Tabitha Sable @tabbysable
====

Diversity in the discussion: the more of it, the better we can get the scanning. The goal is to strike a balance between the harm scanning can cause and being too nice.

The workflow: understanding findings, validating them, evaluating the risk, and then remediating it.

Why?
- Find old stuff you forgot about
- Give you a reason to get rid of cruft
- Improve your Infosec relationship
- Vacation is more fun :-)

Working with findings

Common Issue Types
- RCE
- Auth bypass
- Information disclosure
- DDOS

Scanning vulnerability reports are not that great without feedback and tweaking.

Evaluating risk is done by looking at the target, planning what happens, then doing it. Lockheed Martin cyber kill chain, aka OODA workflow.

Look at attack trees. How would this vulnerability help an attacker? See the Threat Modeling book. The tree is a useful visualization and helps in understanding why the finding is bad.

Remediation
- Start with the process. Try to fix the hole before you bail out the boat.
- Is it something you can remediate? If not, plan for the incident.
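One way to turn the attack-tree question ("how would this vulnerability help an attacker?") into a remediation order. This is an added example, not code from the talk; the tree, node names and findings are constructed for illustration and do not describe a real environment.

```python
"""Attack-tree triage for validated scanner findings (constructed example).

Leaves are conditions a validated finding can confirm; AND nodes need every
child, OR nodes need any child. Given the findings you have validated, we ask
(1) whether the attacker goal at the root is reachable and (2) which findings
are load-bearing: fixing any one of them on its own breaks every remaining
path to the goal. Those are the holes to fix before bailing out the boat.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "and" or "or"
    children: list = field(default_factory=list)


def reachable(node: Node, findings: set) -> bool:
    """True if the goal at `node` can be reached using only `findings`."""
    if node.kind == "leaf":
        return node.name in findings
    hits = [reachable(c, findings) for c in node.children]
    return all(hits) if node.kind == "and" else any(hits)


def critical_findings(root: Node, findings: set) -> set:
    """Findings whose individual remediation makes the root unreachable.

    Empty if the goal is already out of reach, and also empty when two or
    more independent paths exist (then no single fix is enough)."""
    if not reachable(root, findings):
        return set()
    return {f for f in findings if not reachable(root, findings - {f})}


# Constructed tree: illustrative names only, not a real system.
GOAL = Node("Exfiltrate customer data", "or", [
    Node("Steal via app", "and", [
        Node("RCE on web app"),
        Node("Database credentials on host"),
    ]),
    Node("Steal via admin panel", "and", [
        Node("Auth bypass on admin panel"),
        Node("Admin panel can export records"),
    ]),
    Node("Information disclosure on backup share"),
])

if __name__ == "__main__":
    validated = {"RCE on web app", "Database credentials on host",
                 "Auth bypass on admin panel"}
    print(reachable(GOAL, validated))                 # True
    print(sorted(critical_findings(GOAL, validated)))  # the two app-path leaves
```

An empty critical set while the goal is still reachable means several independent paths exist and more than one fix is needed; that is the case to plan for as an incident rather than a single patch.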