David started in cybersecurity while working for a local municipality. He was pulled into a PCI audit for the energy department, which was accepting credit card payments through its website. Through that audit, he was tasked with replacing their firewalls and improving their network security. Over time, due to his background in development, David's focus became application security. In his many roles, including three years with a top security consulting firm, he has focused on helping integrate and automate security testing and other important security controls into the software and systems development lifecycle for both on-premises and cloud environments. Through his consulting work, David has worked in a wide variety of environments, from startup to large enterprise, and across an array of industries. This diversity allows David to understand technology from many different angles and to relate to his students regardless of their technology or company background.
While vulnerability management is not the most exciting security topic, David believes it is easily one of the most important and the basis for all that is done in security. “Think of how much less critical penetration testing, threat hunting, wargaming, etc. would be if we could truly solve the vulnerability management problem!” – David Hazar
Digging into vulnerability management data sets to identify root cause issues and help clients truly understand what they need to do differently in order to succeed is David's idea of fun. David enjoys aggregating and analyzing data in order to produce more meaningful, targeted reports, as well as automating the recurring solutions to recurring problems, as he believes these are some of the keys to long-term success. David has worked with numerous organizations to help them understand why they are failing and what they can do to solve the vulnerability management problem, and he integrates these stories and experiences throughout his training courses.
In David’s opinion, the biggest challenge his students will face when trying to solve the vulnerability management problem is shifting the focus from identification and prioritization to problem solving. Most VM programs are failing because they do not do enough analysis and correlation of the data to identify systemic issues within the program. This was a primary reason David decided to co-author MGT516, as the course helps students understand why prioritization, while important, is not the solution to their vulnerability management problems. Students are taught to understand vulnerability management more holistically across all aspects of the lifecycle so they can better engage with their partners or stakeholders throughout the organization to solve the underlying issues with the program.
One of David’s favorite anecdotes to share is about working on a vulnerability management program assessment for a large financial services company. As part of the project, he reviewed documentation and held interviews with various program participants. All the documentation and interviews made it appear the patch management program at this company was solid. However, as part of the assessment, his team reviewed the company’s vulnerability backlog. During the review, they grouped the vulnerability data by the high-level solution or remediation action that was required to resolve the vulnerability. They were surprised to find that the top three solutions were: Update Java, Update Microsoft, and Update RedHat. These three action items alone accounted for over 90% of open vulnerabilities. With the customer, they went back to the table to discuss patch management in more detail. As it turns out, they couldn’t patch Java because they were sharing application servers and almost all servers had old applications requiring Java 6 or 7. The Microsoft vulnerabilities were due to some common false positives and servers missing or excluded from the patch management technology/process. The RedHat vulnerabilities were due to a lack of resources and tooling that led to a three-month rolling update cycle instead of the typical monthly cycle. Given this knowledge, the VM program manager was able to create a story (backed by data) to illustrate what changes were needed that executives and the board were able to easily understand. This story helped justify the projects, resources, and funding required to solve these systemic issues.
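The backlog review in that anecdote is a repeatable analysis: map each open finding to the high-level remediation action that resolves it, group by that action, and read off the cumulative share. The following is an added example written for this page, not code from David or from MGT516. The scanner export, the host names and the bucketing rules (the regular expressions that map solution text onto "Update Java", "Update Microsoft" and "Update RedHat") are all constructed assumptions; a real program would derive the rules from its own scanner's solution and plugin-family fields.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample of a scanner export (not real client data and not data
# from the page). One row per open finding: host, finding title, and the
# scanner's verbatim "solution" text. The point is to roll thousands of such
# rows up into the few remediation actions that actually resolve them.
SAMPLE_EXPORT = """host,title,solution
app01,Oracle Java SE Multiple Vulnerabilities,Upgrade to a supported Oracle Java SE release.
app01,Oracle Java SE Deserialization Issue,Upgrade to a supported Oracle Java SE release.
app02,Oracle Java SE Multiple Vulnerabilities,Upgrade to a supported Oracle Java SE release.
app02,Java Runtime Unsupported Version,Upgrade to a supported Oracle Java SE release.
web01,Windows Security Update Missing,Microsoft has released a set of patches for Windows Server.
web02,Windows Security Update Missing,Microsoft has released a set of patches for Windows Server.
web03,Windows SMB Security Update Missing,Microsoft has released a set of patches for Windows Server.
db01,RHEL 7 : kernel security update,Update the affected kernel packages.
db01,RHEL 7 : openssl security update,Update the affected openssl packages.
db02,RHEL 7 : kernel security update,Update the affected kernel packages.
web01,SSL Certificate Expiry,Purchase or generate a new SSL certificate.
"""

# Hypothetical bucketing rules (an assumption for this example): map the
# scanner's varied solution text onto a high-level remediation action. The
# title is checked too, because some plugins name the product only there.
# Rules are ordered; the first match wins.
BUCKET_RULES = [
    (re.compile(r"\bjava\b", re.I), "Update Java"),
    (re.compile(r"\b(microsoft|windows)\b", re.I), "Update Microsoft"),
    (re.compile(r"\b(rhel|red ?hat|rhsa)\b", re.I), "Update RedHat"),
]


def bucket(title: str, solution: str) -> str:
    """Return the high-level remediation action for one finding."""
    text = f"{title} {solution}"
    for pattern, action in BUCKET_RULES:
        if pattern.search(text):
            return action
    # Unmatched findings keep their verbatim solution so they stay visible
    # in the report instead of vanishing into a generic "Other" bucket.
    return f"Other: {solution.strip()}"


def load_findings(export_text: str) -> list[dict]:
    """Parse a CSV export and attach a remediation action to each row."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    for row in rows:
        row["action"] = bucket(row["title"], row["solution"])
    return rows


def remediation_breakdown(findings: list[dict]) -> list[tuple[str, int, float, float]]:
    """Group findings by action and return (action, count, share, cumulative
    share), largest first. Ties break on action name so output is stable."""
    counts = Counter(f["action"] for f in findings)
    total = sum(counts.values())
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    rows, running = [], 0
    for action, n in ordered:
        running += n
        rows.append((action, n, n / total, running / total))
    return rows


def top_actions_covering(breakdown, threshold: float = 0.9) -> list[str]:
    """Smallest prefix of the ranked actions whose cumulative share reaches
    the threshold: the short list to take back to the patching conversation."""
    selected = []
    for action, _n, _share, cumulative in breakdown:
        selected.append(action)
        if cumulative >= threshold:
            break
    return selected


def hosts_per_action(findings: list[dict]) -> dict[str, set[str]]:
    """Hosts touched by each action: the number needed to size the work and
    to ask the right owners why the update has not happened."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["action"]].add(f["host"])
    return dict(hosts)


if __name__ == "__main__":
    findings = load_findings(SAMPLE_EXPORT)
    breakdown = remediation_breakdown(findings)
    for action, n, share, cumulative in breakdown:
        print(f"{action:<50} {n:>4} {share:6.1%}  cum {cumulative:6.1%}")
    print("Actions covering 90% of the backlog:", top_actions_covering(breakdown))
    for action, hosts in hosts_per_action(findings).items():
        print(f"{action}: {len(hosts)} host(s)")
```

Run against the constructed export, three actions cover just over 90% of the eleven findings, which is the shape of the result in the anecdote. The useful output for a program manager is not the ranked table itself but the follow-up questions it forces: for each top action, which hosts are affected and what is stopping that one update from being applied.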
In addition to teaching for SANS, David has been known to present now and then at the local UtahSec meetings, formerly led by Justin Searle, another amazing SANS instructor. David holds a Bachelor's Degree in Information Systems and a Master of Information Systems Management from Brigham Young University, along with numerous other technical and security certifications: CISSP, GCWN, GCUX, GMOB, GWAPT, GCIH, GCIA, GWEB, GISSP.NET, and GSTRT. When not managing vulnerabilities, David enjoys skiing and snowboarding (with his family when they agree to be seen with him), watching his daughter play high school basketball, and cooking and eating.
Listen in to David's webcast Top Five Vulnerability Management Failures (and Best Practices):
ADDITIONAL CONTRIBUTIONS FROM DAVID HAZAR: