SESSION ID: ASD-W10F
#RSAC
Securing 100 Products - How Hard Can It Be?
Nir Valtman, CISSP, CSSLP
Head of Application Security, NCR Corporation
@ValtmaNir
© 2017 NCR Corporation. All rights reserved.
Why Does This Talk Matter?
2
You Like Expensive Stuff!
Someone Will Pay You Lots Of $$$ To Do It
You May Need To Secure Many Products
It's A Big Challenge To Secure 100 Products
Provides Practical Approaches To Secure 100 Products
Meet Dave!
3
Accountable for product security
Products are cloud-based, self-hosted or installed on customers' premises
Some of the products are regulated
Needs to keep the company out of the news
Has executive support
Avatar generated on avatarmaker.com
The Daily Challenges
4
Need to secure a single high-risk product. Who's involved?
• Software R&D
• Product Management
• Solution Management
• Hardware Solutions
• Professional Services
• IT Services
• CISO
• Legal
• Internal Audit
Mapping The Business Owners
5
Product #1: Software R&D, CISO, Legal, Product Management, Internal Audit
Product #2: Software R&D, CISO, Legal, Product Management, Solution Management, Hardware Solutions
Product #100: Software R&D, IT, CISO, Legal, Product Management, Solution Management, Professional Services
Will I Finish This Mapping Soon?
6
Scoping The Accountability
Core vs. Extensions
8
Diagram: a Core/Vanilla product surrounded by customer-specific Extensions (Customer #1, Customer #2 and Customer #N), with a question mark: which of these is the app sec team accountable for?
Difficult To Control All Engineering Parties
9
Three parties talking past each other:
Application Security: "Security requirements are documented!"
Software R&D: "APIs are documented!"
Professional Services: "Who cares? BYOAPI rocks!!"
Resource Diversity & Limitations
Distinct Technologies
The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement.
Diverse Application Security Tools
12
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Interactive Application Security Testing (IAST)
• Software Composition Analysis (SCA)
The trademarks specified above are trademarks or registered trademarks of their respective owners. This slide is intended for informational purposes only and does not represent any endorsement.
Labor Limitations
13
App sec labor is 1%-2% of engineering org size
Application Security Maturity Program
So Simple To Follow Guidelines, Isn't It?
Governance – Easy To Say, Difficult To Control
15
OpenSAMM practices: Strategy & Metrics, Policy & Compliance, Education & Guidance
• Develop an S-SDLC; enforce the S-SDLC
• Provide technology-specific training; map, track and drive trainings to completion
• Define a risk management and risk acceptance process; get executives to sign off on a security risk
Construction – Relatively Difficult
16
Threat Assessment
• Documenting risks in an agile development lifecycle consumes resources
• Consider 3rd-party software risks
Security Requirements
• Should security be involved in all requirements sessions?
• Who audits the security requirements?
Secure Architecture
• Providing best practices for various product types
• Auditing the teams for following the secure architecture guidelines
Verification – Roadblocks Ahead!
17
Design Review
• Get the/a design diagram from engineering teams… lots of teams!!!
• Working with many smart engineering people – they know everything!
Code Review
• Utilizing automation is great if ALL bug tracking, code repo, and build systems are centralized
• Scaling automation for 100 products is nearly impossible (technology & labor wise)
Security Testing
• Automation = [sophisticated] vulnerability scanning. Manual work = penetration test!
• Manual testing at this scale is very expensive ($$$)
Deployment – Only Sounds Easy
18
Vulnerability Management
• A "shadow"-operated IRT vs. an IT-operated IRT
Environment Hardening
• Work with every engineering team to QA hardening
• If I define it and it doesn't work, they're responsible
Operational Enablement
• Enforce an operational security guide per product
Perspective On 1 Of 100 Products
19
Application Security Maturity Overview (bar chart, 0.00-3.00 scale)
Practices: Strategy & Metrics, Policy & Compliance, Education & Guidance, Threat Assessment, Security Requirements, Secure Architecture, Design Analysis, Implementation Review, Security Testing, Issue Management, Environment Hardening, Operational Enablement
Data labels as extracted, in chart order: 1.60, 2.60, 3.00, 1.00, 2.60, 1.35, 1.70, 2.10, 1.67, 1.68, 2.35, 1.70
Perspective On 1 Of 100 Products
20
Additional Considerations
• Number of items per development lifecycle stage (e.g. pending QA, not started, in dev, etc.)
• Average time to mitigate a vulnerability
• Prioritized list of outstanding Epics/User Stories/Bugs
Perspective On 100 Products
21
Perspective On 100 Products
22
Product names are sanitized
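The single-product maturity chart and the 100-product view above are easier to act on with a small roll-up: per-product practice scores average into OpenSAMM business-function scores and an overall score, the weakest practices surface for the next roadmap, products rank worst-first across the portfolio, and a year-over-year delta gives the "maturity rank increases" metric from the Measuring Effectiveness slide. This is an added Python example, not code from the talk or from NCR. The twelve practice names are the chart's, the grouping into Governance, Construction, Verification and Deployment is OpenSAMM's (the same grouping the specialties table uses), and the scores are constructed sample data: the first product reuses the twelve numbers from the chart in the order they were extracted, assumed to match the practice order, and the second product is made up.

```python
"""Roll up OpenSAMM-style maturity scores across a product portfolio.

Added example (not from the talk). Scores use the 0-3 OpenSAMM scale;
the practice names are the twelve on the maturity chart, grouped into
OpenSAMM's four business functions. Sample data below is constructed.
"""
from statistics import mean

DOMAINS = {
    "Governance": ["Strategy & Metrics", "Policy & Compliance", "Education & Guidance"],
    "Construction": ["Threat Assessment", "Security Requirements", "Secure Architecture"],
    "Verification": ["Design Analysis", "Implementation Review", "Security Testing"],
    "Deployment": ["Issue Management", "Environment Hardening", "Operational Enablement"],
}
PRACTICES = [p for names in DOMAINS.values() for p in names]
MAX_SCORE = 3.0


def validate(scores):
    """Reject incomplete score sets or values outside the 0-3 scale."""
    missing = [p for p in PRACTICES if p not in scores]
    if missing:
        raise ValueError(f"missing practices: {missing}")
    bad = {p: v for p, v in scores.items() if not 0.0 <= v <= MAX_SCORE}
    if bad:
        raise ValueError(f"scores outside 0-{MAX_SCORE:g}: {bad}")


def domain_scores(scores):
    """Average of the three practices in each business function."""
    validate(scores)
    return {d: round(mean(scores[p] for p in ps), 2) for d, ps in DOMAINS.items()}


def overall_score(scores):
    """Unweighted average over all twelve practices."""
    validate(scores)
    return round(mean(scores[p] for p in PRACTICES), 2)


def weakest_practices(scores, n=3):
    """The n lowest-scoring practices: candidates for next quarter's roadmap."""
    validate(scores)
    return sorted(PRACTICES, key=lambda p: (scores[p], PRACTICES.index(p)))[:n]


def portfolio_view(products):
    """products: {name: {practice: score}}.

    Returns (per-practice portfolio average, products ranked worst-first).
    """
    for s in products.values():
        validate(s)
    per_practice = {p: round(mean(s[p] for s in products.values()), 2) for p in PRACTICES}
    ranking = sorted((overall_score(s), name) for name, s in products.items())
    return per_practice, ranking


def yoy_delta(last_year, this_year):
    """Per-practice change between two assessments; positive means improved."""
    validate(last_year)
    validate(this_year)
    return {p: round(this_year[p] - last_year[p], 2) for p in PRACTICES}


# Constructed sample data. SAMPLE-01 reuses the twelve numbers from the chart
# (assumed to be in practice order); SAMPLE-02 is made up.
SAMPLE_01 = dict(zip(PRACTICES, [1.60, 2.60, 3.00, 1.00, 2.60, 1.35,
                                 1.70, 2.10, 1.67, 1.68, 2.35, 1.70]))
SAMPLE_02 = {p: 2.0 for p in PRACTICES}
SAMPLE_02["Security Testing"] = 1.0
SAMPLE_02["Environment Hardening"] = 3.0
PORTFOLIO = {"SAMPLE-01": SAMPLE_01, "SAMPLE-02": SAMPLE_02}

if __name__ == "__main__":
    print("SAMPLE-01 by domain:", domain_scores(SAMPLE_01))
    print("SAMPLE-01 overall:", overall_score(SAMPLE_01))
    print("SAMPLE-01 weakest:", weakest_practices(SAMPLE_01))
    averages, ranking = portfolio_view(PORTFOLIO)
    print("portfolio weakest practice:", min(averages, key=averages.get))
    print("products worst-first:", ranking)
```

The unweighted average is deliberate: weighting practices by product type is a policy decision (the prioritization slide later in the deck), and keeping the roll-up neutral makes year-over-year comparisons honest when the weighting changes.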
"Don't Reinvent The Wheel, Just Realign It!"
(Anthony J. D'Angelo)
NCR's App Sec Team's Specialties
24
• Application Security Architect
• Application Security Engineer
• Application Security Program Manager
• Application Security Risk & Compliance Manager
NCR's App Sec Team's Specialties Mapping
25
Specialties: Security Architecture, Program Management, Risk Management & Compliance, Application Security Engineering (one V per specialty that covers the activity)
OpenSAMM Domain | Activity | Specialties
Governance | Strategy & Metrics | V V
Governance | Policy & Compliance | V
Governance | Education & Guidance | V V V V
Construction | Threat Assessment | V
Construction | Security Requirements | V V V
Construction | Secure Architecture | V
Verification | Design Review | V
Verification | Code Review | V V
Verification | Security Testing | V
Deployment | Vulnerability Mgmt | V V
Deployment | Environment Hardening | V
Deployment | Operational Enablement | V
Prioritizing Security
26
Prioritization matrix
Product Type: Internet-Facing & Regulated; Internet-Facing; Internal & Regulated; Internal
Financial Impact: >$5M; $1M-$5M; $500K-$1M; <$500K
Strategy: Investments & Commitments
Budgeting Labor Correctly – The Formula
27
App sec labor as % of R&D, by product type:
Internet-Facing & Regulated: 2%
Internet-Facing: 1%
Internal & Regulated: 1%
Internal: 0.3%
Split of the app sec team by specialty (% of app sec):
Program Manager: 20%
Risk & Compliance: 10%
Architecture: 23%
Engineering: 47%
R&D Labor Count Example
An Internet-facing & regulated product suite that is developed by an org of 1000 employees needs:
2% x 1000 = 20 app sec team members, consisting of 4 PM, 2 R&C, 4.6 Architects and 9.4 Engineers
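The formula on this slide as an added Python example (not code from the talk or from NCR). The two ratio tables are the slide's; the function names and the sample portfolio are assumptions made for the example. It goes beyond the slide's single product: a whole portfolio is budgeted in one pass, so the total can be checked against the 1%-2% labor ceiling from the Labor Limitations slide, and unknown product types or negative headcounts are rejected rather than silently budgeted at zero.

```python
"""App sec labor budget from R&D headcount, by product type and specialty.

Added example (not from the talk). The ratios are the ones on the slide;
product names and headcounts below are constructed sample data.
"""
from math import isclose

# % of R&D headcount to budget for app sec, by product type (from the slide).
RND_RATIO = {
    "internet-facing & regulated": 0.02,
    "internet-facing": 0.01,
    "internal & regulated": 0.01,
    "internal": 0.003,
}

# How the resulting app sec team splits by specialty (from the slide).
SPECIALTY_SPLIT = {
    "program management": 0.20,
    "risk & compliance": 0.10,
    "architecture": 0.23,
    "engineering": 0.47,
}
assert isclose(sum(SPECIALTY_SPLIT.values()), 1.0), "specialty split must sum to 100%"


def appsec_headcount(product_type, rnd_headcount):
    """Raw (fractional) app sec headcount for one product."""
    key = product_type.strip().lower()
    if key not in RND_RATIO:
        raise ValueError(f"unknown product type {product_type!r}; expected one of {sorted(RND_RATIO)}")
    if rnd_headcount < 0:
        raise ValueError("R&D headcount cannot be negative")
    return RND_RATIO[key] * rnd_headcount


def split_by_specialty(total):
    """Fractional headcount per specialty, rounded to one decimal as on the slide."""
    return {s: round(total * share, 1) for s, share in SPECIALTY_SPLIT.items()}


def portfolio_budget(products):
    """products: iterable of (name, product_type, rnd_headcount).

    Returns (per-product headcount, total headcount, total split by specialty).
    The split is computed on the unrounded total so rounding errors do not add up.
    """
    per_product = {}
    total = 0.0
    for name, ptype, rnd in products:
        hc = appsec_headcount(ptype, rnd)
        per_product[name] = round(hc, 1)
        total += hc
    return per_product, round(total, 1), split_by_specialty(total)


# Constructed sample portfolio (names and sizes are made up). The first entry
# is the slide's own worked example.
SAMPLE_PORTFOLIO = [
    ("Payments API", "Internet-Facing & Regulated", 1000),
    ("Customer Portal", "Internet-Facing", 400),
    ("Back-Office Tool", "Internal", 300),
]

if __name__ == "__main__":
    per_product, total, by_specialty = portfolio_budget(SAMPLE_PORTFOLIO)
    print(per_product)
    print(total, by_specialty)
```

Fractional heads are kept on purpose: 4.6 architects is a signal that one product alone cannot justify a fifth architect, which is exactly the argument for pooling app sec specialists across products rather than embedding one per team.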
A Lesson Learned
28
Even with an aggressive strategy, hiring app sec people is a REAL bottleneck!
(Nir Valtman, RSA Conference 2017)
Measuring Effectiveness!
29
Ongoing
• Escalations from engineering teams asking for security resources are a good sign
• Status reports must be balanced: neither all green nor all red
Measuring Effectiveness!
30
Year Over Year
• Overall application security maturity rank increases
• Number of reported security vulnerabilities decreases
• Engineers will always make mistakes: use 3rd parties to assess
Scaling Out Team's Capabilities
31
Security Questionnaire For Engaging An App Sec Architect: 10 Yes/No Questions
Scaling Out Team's Capabilities
32
Security Questionnaire For Engaging An App Sec Architect: 10 Yes/No Questions
Examples of the questions:
• Is data classified?
• Do you follow the S-SDLC?
• Is data encrypted?
• Do you handle sensitive data related to PII/PCI?
• Is security automation integrated into the pipeline?
• Is it a consumer-facing mobile app?
Scaling Out Team's Capabilities
33
Security Questionnaire For Engaging An App Sec Architect: 10 Yes/No Questions
Delivery format, from good to best: File (Good), Collaboration Page (Better), Workflow (Best)
Scaling Up Security
34
Application Security Must Fit Into Any Pipeline
Pipeline stages: Plan, Code, Build, Test, Release, Deploy, Operate (Dev, then Ops)
Methodologies layered over the pipeline: Agile Development, Continuous Integration, Continuous Delivery
Scaling Up Security Using Release Automation
35
Controls placed along the pipeline (some appear at more than one stage):
• Static App Sec Testing (SAST)
• Interactive App Sec Testing (IAST)
• Binary Signing
• Code Obfuscation
• Dynamic App Sec Testing (DAST)
• Vulnerability Scanning
• Runtime App Self Protection (RASP)
Scaling Up Security When Lacking Automation
36
Identify Quick Wins
• Static App Sec Testing (SAST)
• Binary Signing
• Code Obfuscation
• Dynamic App Sec Testing (DAST)
• Vulnerability Scanning
Even A Long-Term Plan Is A Viable Plan
• Penetration Tests
• Manual Code Review
Finding The Partnerships – Use Cases
37
Partnership drivers: Customer Needs, Industry Trends, Regulations, Security
Additional Tips
38
Securing 100 products takes years.
Start by investing 80% of the resources in 20% of the products.
Reflect your success!
• Trending charts of app sec metrics
• Integration of tools into the build process
• Share product certification completions
• Speak at RSA Conference
Apply What You Have Learned Today
40
Next week you should:
• Generate a security engagement questionnaire (10 Yes/No Qs)
• Identify security tool implementation quick wins
In the first three months following this presentation you should:
• Establish an application security maturity program
• Develop a product security strategy based on
  — Company's strategy
  — Development methodologies & pipelining tools
  — Product types
Within six months you should:
• Hopefully map all products & owners
• Start executing the strategy
41
QUESTIONS
Nir Valtman
Nir.Valtman@ncr.com
@ValtmaNir
