Publisher's Synopsis
Security usually fails because vulnerabilities and attack scenarios were not envisioned. This is often the weak link in the chain of security. A Vulnerability Assessment (VA) can help to fix the problem, but VAs are often missing or else get confused with other kinds of assessments and security "testing" that are not VAs, and are not very good at finding vulnerabilities. This book is the missing, comprehensive guide for how to actually do quality VAs and find security problems. Along the way, tips for better security are offered.The book is based on the author's 30+ years of experience as a Vulnerability Assessor. Topics covered include the purpose of Vulnerability Assessments (VAs), what they are and what are they not, how and who should do them, brainstorming & creativity in VAs, the VA report, cognitive dissonance & intellectual humility, sham rigor in security, the fear of VAs, Security Culture, Security Theater, metrics and the Fallacy of Precision, Marginal Analysis, insider threat mitigation, security reasoning errors, attacks on security hardware, and miscellaneous security tips.
