#RSAC
SESSION ID: GRC-F03
SCALING AN APPLICATION SECURITY PROGRAM AT THE IMF: A CASE STUDY
Jason Li
Senior Manager
Aspect Security (now part of EY)
@InnocuousInfo
Majid Malaika
Application Security Specialist
International Monetary Fund
@MajidMalaika
THE VIEWS EXPRESSED HEREIN ARE THOSE OF THE SPEAKERS AND SHOULD NOT BE ATTRIBUTED TO THE IMF, ITS EXECUTIVE BOARD, OR ITS MANAGEMENT.
How did we get here?
What does your application security (AppSec) program look like?
Just starting / Still young / Mature
Wait, what?? Where am I?!?
Application security is hard
New field
Rapidly changing environment
Competing priorities
Industry still behind
Why are you doing this?
Prerequisites for success
Management
Accurate and up-to-date asset inventory
Baseline and a plan
Deep technical knowledge of software development
Approach
Develop current state or “as-is” security capabilities and maturity assessment
Develop strategy or “to-be” security capabilities
Perform gap analysis
Develop transition plan from current state to target state
AppSec programs have to be tailored
Plan
Application risk profiling
Secure Software Development Lifecycle (SDLC) integration services
Tailored application security training and guidance
Application security automation
Vulnerability management
Application Security Risk Level (ASRL)
Application questionnaire inputs: network environment, development process, application architecture, usage scenarios, security controls, data classification
Application Security Risk Level (ASRL)
Model calibration: representative sampling of applications, scoring calculation, sanity check
Application Security Risk Levels: Very High, High, Medium, Low, Very Low
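The ASRL steps above (questionnaire, scoring calculation, calibration on a representative sample, sanity check, mapping to the five levels) as an added worked example. This is not the talk's or the IMF's model: the factor weights, the 0..4 answer scale, the midpoint calibration rule and every application named below are constructed assumptions.

```python
"""ASRL scoring and calibration: an added example, not the talk's or the IMF's
model. Questionnaire -> scoring calculation -> calibration on a representative,
hand-rated sample -> sanity check -> five levels. Weights, the 0..4 answer scale,
the midpoint calibration rule and every application are constructed assumptions."""
from collections import Counter, namedtuple

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
App = namedtuple("App", "name answers expert_level", defaults=(None,))

# The six questionnaire areas from the slide, each answered 0..4 (assumed scale).
# Higher means more exposure, except security_controls, where higher means
# stronger controls, hence its negative weight.
WEIGHTS = {
    "network_environment": 1.0,       # 0 isolated internal .. 4 internet-facing
    "development_process": 0.8,       # 0 mature SDLC .. 4 ad hoc, no reviews
    "application_architecture": 0.8,  # 0 simple, standalone .. 4 many/legacy
    "usage_scenarios": 1.0,           # 0 a few staff .. 4 anonymous public
    "security_controls": -1.2,        # 0 none .. 4 strong (lowers the score)
    "data_classification": 1.5,       # 0 public .. 4 highly restricted
}

def score(answers):
    """Weighted sum of the answers rescaled to 0..100. An incomplete or
    out-of-range questionnaire is rejected, not defaulted: a silently defaulted
    answer would shift an application's level without anyone noticing."""
    for factor in WEIGHTS:
        value = answers.get(factor)
        if not isinstance(value, int) or not 0 <= value <= 4:
            raise ValueError(f"{factor}: expected an integer 0..4, got {value!r}")
    raw = sum(WEIGHTS[f] * answers[f] for f in WEIGHTS)
    lowest = sum(min(0.0, 4 * w) for w in WEIGHTS.values())
    highest = sum(max(0.0, 4 * w) for w in WEIGHTS.values())
    return round(100 * (raw - lowest) / (highest - lowest), 1)

def calibrate(sample):
    """Derive the four cut points between the five levels from hand-rated
    applications: each cut is the midpoint between the highest score at one level
    and the lowest at the next. Empty or out-of-order levels are rejected."""
    by_level = {lvl: [] for lvl in LEVELS}
    for app in sample:
        if app.expert_level not in by_level:
            raise ValueError(f"{app.name}: unknown level {app.expert_level!r}")
        by_level[app.expert_level].append(score(app.answers))
    empty = [lvl for lvl in LEVELS if not by_level[lvl]]
    if empty:
        raise ValueError(f"sample not representative, nothing rated {empty}")
    cuts = [(max(by_level[lo]) + min(by_level[hi])) / 2
            for lo, hi in zip(LEVELS, LEVELS[1:])]
    if cuts != sorted(cuts):
        raise ValueError(f"expert levels overlap in score, revisit weights: {cuts}")
    return cuts

def level_for(value, cuts):
    """Map a 0..100 score to a level using the calibrated cut points."""
    for lvl, cut in zip(LEVELS, cuts):
        if value < cut:
            return lvl
    return LEVELS[-1]

def sanity_check(sample, cuts):
    """Re-score the sample; return (name, expert level, model level) for every
    application where the model disagrees with the expert. Empty means it holds."""
    result = []
    for app in sample:
        modelled = level_for(score(app.answers), cuts)
        if modelled != app.expert_level:
            result.append((app.name, app.expert_level, modelled))
    return result

def distribution(apps, cuts):
    """Percent of the portfolio at each level, for the expected-vs-actual view."""
    counts = Counter(level_for(score(app.answers), cuts) for app in apps)
    return {lvl: round(100 * counts[lvl] / len(apps), 1) for lvl in LEVELS}

def _answers(net, dev, arch, usage, ctrl, data):
    return dict(zip(WEIGHTS, (net, dev, arch, usage, ctrl, data)))

# Constructed calibration sample with hand-assigned levels.
SAMPLE = [
    App("build-dashboard", _answers(0, 1, 1, 0, 3, 1), "Very Low"),
    App("lab-wiki", _answers(0, 2, 0, 1, 2, 0), "Very Low"),
    App("static-brochure", _answers(4, 0, 0, 3, 4, 0), "Low"),
    App("cafeteria-menu", _answers(1, 3, 1, 1, 1, 0), "Low"),
    App("expense-tool", _answers(1, 2, 2, 2, 3, 2), "Medium"),
    App("project-tracker", _answers(2, 1, 2, 2, 2, 2), "Medium"),
    App("hr-intranet", _answers(1, 2, 2, 2, 2, 4), "High"),
    App("treasury-reports", _answers(2, 2, 3, 1, 2, 4), "High"),
    App("payments-gateway", _answers(4, 1, 4, 3, 3, 4), "Very High"),
    App("public-portal", _answers(4, 2, 3, 4, 2, 3), "Very High"),
]

# Constructed remainder of the portfolio: profiled, but not hand-rated.
PORTFOLIO = SAMPLE + [
    App("ops-runbooks", _answers(0, 1, 0, 1, 3, 1)),
    App("room-booking", _answers(1, 1, 1, 2, 2, 1)),
    App("vendor-extranet", _answers(3, 2, 2, 2, 2, 3)),
    App("legacy-ledger", _answers(1, 4, 4, 1, 0, 4)),
]
```

Calling `calibrate(SAMPLE)`, then `sanity_check` and `distribution(PORTFOLIO, cuts)` reproduces the three calibration steps on the slide; a non-empty sanity-check list is the signal to revisit the weights before profiling the rest of the portfolio.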
Benefits of ASRL
SDLC integration
CASE STUDY
Actual results and lessons learned
Case study: ASRL process
Challenges we faced:
Lack of continuity hurt efficiency
Teams found questions confusing
Same owner for many applications
Legacy apps with new owners
Discrepancy between collected fields and asset inventory fields
Lessons learned:
Use a dedicated resource
Update based on experiences
Short meetings across multiple weeks
Provide questions in advance
Work with asset inventory team to update
ASRL results
[Chart: expected results vs. actual results, share of applications (0% to 45%) at each level: Very High, High, Medium, Low, Very Low]
Case study: targeted training
Challenges we faced:
Roles need different training
Outsourced development results in staff that comes and goes
Developers geographically dispersed
Off-the-shelf trainings insufficiently tailored
Lessons learned:
Ensure role-based curriculum
Include security training requirements in contract agreements
Favor e-learning/recorded modules
Mix commodity training with custom developed modules
Training results
Three main series
Security awareness
Secure processes/activities
Technical application security
Nine roles identified
28 e-learning modules
Case study: application security guidance
Challenges we faced:
Teams don’t have time to read docs
Teams need relevant guidance
Organization moving toward cloud
Lessons learned:
Streamline as two-page reference
Tailor to most common architectures
Highlight standard control equivalents
Case study: Application Security Knowledge Domains (ASKDs)
[Diagram: example ASKD for a SharePoint farm, with components and connections colour-coded against the legend below. Components shown: User and Example Admin (Ops Team) reaching the farm over the Internet; Central Administration; Web Front End; Web Crawler (Search); Document Repository; SharePoint Services; Business Intelligence (PerformancePoint, Excel Services, Power Pivot); IntraLinks (Content Management), Control Point (Reporting) and Nintex (Workflow); SharePoint App; Application Servers running SQL Server Reporting Services (SSRS) and SQL Server Analysis Services (SSAS); Active Directory; Site Admin; Config, Services and Content DBs; External DBs; NTFS Cluster FS for Large Blobs. Connections are labelled HTTPS, with HTTPS (IWA/Basic NTLM) on the user-facing path.]
Legend:
Present and Requires Limited Action
Present but Not Standard
Not Provided
Provided But Irrelevant to Security
Present but Requires Action
Case study: road map status
Part of a multiyear program build-out
Still progress to be made
What does the future look like?
New testing methods
New development paradigms
Emerging trend toward security champions
How can you start applying?
Next week you should:
Get buy-in from management
In the first three months following this presentation you should:
Identify your set of profiling questions
Model an initial sample set of applications to calibrate
Align appropriate security activities based on risk level
Within six months you should:
Complete the profiling of your application portfolio
Identify program activities based on portfolio trends
Begin assessing your highest risk applications
Takeaways
Find your crown jewels
Buy-in from management
Don’t do the same thing for every application
A stitch in time saves nine …
QUESTIONS?
Jason Li (@InnocuousInfo)
Majid Malaika (@MajidMalaika)
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2018 Ernst & Young LLP. All Rights Reserved.
ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Scaling an Application Security Program at the IMF: A Case Study

  • 17. CASE STUDY: Actual results and lessons learned
  • 18. Case study: ASRL process
    Challenges we faced:
    - Lack of continuity hurt efficiency
    - Teams found questions confusing
    - Same owner for many applications
    - Legacy apps with new owners
    - Discrepancy between collected fields and asset inventory fields
    Lessons learned:
    - Use a dedicated resource
    - Update based on experiences
    - Short meetings across multiple weeks
    - Provide questions in advance
    - Work with asset inventory team to update
  • 19. ASRL results
    [Two bar charts, "Expected results" and "Actual results": share of applications at each level (Very High, High, Medium, Low, Very Low), y-axis 0% to 45%.]
  • 20. Case study: targeted training
    Challenges we faced:
    - Roles need different training
    - Outsourced development results in staff that comes and goes
    - Developers geographically dispersed
    - Off-the-shelf trainings insufficiently tailored
    Lessons learned:
    - Ensure role-based curriculum
    - Include security training requirements in contract agreements
    - Favor e-learning/recorded modules
    - Mix commodity training with custom developed modules
  • 21. Training results
    - Three main series: security awareness; secure processes/activities; technical application security
    - Nine roles identified
    - 28 e-learning modules
  • 22. Case study: application security guidance
    Challenges we faced:
    - Teams don't have time to read docs
    - Teams need relevant guidance
    - Organization moving toward cloud
    Lessons learned:
    - Streamline as two-page reference
    - Tailor to most common architectures
    - Highlight standard control equivalents
  • 23. Case study: Application Security Knowledge Domains (ASKDs)
    [Diagram: example ASKD for a SharePoint farm. Actors: User, Admin (Ops Team), Internet. Components: Central Administration, Web Front End, Web Crawler (Search), Document Repository, SharePoint Services, Business Intelligence (PerformancePoint, Excel Services, Power Pivot), Application Server (SSRS, SQL Server Reporting Services), Application Server (SSAS, SQL Server Analysis Services), SharePoint App, External DBs, Site Admin, Config Services DBs, Content DBs, NTFS Cluster FS (Large Blobs), Active Directory; third-party add-ons IntraLinks (Content Mgmt), Control Point (Reporting), Nintex (Workflow). Connections labelled HTTPS (IWA/Basic NTLM) and HTTPS. Legend: Present and Requires Limited Action; Present but Not Standard; Not Provided; Provided But Irrelevant to Security; Present but Requires Action.]
  • 24. Case study: road map status
    - Part of a multiyear program build-out
    - Still progress to be made
    What does the future look like?
    - New testing methods
    - New development paradigms
    - Emerging trend toward security champions
  • 25. How can you start applying?
    Next week you should:
    - Get buy-in from management
    In the first three months following this presentation you should:
    - Identify your set of profiling questions
    - Model an initial sample set of applications to calibrate
    - Align appropriate security activities based on risk level
    Within six months you should:
    - Complete the profiling of your application portfolio
    - Identify program activities based on portfolio trends
    - Begin assessing your highest risk applications
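The three-month steps above (profiling questions, a calibration sample, activities aligned to risk level) carried through as a small scoring model. This is an added example, not code from the presenters or the IMF: the questionnaire dimensions and the five ASRL levels are the deck's, but the 0-4 answer scale, the weights, the percentile calibration rule, the activity mapping and the sample portfolio are all assumptions made for the illustration.

```python
"""Application Security Risk Level (ASRL) profiling, worked example.

Added illustration only: the six questionnaire dimensions and the five
levels come from the deck; the 0-4 answer scale, the weights, the
calibration rule, the sample portfolio and the activity mapping are
assumptions made for this example, not the IMF's model.
"""
from collections import Counter
from statistics import quantiles

LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
MAX_ANSWER = 4  # assumed scale: 0 (least exposure) .. 4 (most exposure)

# Assumed weights. "security_controls" is answered as control strength
# (0 = none, 4 = strong) and is therefore inverted before weighting.
WEIGHTS = {
    "data_classification": 4.0,
    "network_environment": 2.5,
    "usage_scenarios": 2.0,
    "application_architecture": 2.0,
    "development_process": 1.0,
    "security_controls": 1.0,
}

# Assumed alignment of SDLC security activities to each level.
ACTIVITIES = {
    "Very High": ["threat model", "manual code review", "SAST and DAST per release", "penetration test per major release"],
    "High": ["threat model", "SAST and DAST per release", "penetration test before go-live"],
    "Medium": ["SAST and DAST per release"],
    "Low": ["SAST in CI"],
    "Very Low": ["dependency scanning in CI"],
}


def score(answers):
    """Weighted questionnaire answers normalised to a 0..100 risk score."""
    total = 0.0
    for dim, weight in WEIGHTS.items():
        value = answers[dim]  # a missing dimension raises KeyError on purpose
        if not 0 <= value <= MAX_ANSWER:
            raise ValueError(f"{dim}: answer {value} outside 0..{MAX_ANSWER}")
        if dim == "security_controls":
            value = MAX_ANSWER - value  # stronger controls lower the score
        total += weight * value
    return 100.0 * total / (MAX_ANSWER * sum(WEIGHTS.values()))


def calibrate(sample_scores):
    """Cut points from a representative sample: the 20/40/60/80th
    percentiles, so the sample starts out spread evenly over the five
    levels. The sanity check decides whether that split is acceptable."""
    if len(sample_scores) < 5:
        raise ValueError("need at least five sampled applications")
    return quantiles(sorted(sample_scores), n=5, method="inclusive")


def classify(risk_score, thresholds):
    """Map a score onto a level using four ascending cut points."""
    for level, cut in zip(LEVELS, thresholds):
        if risk_score < cut:
            return level
    return LEVELS[-1]


def sanity_check(thresholds, anchors):
    """Compare the model with hand-rated anchor applications.
    Returns (name, expected, modelled) for every disagreement; an empty
    list means the calibration passes."""
    mismatches = []
    for name, answers, expected in anchors:
        modelled = classify(score(answers), thresholds)
        if modelled != expected:
            mismatches.append((name, expected, modelled))
    return mismatches


def profile(portfolio, thresholds):
    """Score and level every application, plus the level distribution in
    percent (the figure the deck compares against its expected spread)."""
    result = {n: (score(a), classify(score(a), thresholds)) for n, a in portfolio.items()}
    counts = Counter(level for _, level in result.values())
    dist = {lvl: 100.0 * counts[lvl] / len(result) for lvl in LEVELS}
    return result, dist


# Constructed sample portfolio; names and answers are made up for the example.
SAMPLE_PORTFOLIO = {
    "payments-portal":      dict(data_classification=4, network_environment=4, usage_scenarios=4, application_architecture=3, development_process=2, security_controls=2),
    "hr-self-service":      dict(data_classification=3, network_environment=2, usage_scenarios=3, application_architecture=2, development_process=2, security_controls=3),
    "intranet-wiki":        dict(data_classification=1, network_environment=1, usage_scenarios=2, application_architecture=1, development_process=1, security_controls=3),
    "public-brochure-site": dict(data_classification=0, network_environment=4, usage_scenarios=1, application_architecture=1, development_process=1, security_controls=3),
    "batch-report-job":     dict(data_classification=2, network_environment=0, usage_scenarios=0, application_architecture=1, development_process=1, security_controls=2),
    "data-warehouse-api":   dict(data_classification=4, network_environment=2, usage_scenarios=2, application_architecture=3, development_process=3, security_controls=1),
    "dev-sandbox":          dict(data_classification=0, network_environment=1, usage_scenarios=0, application_architecture=0, development_process=0, security_controls=4),
    "vendor-portal":        dict(data_classification=3, network_environment=4, usage_scenarios=3, application_architecture=2, development_process=1, security_controls=1),
}

if __name__ == "__main__":
    cuts = calibrate([score(a) for a in SAMPLE_PORTFOLIO.values()])
    # Anchors: applications an assessor has rated by hand before modelling.
    anchors = [
        ("payments-portal", SAMPLE_PORTFOLIO["payments-portal"], "Very High"),
        ("public-brochure-site", SAMPLE_PORTFOLIO["public-brochure-site"], "Low"),
    ]
    print("cut points:", [round(c, 1) for c in cuts])
    print("sanity check mismatches:", sanity_check(cuts, anchors))
    levels, dist = profile(SAMPLE_PORTFOLIO, cuts)
    for name, (s, lvl) in sorted(levels.items(), key=lambda kv: -kv[1][0]):
        print(f"{name:22s} {s:5.1f} {lvl:9s} {', '.join(ACTIVITIES[lvl])}")
    print("distribution (%):", dist)
```

Running it shows the sanity check doing its job: the assessor rated the public brochure site "Low" (no sensitive data), but the model places it in "Medium" because the assumed weight on network exposure outweighs the empty data classification. That disagreement is the signal to revisit the weights or cut points before profiling the whole portfolio, which is the "sanity check" step of calibration rather than a reason to overrule the assessor.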
  • 26. Takeaways
    - Find your crown jewels
    - Buy-in from management
    - Don't do the same thing for every application
    - A stitch in time saves nine …
  • 28. EY | Assurance | Tax | Transactions | Advisory
    About EY: EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
    © 2018 Ernst & Young LLP. All Rights Reserved. ED None
    This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com