Articles by Jeremiah Grossman

Personal site: https://www.jeremiahgrossman.com

WhiteHat – Bit Discovery partnership announcement

By Jeremiah Grossman on April 27, 2021

20 years ago, I founded WhiteHat Security, a company that helped pioneer the Application Security industry and revolutionized vulnerability management. Beyond finding and fixing vulnerabilities throughout the SDLC, we saw that the largest and most important problem all of WhiteHat’s customers faced was attack surface management — finding all their websites …

High-Fidelity Attack Surface Mapping

By Jeremiah Grossman on April 12, 2021

“High-fidelity” is the reproduction of sound with little distortion, resulting in a product very similar to the original. Similarly, in information security, having a clear picture of your attack surface is critical. Breaches happen when adversaries know more than you about your attack surface. These days, you simply cannot afford …

“Responsible Person” and Attack Surface Management

By Jeremiah Grossman on January 26, 2021

One might assume it would be common practice within every IT department for there to be a centralized source of truth to easily look up the primary contact for every IT asset (i.e. network range, hostname, IP address, or domain name).

This person, or group of people, is typically referred to …

Attack Surface Management: “These assets no longer belong to us”

By Jeremiah Grossman on January 13, 2021

Bit Discovery has been tracking the attack surface maps for hundreds of companies for a few years now. In the process we’ve found an interesting use-case. Companies will have assets in their inventory that they were once interested in, then they’ll suddenly say, “these assets no longer belong to us,” …

The Attack Surface is Foundational Knowledge

By Jeremiah Grossman on December 30, 2020

Foundational knowledge is information, or a skillset, generally accepted as essential to understanding more advanced cognitive subjects or performing increasingly sophisticated processes. As a simple example, learning basic addition is necessary before taking on multiplication. Familiarity with the fundamentals of TCP/IP is necessary before grasping how ACLs and network firewalls work. …

Analyze the Attack Surface Before Taking a CISO Job

By Jeremiah Grossman on December 29, 2020

I once had a conversation with a Chief Financial Officer (CFO) who said whenever they join a new company, they never know what they’ll find lurking in the financials until well after their first day. They said it’s a little nerve-wracking to be unclear about the level of accuracy …

We want to scan “ALL” our websites…

By Jeremiah Grossman on December 21, 2020

Back in my days at WhiteHat Security, countless customer conversations would begin with them saying, “We want to [DAST] scan all of our websites.” DAST refers to Dynamic Application Security Testing. To which we’d instantly reply, “Great! Just give us the list, and some test account credentials, and we’ll get …

Why Attack Surface Management is Hard

By Jeremiah Grossman on December 18, 2020

Everyone agrees that attack surface management is critically important, as it is the very first step of any information security program. While enterprise interest and market traction for attack surface management is building, it’s curious why every organization doesn’t already have an up-to-date attack surface map. They should! It may …

Naming the Shadows within Shadow IT

By Jeremiah Grossman on August 21, 2020

When managing the inventory of internet-connected assets for an organization, the term Shadow IT is often used. The more accurate an Asset Inventory is, the less Shadow IT exists. Generally, Shadow IT refers to IT assets that an organization doesn’t know about or doesn’t have control over. Obviously, you can’t …

Free Asset Inventory for Healthcare Providers

By Jeremiah Grossman on March 26, 2020

As the world continues to grapple with the effects of the global COVID-19 pandemic, it is infuriating to see cyber-attacks targeting healthcare providers. Already impacted are the U.S. Health and Human Services Department, Champaign-Urbana Public Health District (Champaign, IL), Brno University Hospital (Brno, Czech Republic), Affordacare Urgent Care Clinic (Abilene, TX), Hammersmith Medicines Research (London, United Kingdom), and presumably …
