SlideShare a Scribd company logo

Forget cyber, it's all about AppSec

Download as PPTX, PDF
A
Adrien de Beaupre

Modern information security

Technology
1 of 23
Modern Information Security; Forget Cyber, it's all about AppSec Adrien de Beaupré SANS ISC Handler Principal SANS instructor and course author Intru-Shun.ca Inc. ©2018 Intru-Shun.ca Inc.
About me Principal SANS Instructor Black Belt & Martial Arts Enthusiast CoAuthor of SANS SEC 460 and 642 Consultant InfoSec full time since 2000
Introduction » Why this presentation? » That cyber word » A little bit of history » Visibility is one problem » The future of InfoSec is AppSec » Application behaviour modeling » Solutions
This discussion will focus on how modern information security has evolved and what we will need to move into the 21st century. We need a new paradigm in security with a workforce that understands application security; the new frontier. WHY?
CYBER I liked it better when we could tell someone did not know what they were talking about by counting the use of the word 'cyber' It is all about risk to the organization Maybe just call it security?
Everything keeps changing… » The industry re-invents itself every 5 years » Which means that we have to do the same, evolve » Security must be multi-disciplinary » We must solve risk problems with common sense, science, and technology » Massive implications of interconnection
Cloud » We are still playing catch up with cloud » It can be a business enabler » Can also be a disaster » Not just outsourcing » Not just virtualization » Architecting security in cloud has changed
We have to stop saying no » We did so for far too long » The business routes around roadblocks » Users go direct to cloud, and route around IT » 'Yes, and let me help you with that' » Get the requirements to design security from the beginning, not as an afterthought
History » Firewalls - late 1980's early 1990's » Patching - 1990's » Anti-virus - early 2000 » End point security - now » Agents » What about those applications?
Attacks evolved » Server side attacks -> firewalls » Service exploits -> patching » Worms and bots -> anti-virus and anti-malware » Client side attacks -> patching and end point » Phishing -> user awareness training » Attackers logging into the application?
Network security » Network security has matured » More and more operationalized » Firewalls have moved from being a speciality to mostly being a networking role » Intrusion Detection/Prevention IDS and IPS do not give us visibility into applications » Encryption makes it even more difficult
End point security » We are maturing security at the end point » Also gaining more visibility in user activities » A plethora of agents » We can do forensics on disk and memory » What about those applications?
Application security » We have limited visibility » Encryption is an increasing problem » Logging is an ongoing problem » Attackers use the applications with malicious intent, which can be difficult to differentiate from normal user behaviour
Applications » Almost everything involves applications » Mobile, web, containers, toasters… » The state of security in IoT and embedded systems is embarrassing » Every day there is a new framework! » New and old vulnerabilities
Application security issues »Security typically is not integrated into the development lifecycle »Companies are not investing enough in secure architecture and coding training » Application Security programs often lack structure and a systematic approach » We need to provide metrics to management
Requirements? » The business needs to help us help them » Both functional and business requirements » What does the application do? » Who will be using it? » Sensitivity of the data? » How does it process, store, transmit data?
Threat model » Asset inventory » Data categorization and classification » Who are the most likely threat sources/actors? » Identify and prioritize likely threats » What are their most likely targets » Probability and vectors?
Threat model to roadmap » Model attack and defense; broad or granular » How effective are the existing controls? » Level of sophistication and resourcing? » Now you have a threat model, develop a roadmap to mitigate
Behaviour » We need to model user behaviour » We need to have the applications log user actions so that we can study behaviour » This is both a visibility problem and a lack of tools that help us baseline users
DevSecOps.org » 'Everyone is responsible for security' www.devsecops.org » DevOps » Agile development » Cloud adoption » Security must be part of the solution with automation as much as possible
Solutions » The way forward is to better understand how to build security into our applications » We will adapt to new technologies and adopt strategies that make sense in the future
Questions?
Thanks! Adrien de Beaupré SANS ISC Handler Principal SANS Instructor and Author Consultant 613 797-3912 adrien@intru-shun.ca @adriendb

Recommended

Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingTonex
 
Cybersecurity Hands-On Training
Cybersecurity Hands-On TrainingCybersecurity Hands-On Training
Cybersecurity Hands-On TrainingTonex
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Matthew Rosenquist
 
Career in cyber security
Career in cyber securityCareer in cyber security
Career in cyber securityManjushree Mashal
 
Whitepaper Avira about Artificial Intelligence to cyber security
Whitepaper Avira about Artificial Intelligence to cyber securityWhitepaper Avira about Artificial Intelligence to cyber security
Whitepaper Avira about Artificial Intelligence to cyber securityGopiRajan4
 
Navigating Cybersecurity
Navigating CybersecurityNavigating Cybersecurity
Navigating CybersecuritySegun Ebenezer Olaniyan
 

Recommended

Mobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingMobile Security Training, Mobile Device Security Training
Mobile Security Training, Mobile Device Security TrainingTonex
 
Cybersecurity Hands-On Training
Cybersecurity Hands-On TrainingCybersecurity Hands-On Training
Cybersecurity Hands-On TrainingTonex
 
Cyber Security 2017 Challenges
Cyber Security 2017 ChallengesCyber Security 2017 Challenges
Cyber Security 2017 ChallengesLeandro Bennaton
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...
Challenges for the Next Generation of Cybersecurity Professionals - Matthew R...Matthew Rosenquist
 
Career in cyber security
Career in cyber securityCareer in cyber security
Career in cyber securityManjushree Mashal
 
Whitepaper Avira about Artificial Intelligence to cyber security
Whitepaper Avira about Artificial Intelligence to cyber securityWhitepaper Avira about Artificial Intelligence to cyber security
Whitepaper Avira about Artificial Intelligence to cyber securityGopiRajan4
 
Navigating Cybersecurity
Navigating CybersecurityNavigating Cybersecurity
Navigating CybersecuritySegun Ebenezer Olaniyan
 
Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015Security Innovation
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Security Automation and Machine Learning
Security Automation and Machine LearningSecurity Automation and Machine Learning
Security Automation and Machine LearningSiemplify
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
Cyber security report 2017 cisco 2017 acr_pdf
Cyber security report 2017 cisco 2017 acr_pdfCyber security report 2017 cisco 2017 acr_pdf
Cyber security report 2017 cisco 2017 acr_pdfMitch Cardoza, SPHR, Workforce Solutions Exec.
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesSlideTeam
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber securityInderjeet Singh
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceDarren Argyle
 
The Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian ReachThe Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian ReachRotary International
 
The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015Ollie Whitehouse
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtJohn D. Johnson
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceNational Retail Federation
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Community Protection Forum
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best PracticesEvolve IP
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 
What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developerstechtutorus
 

More Related Content

What's hot

Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationE.S.G. JR. Consulting, Inc.
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber securitySandip Juthani
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015Security Innovation
 
Security Automation and Machine Learning
Security Automation and Machine LearningSecurity Automation and Machine Learning
Security Automation and Machine LearningSiemplify
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsIBM Security
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesSlideTeam
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber securityInderjeet Singh
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceDarren Argyle
 
The Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian ReachThe Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian ReachRotary International
 
The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015Ollie Whitehouse
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtJohn D. Johnson
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceNational Retail Federation
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeDenim Group
 
Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Community Protection Forum
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best PracticesEvolve IP
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesAlex Rudie
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information SecurityAhmed Sayed-
 

What's hot (20)

Toward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network AutomationToward Continuous Cybersecurity with Network Automation
Toward Continuous Cybersecurity with Network Automation
 
The future of cyber security
The future of cyber securityThe future of cyber security
The future of cyber security
 
The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015The Future of Cybersecurity - October 2015
The Future of Cybersecurity - October 2015
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security Risk
 
Security Automation and Machine Learning
Security Automation and Machine LearningSecurity Automation and Machine Learning
Security Automation and Machine Learning
 
Breaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gapsBreaking down the cyber security framework closing critical it security gaps
Breaking down the cyber security framework closing critical it security gaps
 
Cyber security report 2017 cisco 2017 acr_pdf
Cyber security report 2017 cisco 2017 acr_pdfCyber security report 2017 cisco 2017 acr_pdf
Cyber security report 2017 cisco 2017 acr_pdf
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & Recommendations
 
Cyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation SlidesCyber Security For Organization Proposal PowerPoint Presentation Slides
Cyber Security For Organization Proposal PowerPoint Presentation Slides
 
Challenges in implementating cyber security
Challenges in implementating cyber securityChallenges in implementating cyber security
Challenges in implementating cyber security
 
Shift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber ResilienceShift Toward Dynamic Cyber Resilience
Shift Toward Dynamic Cyber Resilience
 
The Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian ReachThe Cyber Security Training Gap: Rotarian Reach
The Cyber Security Training Gap: Rotarian Reach
 
The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015The Technology Horizon & Cyber Security from EISIC 2015
The Technology Horizon & Cyber Security from EISIC 2015
 
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and DoubtThe Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
The Journey to Cyber Resilience in a World of Fear, Uncertainty and Doubt
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business Experience
 
Jump Start Your Application Security Knowledge
Jump Start Your Application Security KnowledgeJump Start Your Application Security Knowledge
Jump Start Your Application Security Knowledge
 
Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?Cyber Security Challenges: how are we facing them?
Cyber Security Challenges: how are we facing them?
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
 
Cybersecurity Risks for Businesses
Cybersecurity Risks for BusinessesCybersecurity Risks for Businesses
Cybersecurity Risks for Businesses
 
Starting your Career in Information Security
Starting your Career in Information SecurityStarting your Career in Information Security
Starting your Career in Information Security
 

Similar to Forget cyber, it's all about AppSec

What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019Ulf Mattsson
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developerstechtutorus
 
111.pptx
111.pptx111.pptx
111.pptxJESUNPK
 
How to Become a Cyber Security Specialist.doc
How to Become a Cyber Security Specialist.docHow to Become a Cyber Security Specialist.doc
How to Become a Cyber Security Specialist.docEmmanuelDaniel41
 
All About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxAll About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxInfosectrain3
 
Cloud Security Issues and Challenge.pptx
Cloud Security Issues and Challenge.pptxCloud Security Issues and Challenge.pptx
Cloud Security Issues and Challenge.pptxInfosectrain3
 
All About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxAll About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxinfosec train
 
Sonia randhawa speaks on cybersecurity and innovation
Sonia randhawa speaks on cybersecurity and innovationSonia randhawa speaks on cybersecurity and innovation
Sonia randhawa speaks on cybersecurity and innovationSonia Randhawa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxYoisRoberthTapiadeLa
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxVictoriaChavesta
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Alert Logic
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Rightpvanwoud
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
All About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptxAll About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptxInfosectrain3
 
Security Transformation
Security TransformationSecurity Transformation
Security TransformationFaisal Yahya
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)Norm Barber
 
RaoNayakShelve inNetworkingSecurityUser levelB.docx
RaoNayakShelve inNetworkingSecurityUser levelB.docxRaoNayakShelve inNetworkingSecurityUser levelB.docx
RaoNayakShelve inNetworkingSecurityUser levelB.docxaudeleypearl
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Ferenc Fresz
 
Assuring Reliable and Secure IT Services
Assuring Reliable and Secure IT ServicesAssuring Reliable and Secure IT Services
Assuring Reliable and Secure IT Servicestsaiblake
 
How Cyber Security Courses Opens Up Amazing Career Opportunities?
How Cyber Security Courses Opens Up Amazing Career Opportunities?How Cyber Security Courses Opens Up Amazing Career Opportunities?
How Cyber Security Courses Opens Up Amazing Career Opportunities?Robert Smith
 

Similar to Forget cyber, it's all about AppSec (20)

What i learned at issa international summit 2019
What i learned at issa international summit 2019What i learned at issa international summit 2019
What i learned at issa international summit 2019
 
Cyber security for Developers
Cyber security for DevelopersCyber security for Developers
Cyber security for Developers
 
111.pptx
111.pptx111.pptx
111.pptx
 
How to Become a Cyber Security Specialist.doc
How to Become a Cyber Security Specialist.docHow to Become a Cyber Security Specialist.doc
How to Become a Cyber Security Specialist.doc
 
All About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxAll About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptx
 
Cloud Security Issues and Challenge.pptx
Cloud Security Issues and Challenge.pptxCloud Security Issues and Challenge.pptx
Cloud Security Issues and Challenge.pptx
 
All About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptxAll About Cyber Security Orientation Program (Foundational Level).pptx
All About Cyber Security Orientation Program (Foundational Level).pptx
 
Sonia randhawa speaks on cybersecurity and innovation
Sonia randhawa speaks on cybersecurity and innovationSonia randhawa speaks on cybersecurity and innovation
Sonia randhawa speaks on cybersecurity and innovation
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Fortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptxFortify-Application_Security_Foundation_Training.pptx
Fortify-Application_Security_Foundation_Training.pptx
 
Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015Journey to the Cloud: Securing Your AWS Applications - April 2015
Journey to the Cloud: Securing Your AWS Applications - April 2015
 
Application Security Done Right
Application Security Done RightApplication Security Done Right
Application Security Done Right
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
All About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptxAll About Network Security & its Essentials.pptx
All About Network Security & its Essentials.pptx
 
Security Transformation
Security TransformationSecurity Transformation
Security Transformation
 
SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)SAM05_Barber PW (7-9-15)
SAM05_Barber PW (7-9-15)
 
RaoNayakShelve inNetworkingSecurityUser levelB.docx
RaoNayakShelve inNetworkingSecurityUser levelB.docxRaoNayakShelve inNetworkingSecurityUser levelB.docx
RaoNayakShelve inNetworkingSecurityUser levelB.docx
 
Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0Cyber_Services_2015_company_intro_ENG_v2p0
Cyber_Services_2015_company_intro_ENG_v2p0
 
Assuring Reliable and Secure IT Services
Assuring Reliable and Secure IT ServicesAssuring Reliable and Secure IT Services
Assuring Reliable and Secure IT Services
 
How Cyber Security Courses Opens Up Amazing Career Opportunities?
How Cyber Security Courses Opens Up Amazing Career Opportunities?How Cyber Security Courses Opens Up Amazing Career Opportunities?
How Cyber Security Courses Opens Up Amazing Career Opportunities?
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 

Recently uploaded (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 

Forget cyber, it's all about AppSec

  • 1. Modern Information Security; Forget Cyber, it's all about AppSec Adrien de Beaupré SANS ISC Handler Principal SANS instructor and course author Intru-Shun.ca Inc. ©2018 Intru-Shun.ca Inc.
  • 2. About me Principal SANS Instructor Black Belt & Martial Arts Enthusiast CoAuthor of SANS SEC 460 and 642 Consultant InfoSec full time since 2000
  • 3. Introduction » Why this presentation? » That cyber word » A little bit of history » Visibility is one problem » The future of InfoSec is AppSec » Application behaviour modeling » Solutions
  • 4. This discussion will focus on how modern information security has evolved and what we will need to move into the 21st century. We need a new paradigm in security with a workforce that understands application security; the new frontier. WHY?
  • 5. CYBER I liked it better when we could tell someone did not know what they were talking about by counting the use of the word 'cyber' It is all about risk to the organization Maybe just call it security?
  • 6. Everything keeps changing… » The industry re-invents itself every 5 years » Which means that we have to do the same, evolve » Security must be multi-disciplinary » We must solve risk problems with common sense, science, and technology » Massive implications of interconnection
  • 7. Cloud » We are still playing catch up with cloud » It can be a business enabler » Can also be a disaster » Not just outsourcing » Not just virtualization » Architecting security in cloud has changed
  • 8. We have to stop saying no » We did so for far too long » The business routes around roadblocks » Users go direct to cloud, and route around IT » 'Yes, and let me help you with that' » Get the requirements to design security from the beginning, not as an afterthought
  • 9. History » Firewalls - late 1980's early 1990's » Patching - 1990's » Anti-virus - early 2000 » End point security - now » Agents » What about those applications?
  • 10. Attacks evolved » Server side attacks -> firewalls » Service exploits -> patching » Worms and bots -> anti-virus and anti-malware » Client side attacks -> patching and end point » Phishing -> user awareness training » Attackers logging into the application?
  • 11. Network security » Network security has matured » More and more operationalized » Firewalls have moved from being a speciality to mostly being a networking role » Intrusion Detection/Prevention IDS and IPS do not give us visibility into applications » Encryption makes it even more difficult
  • 12. End point security » We are maturing security at the end point » Also gaining more visibility in user activities » A plethora of agents » We can do forensics on disk and memory » What about those applications?
  • 13. Application security » We have limited visibility » Encryption is an increasing problem » Logging is an ongoing problem » Attackers use the applications with malicious intent, which can be difficult to differentiate from normal user behaviour
  • 14. Applications » Almost everything involves applications » Mobile, web, containers, toasters… » The state of security in IoT and embedded systems is embarrassing » Every day there is a new framework! » New and old vulnerabilities
  • 15. Application security issues »Security typically is not integrated into the development lifecycle »Companies are not investing enough in secure architecture and coding training » Application Security programs often lack structure and a systematic approach » We need to provide metrics to management
  • 16. Requirements? » The business needs to help us help them » Both functional and business requirements » What does the application do? » Who will be using it? » Sensitivity of the data? » How does it process, store, transmit data?
  • 17. Threat model » Asset inventory » Data categorization and classification » Who are the most likely threat sources/actors? » Identify and prioritize likely threats » What are their most likely targets » Probability and vectors?
  • 18. Threat model to roadmap » Model attack and defense; broad or granular » How effective are the existing controls? » Level of sophistication and resourcing? » Now you have a threat model, develop a roadmap to mitigate
  • 19. Behaviour » We need to model user behaviour » We need to have the applications log user actions so that we can study behaviour » This is both a visibility problem and a lack of tools that help us baseline users
  • 20. DevSecOps.org » 'Everyone is responsible for security' www.devsecops.org » DevOps » Agile development » Cloud adoption » Security must be part of the solution with automation as much as possible
  • 21. Solutions » The way forward is to better understand how to build security into our applications » We will adapt to new technologies and adopt strategies that make sense in the future
  • 23. Thanks! Adrien de Beaupré SANS ISC Handler Principal SANS Instructor and Author Consultant 613 797-3912 adrien@intru-shun.ca @adriendb

Editor's Notes

  1. You may want to elaborate more on people and process issues in addition to tool problems. Examples in no particular order: Security isn’t integrated into the development lifecycle Companies aren’t investing enough in secure coding training Difficult to identify gaps in individual training (who is injecting the SQL injection?) Lack of asset and application inventory Missing process for “go-live” / subsequent releases Determining and capturing metrics for a baseline and progress (e.g. number of scans, flaw density, fix rate, compliance rate)- what’s the business value? How to executives know what to drive? Tools need canned score cards AppSec programs lack structure and systematic approach AWS especially limits the ability to scan and test in the cloud Policy and standards aren’t aligned to practical requirements Security professionals don’t understand differing requirements from different groups (HR/Legal vs web development) Lack of risk profile for various applications Inability to upgrade because of underlying components (Struts) More on the next page