Hacker News

jollofricepeas 05/15/2025

The funny thing is…

You’re stating the problem with that whole sector.

I really wish product owners, researchers and tool creators had more actual real world experience on the remediation side. I think that’s the reason we have so many crappy tools.

- We need a better way of addressing business logic issues and sensitive data leakage which starts at the data model and flows from there.

- Within large organizations, we need better risk data about vulns to aid with prioritization and remediation, which is always the larger problem (sifting through noise).

- We need automated threat modeling tools that reduce a team's need to start from zero.

Fundamentally a tool is a waste of time if it can’t tell you there’s “x% possibility of downtime or sensitive data leakage.”

Addressing the risk equation (r=il) where the impact and likelihood variables are baked into every tool and based in real world data is where we should be.

Until then, vulnerability scanning and management will continue to suck.


Replies

MarcoDewey 05/15/2025

I also wish that I had more real world experience. It would help me a ton if I had 25 years of software testing experience.

It sounds like you do have experience, and I would love to learn from you. It would be awesome if you could help us build a tool that is truly useful for you and your work.