

5. A Path Forward: Threat-Centric Maturity:
• Leveraging threat-centric strategies to unify teams under a shared understanding of risks.

Future peek: Using AI and automated tools to analyze, categorize, and prioritize vulnerabilities in context.

Takeaways for Attendees:
• Understand how a threat-centric view can align development and security operations for better collaboration.
• Learn the importance of focusing on deployment context to prioritize vulnerabilities effectively.
• Discover how AI and pattern recognition can simplify complex frameworks like CWE and drive actionable insights.
• Explore practical strategies to mature application and cloud security programs by bridging gaps between teams.

Data:
CISA KEV: https://phoenix.security/what-is-cisa-kev-main/
Exploit in the wild: https://phoenix.security/what-is-exploitability/
OWASP/Appsec Vulnerability: https://phoenix.security/what-is-owasp-main/
CWE/Appsec Vulnerabilities: https://phoenix.security/what-is-cwe-main/

CWE over the years
https://phoenix.security/cwe-top-25-comparison-dataset/
https://phoenix.security/cwe-top-25-2024-2/
https://phoenix.security/understanding-the-2023-cwe-top-25-most-dangerous-software-weaknesses-and-application-security-patterns-over-the-years/
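The "Context is Key" and "Power of Patterns" points above describe a prioritization that combines the signals listed under Data (CISA KEV membership, exploit-in-the-wild evidence, CWE) with deployment context. The script below is an added illustration written for this page, not code from the speaker or from Phoenix Security; the findings, the weighting factors and the environment multipliers are constructed assumptions chosen to show the idea, not a published scoring model.

```python
"""Contextual vulnerability prioritization: added example, not the talk's own tooling.

Two views of the same findings are compared:
  - rank_by_cvss:  the generic severity-only ordering most scanners produce
  - prioritize:    a threat-centric ordering that folds in KEV, exploit evidence
                   and deployment context (exposure, environment, asset value)
plus a CWE grouping that surfaces recurring root-cause patterns.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed multipliers (constructed for this example; tune to your own risk appetite).
KEV_FACTOR = 2.0            # listed in CISA Known Exploited Vulnerabilities
EXPLOIT_IN_WILD_FACTOR = 1.5  # public exploitation evidence, but not (yet) in KEV
INTERNET_FACING_FACTOR = 1.5
ENV_WEIGHT = {"prod": 1.0, "staging": 0.7, "dev": 0.4}


@dataclass(frozen=True)
class Finding:
    id: str                 # internal finding id (constructed, not a CVE)
    cwe: str                # weakness category, e.g. "CWE-79"
    cvss: float             # base severity 0.0-10.0
    kev: bool               # in CISA KEV
    exploit_in_wild: bool   # exploitation observed in the wild
    internet_facing: bool   # reachable from the internet where it is deployed
    environment: str        # "prod" | "staging" | "dev"
    asset_criticality: int  # 1 (low) .. 5 (crown jewel)


def contextual_score(f: Finding) -> float:
    """Scale CVSS by threat evidence and deployment context."""
    score = f.cvss
    if f.kev:
        score *= KEV_FACTOR
    elif f.exploit_in_wild:
        score *= EXPLOIT_IN_WILD_FACTOR
    if f.internet_facing:
        score *= INTERNET_FACING_FACTOR
    score *= ENV_WEIGHT.get(f.environment, ENV_WEIGHT["dev"])
    score *= 0.5 + 0.1 * f.asset_criticality   # criticality 1 -> 0.6, 5 -> 1.0
    return score


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Severity-only ordering (stable, so ties keep input order)."""
    return [f.id for f in sorted(findings, key=lambda f: -f.cvss)]


def prioritize(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Threat-centric ordering: (finding id, contextual score), highest first."""
    scored = [(f.id, contextual_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: -pair[1])


def recurring_patterns(findings: List[Finding], min_count: int = 2) -> Dict[str, List[str]]:
    """Group findings by CWE and keep the weaknesses that recur: root-cause candidates."""
    by_cwe: Dict[str, List[str]] = defaultdict(list)
    for f in findings:
        by_cwe[f.cwe].append(f.id)
    return {cwe: ids for cwe, ids in by_cwe.items() if len(ids) >= min_count}


# Constructed sample findings (not real assets or CVEs).
SAMPLE_FINDINGS = [
    Finding("F-1", "CWE-79",  6.1, False, False, True,  "prod",    3),
    Finding("F-2", "CWE-502", 9.8, True,  True,  False, "dev",     2),
    Finding("F-3", "CWE-787", 7.5, True,  True,  True,  "prod",    5),
    Finding("F-4", "CWE-79",  6.1, False, False, False, "staging", 1),
    Finding("F-5", "CWE-89",  9.8, False, True,  True,  "prod",    4),
]


if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE_FINDINGS))
    print("Contextual order:", [(fid, round(s, 2)) for fid, s in prioritize(SAMPLE_FINDINGS)])
    print("Recurring CWEs  :", recurring_patterns(SAMPLE_FINDINGS))
```

On the constructed data the severity-only view puts F-2 first (CVSS 9.8, in KEV), while the contextual view drops it below the internet-facing production findings because it sits on a dev system with no exposure; the two CWE-79 findings are reported together as one recurring pattern to fix at the root rather than as two tickets.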

Francesco Cipollone

Appsec Monkey

London, United Kingdom
