A culture change
08/10/2019
Security in development lifecycle
Gemalto / THALES DIS
Introducing Gemalto (09.10.19)
We focus on six main markets – but serve many others
• Banking & Payment
• Enterprise Security
• Government
• Mobile
• IoT
• Software Monetization
For the world’s governments & biggest brands
• 200+ government programs
• 30,000+ enterprises
• 3,000+ financial institutions
• 450 mobile operators
Internet of Things: Connect. Secure. Monetize
Connecting elderly patients to keep them safe
OUR CLIENTS
• Integrators
• Mobile network operators
• Automotive & mobility players
• Consumer electronics
• Smart energy providers
• Healthcare device suppliers
• Smart home device makers
OUR SOLUTIONS
• Optimized connectivity: wireless modules & terminals, eSIM, MIM
• Flexible subscription management: On-Demand Connectivity
• End-to-end IoT security: secure elements, data encryption, ID management & verification
Case study: OnKöl partners with Gemalto to securely power health and home monitoring devices that connect elderly patients with their caregivers.
Mobile: Connecting more. Securing all
OUR CLIENTS
• Mobile network operators
• Device manufacturers
• Service providers
OUR SOLUTIONS
• People & device authentication: multi-tenant removable & embedded secure elements
• Subscription management: eSIM solutions, device personalization & activation
• Trusted digital identity: digital enrollment and ID verification, biometrics
• Cloud security: cloud authentication and data protection
• Big data analytics and AI: network operations, customer support, marketing insights
Case study: Faster ID checks for Telefónica Deutschland. Gemalto’s Digital Identity Verification service optimizes the customer acquisition process and confirms the authenticity of a vast range of identity documents (passports, ID cards etc.) in real time.
New development challenges
Overall challenges: connect securely, cloud resources, continuous deployment
A new generation of customers expects everything to be connected and a constant stream of updates.
Customers want their service providers to deliver faster, more often, with higher quality, and to adapt more quickly to their needs.
Service providers want to focus on their services and consume secured infrastructures and platforms as commodities.
Digital devices are no longer just in our pockets or our offices, but increasingly in our homes, buildings, and across cities.
Customer and service provider expectations are rising.
Respect of privacy is valued
Sharing? Yes, but not everything
People want to share information at scale while having their privacy respected.
Personal and corporate data should be kept private and only shared under clear rules.
Privacy and the right to be forgotten will be top of mind for consumers when selecting a merchant or service provider.
Policy makers and regulators are increasingly vigilant about the management of private data.
Data expectations are rising… and enforced.
A product lifecycle view
[Figure: product lifecycle under continuous deployment]
Security in development lifecycle
Security actors
As continuous deployment dramatically speeds up the pace of development, bolt-on security performed by security specialists won't scale…
… so security MUST be a primary concern of the development team.
Continuous Secure Deployment
Continuous Secure Deployment is… empowered engineering teams taking ownership of how their product performs in production, including security.
“Security teams are no longer gate keepers but rather tool-smiths and advisors”
Larry Maccherone, Comcast Senior Director
Continuous Secure Deployment Manifesto
• Build security in, more than bolt it on
• Rely on empowered engineering teams, more than on security specialists
• Implement features securely, more than implement security features
• Rely on continuous learning, more than on end-of-phase gates
• Build on culture change, more than on policy enforcement
Security in continuous deployment
Security activities along the Dev/Ops loop, from design through operation:
• Security by design
• Security test plan
• ISRA
• Threat modelling
• Secure coding standards
• Static code analysis
• Code review
• Security test cases
• Antivirus scan
• OSS vulnerability assessment
• OSS assessment
• Security test campaign
• Penetration test
• Compliance validation
• Fuzzing
• Deployment strategy (canary, red/black)
• Traffic shape configuration
• Configuration validation
• Configuration as code
• Vulnerability assessment
• Intruder detection
• Application attack detection
• Service restoring (or maintaining)
• Chaos engineering
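As an added example (not code from this deck, nor from Gemalto/Thales), here is the kind of small pipeline gate a security team acting as "tool-smith" would hand to development teams so that the static code analysis and OSS vulnerability assessment steps above become an automatic checkpoint owned by the developers. It merges findings from both scanners, applies a severity threshold, honours time-boxed waivers (so a known finding does not block every build forever, but cannot be ignored forever either), refuses to waive critical findings, and fails closed on severities it does not recognise. The report shapes, rule and advisory identifiers, package names and waiver dates are all constructed for illustration and do not correspond to any real scanner output or real vulnerability.

```python
"""Security gate for a CI pipeline: merge SAST and OSS-audit findings,
apply a policy, and decide whether the build may proceed (added example)."""
import json
from dataclasses import dataclass, field
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
PIPELINE_DATE = date(2019, 10, 9)  # "today" for the sample run (constructed)


@dataclass(frozen=True)
class Finding:
    source: str    # "sast" or "oss"
    rule: str      # SAST rule id or advisory id
    severity: str  # expected to be a SEVERITY_RANK key
    location: str  # file:line for SAST, package==version for OSS


@dataclass
class Policy:
    block_at: str = "high"            # this severity and above blocks the build
    never_waive_at: str = "critical"  # this severity and above cannot be waived
    waivers: dict = field(default_factory=dict)  # rule id -> expiry (ISO date)


@dataclass
class GateResult:
    passed: bool
    blocking: list
    waived: list
    expired_waivers: list


def parse_sast(report_json: str) -> list:
    """Simplified SAST report: {"results": [{"ruleId","level","file","line"}]}.
    This shape is constructed for the example, not a real scanner's format."""
    data = json.loads(report_json)
    return [Finding("sast", r["ruleId"], r["level"], f'{r["file"]}:{r["line"]}')
            for r in data["results"]]


def parse_oss_audit(report_json: str) -> list:
    """Simplified dependency audit: {"vulnerabilities": [{"package","version","id","severity"}]}."""
    data = json.loads(report_json)
    return [Finding("oss", v["id"], v["severity"], f'{v["package"]}=={v["version"]}')
            for v in data["vulnerabilities"]]


def evaluate(findings, policy: Policy, today: date) -> GateResult:
    """Decide pass/fail. Unknown severities block (fail closed); waivers are
    time-boxed and never apply at or above policy.never_waive_at."""
    blocking, waived, expired = [], [], []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower())
        if rank is None:               # unrecognised severity: do not silently pass
            blocking.append(f)
            continue
        if rank < SEVERITY_RANK[policy.block_at]:
            continue                    # reported, but below the gate threshold
        if rank >= SEVERITY_RANK[policy.never_waive_at]:
            blocking.append(f)          # too severe to waive, whatever the waiver list says
            continue
        expiry = policy.waivers.get(f.rule)
        if expiry is None:
            blocking.append(f)
        elif date.fromisoformat(expiry) < today:
            expired.append(f)           # waiver lapsed: surfaces again as blocking
            blocking.append(f)
        else:
            waived.append(f)
    return GateResult(not blocking, blocking, waived, expired)


# Constructed sample reports; identifiers and packages are illustrative only.
SAST_REPORT = json.dumps({"results": [
    {"ruleId": "hardcoded-secret", "level": "high", "file": "app/config.py", "line": 12},
    {"ruleId": "insecure-random", "level": "medium", "file": "app/token.py", "line": 40},
    {"ruleId": "sql-string-concat", "level": "high", "file": "app/db.py", "line": 77},
]})
OSS_AUDIT = json.dumps({"vulnerabilities": [
    {"package": "examplelib", "version": "1.2.0", "id": "ADV-0001", "severity": "critical"},
    {"package": "otherlib", "version": "0.9.1", "id": "ADV-0002", "severity": "low"},
]})
SAMPLE_POLICY = Policy(waivers={
    "sql-string-concat": "2099-01-01",  # still valid on PIPELINE_DATE
    "hardcoded-secret": "2019-01-01",   # lapsed: the finding blocks again
})


def run_gate(today: date = None) -> GateResult:
    """Run the gate over the constructed sample reports."""
    findings = parse_sast(SAST_REPORT) + parse_oss_audit(OSS_AUDIT)
    return evaluate(findings, SAMPLE_POLICY, today or PIPELINE_DATE)


if __name__ == "__main__":
    result = run_gate()
    print("GATE", "PASSED" if result.passed else "FAILED")
    for f in result.blocking:
        print(f"  BLOCK  {f.source:4} {f.severity:8} {f.rule} @ {f.location}")
    for f in result.waived:
        print(f"  WAIVED {f.source:4} {f.severity:8} {f.rule} @ {f.location}")
```

Run as a script it prints a failed gate with two blocking findings (the critical advisory, which cannot be waived, and the high SAST finding whose waiver has lapsed) and one waived finding. The two design choices worth copying are the expiry on every waiver, which turns a "temporary" exception into a dated commitment the team must revisit, and the fail-closed handling of unknown severities, so a scanner format change cannot quietly turn the gate green.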
Security in development lifecycle results
• It is scary to QA and Security, but shifting security left and handing it to developers leads to time and cost benefits and to dramatically lower rates of customer-experienced defects and vulnerabilities.
• Security crucially impacts any technology choice.
• Knowing the security risks allows them to be taken into account at design time.
• The customer is at ease when we can speak fluently about the security of our software.
• Security processes and checkpoints allow security to be handled like any other functionality.
Want to know more?