
Vulnerabilities, My Team & I: Triaging Security Findings

180-minute Workshop

Learn how to triage your security findings effectively to reduce noise, fatigue and cognitive load, and finally act on them

Timetable

1:30 p.m. – 4:30 p.m. Thursday 19th

Room

Room D1+D2 - Track 6: Workshops

Collaboration & Communication, Other, Security Testing

Audience

testers, quality engineers, developers, security engineers, engineering managers, tech leads

Required

Laptop with internet connection

Key-Learnings

  • Understand that no security finding is the same - context is key
  • Learn various approaches to classify security findings that allow for informed decisions
  • Practice reducing noise and step into action so you’re ready for the next finding to be reported

Your engineering team is petrified when looking at their huge backlog of security findings. They are drowning in reports from dependency scans, static analysis, security reviews, and penetration tests. Where do you even start sifting through all that, and how do you tell what is most valuable to fix right now, or whether something needs fixing at all?

Your security team feels desperate, staring at the long backlogs of security findings across teams. Where do you even start advising teams on how to deal with all these findings? Stakeholders demand resolution, yet if the security team cries wolf about a “super critical vulnerability” every time, who will listen when a real emergency arises?

In this interactive workshop, we will reduce the overwhelm and cognitive load by working through several approaches to triaging security findings. We can classify the component where the finding occurs: how business-critical is it, and what kind of data does it handle? We can test whether the identified vulnerability is even reachable and exploitable in our deployment. We can take into account mitigations already in place, or easily added, to buy time to fix the root cause. We can define our risk appetite: not every finding needs to be mitigated in the first place.
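To make the triage factors above concrete, here is an added example in Python that is not part of the workshop material: a small scoring model that scales a scanner's context-free severity by component criticality, data sensitivity, exposure, verified reachability and compensating controls, then maps the result to a decision against a stated risk appetite. The components, findings, identifiers, weights and thresholds are all constructed assumptions for illustration, not real findings or the workshop's own method. The same high-severity library finding appears twice, once in an internet-facing payments service and once in an internal tool where the vulnerable code path is never called, to show how context changes the outcome.

```python
"""Contextual triage of security findings.

Constructed example: the findings, components, weights and thresholds below
are assumptions for illustration, not output of any real scanner or tool.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

FIX_NOW = 7.0        # assumed threshold: contextual score at or above this is fixed immediately
RISK_APPETITE = 4.0  # assumed threshold: below this the finding is accepted and documented


@dataclass(frozen=True)
class Component:
    name: str
    business_criticality: int  # 1 = internal convenience tool .. 3 = revenue/safety critical
    data_sensitivity: int      # 1 = public data .. 3 = regulated PII, secrets, payment data
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    finding_id: str
    source: str                  # dependency-scan, sast, pentest, review
    title: str
    reported_severity: float     # scanner's context-free score, CVSS-like 0..10
    component: Component
    reachable: Optional[bool]    # None = nobody has checked yet
    mitigations: tuple = ()      # compensating controls already in place


def contextual_score(f: Finding) -> float:
    """Scale the reported severity by the context the scanner does not know."""
    exposure = 1.0 if f.component.internet_facing else 0.6
    # 0.33 for a low-value component holding public data, 1.0 for critical and sensitive
    context = (f.component.business_criticality + f.component.data_sensitivity) / 6
    # Unverified reachability is treated as reachable; only a checked "no" discounts.
    reach = 0.2 if f.reachable is False else 1.0
    # Each compensating control buys time; it does not remove the root cause.
    controls = 0.9 ** len(f.mitigations)
    return round(f.reported_severity * exposure * context * reach * controls, 2)


def decide(f: Finding) -> dict:
    """Map the contextual score to a decision and the next cheap action."""
    score = contextual_score(f)
    if score >= FIX_NOW:
        decision = "fix now"
    elif score >= RISK_APPETITE:
        decision = "mitigated, schedule fix" if f.mitigations else "schedule fix"
    else:
        decision = "accept and document"
    # Unverified findings get a reachability check before anyone opens a ticket.
    next_action = "verify reachability" if f.reachable is None else None
    return {"id": f.finding_id, "reported": f.reported_severity, "score": score,
            "decision": decision, "next_action": next_action}


def triage(findings) -> list:
    """Return decisions ordered by contextual score, highest first."""
    return sorted((decide(f) for f in findings), key=lambda d: d["score"], reverse=True)


# Constructed sample backlog: identifiers and titles are made up for this example.
PAYMENTS = Component("payments-api", 3, 3, internet_facing=True)
REPORTING = Component("internal-reporting", 1, 2, internet_facing=False)
ADMIN = Component("admin-portal", 2, 3, internet_facing=True)

SAMPLE_BACKLOG = [
    Finding("DEP-001", "dependency-scan", "deserialization flaw in transitive library",
            9.8, PAYMENTS, reachable=True),
    Finding("DEP-002", "dependency-scan", "deserialization flaw in transitive library",
            9.8, REPORTING, reachable=False),  # vulnerable code path is never called
    Finding("SAST-003", "sast", "reflected XSS in search parameter",
            6.1, ADMIN, reachable=None, mitigations=("WAF rule", "CSP with nonces")),
    Finding("PT-004", "pentest", "no rate limiting on login endpoint",
            5.3, PAYMENTS, reachable=True, mitigations=("MFA enforced",)),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_BACKLOG):
        extra = f" ({d['next_action']})" if d["next_action"] else ""
        print(f"{d['id']:9} reported={d['reported']:<4} score={d['score']:<5} {d['decision']}{extra}")
```

Run as a script, the two identical library findings land at opposite ends of the list: the payments copy scores 9.8 and is fixed now, while the internal-reporting copy, with the vulnerable code unreachable, drops below the risk appetite and is accepted and documented. The unverified XSS finding is scheduled but flagged for a reachability check first, which is usually cheaper than the fix. The multipliers are deliberately crude; the point is that the weights and thresholds are written down and agreed with stakeholders, so every decision can be explained and revisited when context changes.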

Let’s practice triaging security findings together. You will learn how to reduce noise and figure out what is most valuable to invest in first. You can finally take action to get things back in order - and keep them that way. Whatever new finding gets reported, you will be ready for it!
