Security by design is an approach to software development that seeks to make systems as free of vulnerabilities and attacks as possible through such measures as continuous testing, authentication safeguards and adherence to best programming practices.
2. 60+ The Team
22 Countries Served
400 Clients Served
Years in Business
Cyber Security: We help organizations develop and implement information security programs aligned with their corporate strategy.
Transformation, Compliance & Assurance: Assess and confirm the appropriateness of controls to safeguard business value and meet compliance standards.
Risk & Data Management: By designing and implementing solutions to combat financial crimes, we help customers manage their risks of fines and sanctions.
Data Privacy & Protection: As customers utilize the data they hold for strategic gains, we guide them in managing the risks associated with privacy and data legislation.
Core Values: Candour, Integrity, Curiosity, Extraordinary People, Exceptional Results
3. Presenter
Director of Cyber & Information Security
M.Sc., B.Sc., CCISO, CEH, CHFI, ECSA, CND, CISSP, CCSP, CISM, CISA, CSX, AZ-900
4. Security in the SDLC
Pen Testing Demo
Benefits/Best Practices/Tips
Obstacles to DevSecOps
Shifting Security Left
6. Source: Nullsweep.com
Business Requirements
Technical Design
• Security Design Review
• Data Flow Diagram
• Threat Modelling
Development
Testing
Security Gate
• Static Code Analysis
• Penetration Test
• Dynamic Testing
Deploy
Long iteration and development cycle
Security not considered in some stages
Security tends to be periodic instead of continuous
Makes changes difficult
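One way to turn the Security Gate step above from a periodic review into a check that runs on every pipeline, as an added example that is not from the deck or from Nullsweep.com: a small Python gate that normalises findings from a SARIF-style static-analysis report and a dynamic-scan report into one severity vocabulary and fails the build when a policy threshold is exceeded. The tool names, file paths, URLs, the POLICY thresholds and both report samples are constructed for illustration; only the SARIF `runs[].results[].level` values (error/warning/note) are the real SARIF vocabulary.

```python
"""Minimal CI security gate (added example, constructed inputs).

Normalises findings from two scanner reports and exits non-zero when the
counts exceed a per-severity policy, so the gate runs on every build
instead of once a year.
"""
import json
import sys
from collections import Counter
from dataclasses import dataclass

# Hypothetical gate policy: how many findings of each severity may remain
# before the stage fails. Severities absent from the policy are reported
# but never block the build.
POLICY = {"critical": 0, "high": 0, "medium": 5}

KNOWN_SEVERITIES = {"critical", "high", "medium", "low", "info"}

# Constructed SARIF-style SAST report (not output of any real tool).
SAMPLE_SAST = json.dumps({
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                                 "region": {"startLine": 42}}}]},
            {"ruleId": "hardcoded-secret", "level": "warning",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/settings.py"},
                                                 "region": {"startLine": 7}}}]},
            {"ruleId": "debug-logging", "level": "note",
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/views.py"},
                                                 "region": {"startLine": 113}}}]},
        ]}]
})

# Constructed DAST report as a flat list of alerts against a staging host.
SAMPLE_DAST = json.dumps([
    {"alert": "Missing HSTS header", "risk": "Low", "url": "https://staging.example/"},
    {"alert": "Reflected XSS", "risk": "High", "url": "https://staging.example/search"},
    {"alert": "Server version disclosed", "risk": "Informational", "url": "https://staging.example/"},
])


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    location: str


def normalise_severity(raw):
    """Map a scanner's severity word onto the gate's vocabulary.
    SARIF levels become high/medium/low; anything unrecognised is treated
    as 'high' so that the gate fails closed rather than silently passing."""
    sev = (raw or "").strip().lower()
    aliases = {"error": "high", "warning": "medium", "note": "low", "informational": "info"}
    sev = aliases.get(sev, sev)
    return sev if sev in KNOWN_SEVERITIES else "high"


def parse_sarif(text):
    """Extract findings from runs[].results[] of a SARIF-style document."""
    findings = []
    for run in json.loads(text).get("runs", []):
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown-sast")
        for result in run.get("results", []):
            location = "?"
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri", "?")
                line = phys.get("region", {}).get("startLine", "?")
                location = f"{uri}:{line}"
                break  # first location is enough for the summary
            findings.append(Finding(tool, result.get("ruleId", "?"),
                                    normalise_severity(result.get("level")), location))
    return findings


def parse_dast(text):
    """Extract findings from the constructed flat DAST alert list."""
    return [Finding("example-dast", a.get("alert", "?"),
                    normalise_severity(a.get("risk")), a.get("url", "?"))
            for a in json.loads(text)]


def evaluate(findings, policy=POLICY):
    """Compare severity counts against the policy.
    Returns (passed, counts, violations) where violations lists
    (severity, observed count, allowed limit) for each breached threshold."""
    counts = Counter(f.severity for f in findings)
    violations = [(sev, counts[sev], limit) for sev, limit in policy.items()
                  if counts[sev] > limit]
    return (not violations, dict(counts), violations)


def run_gate(sast_text, dast_text, policy=POLICY):
    """Combine both reports and evaluate them against the policy."""
    findings = parse_sarif(sast_text) + parse_dast(dast_text)
    passed, counts, violations = evaluate(findings, policy)
    return {"passed": passed, "counts": counts, "violations": violations, "findings": findings}


if __name__ == "__main__":
    result = run_gate(SAMPLE_SAST, SAMPLE_DAST)
    for f in result["findings"]:
        print(f"{f.severity:8} {f.tool:13} {f.rule:24} {f.location}")
    for sev, n, limit in result["violations"]:
        print(f"GATE: {n} {sev} finding(s) exceed the limit of {limit}")
    print("GATE PASSED" if result["passed"] else "GATE FAILED")
    sys.exit(0 if result["passed"] else 1)  # non-zero exit blocks the Deploy stage
```

Run it as a pipeline step after the static and dynamic scans have written their reports; with the constructed samples the gate fails because two high-severity findings (the SQL injection from static analysis and the reflected XSS from the dynamic scan) exceed the policy's limit of zero. Treating unknown severities as high is the deliberate failure-mode choice: a new scanner or a renamed level should stop the build, not slip past it.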
7. Only 19% of cybersecurity teams are involved at the start of new business initiatives.
Source: The EY Global Information Security Survey 2021
9. Faster and more efficient software delivery
Spot issues, bugs, and vulnerabilities earlier
More secure codebase and proactive security
Advance security, speed and agility
Continuous feedback and faster security vulnerability patching
Highly automated, standardized, and predictable security practices
Continuous integration and continuous deployment (CI/CD) processes
Decreased time to market
10. ... say that lack of skills is a significant hurdle in embedding security into development.*
... of university educated developers were not required to complete any courses focused on security for their degrees.**
... of developers say that their employers do not provide them with adequate training in software security.**
Figures shown on slide: 70%, 76%, 58%, ALMOST
Sources: *Freeform Dynamics, **DevOps.com
11. Source: NIST, (1) IBM Systems Institute
30x times more expensive when security issues are addressed at production (1)
[Chart: relative cost of fixing security issues by SDLC phase, scale 0 to 35; phases: Requirements/Architecture, Coding, Integration/Component Testing, System/Acceptance Testing, Production/Post Release]
12. Source: Symptai Consulting Limited Cyber Security Assessment Reports 2020-2022
Finding categories on chart: Improperly Configured Devices and Systems; Ineffective Patch Management Controls; Insufficient Cryptography; Inadequate or Improper Access Controls; Lack of Data Validation and Sanitization
Figures on chart: 42%, 16%, 11%, 7%, 5%
13. The earlier you can start looking at security, the better.
Human aspect (employees, staff, end users)
Continuous security testing process (daily, weekly, monthly) rather than annually, e.g. pen testing
15. Profile
Blue-chip conglomerate with several diversified companies in the Caribbean, Europe and North America. Business lines include Banking & Investments, Insurance, etc.
Business Imperative:
• Digital transformation journey across the group to develop solutions integrated into core systems by a series of back-end microservices (via APIs) and thereafter front-end interfaces that act as the user journeys. This is across mobile applications, etc.
Benefits:
• Security testing in the agile development process
• Threat and Risk Modelling
• Development of Data Flow diagrams
• Architecture reviews
• Security Testing (Web, API and Mobile (Android, iOS & Windows)): Authentication, Authorization, Session Management, Transport Security, Input/Output, Business Logic, Errors and Logging
• Automated & Manual Code Scans
Deliverables:
• Developer Training Session
• Test results for each sprint
• Security Issues documented in ticketing system
• Threat Model report
• Data flow diagrams
• Architecture feedback
• Monthly security report