
Fintech Belgium - MeetUp on The Right Tech for your FinTech - Philippe Cornette - Digitribe - 18-12-18


Published in: Economy & Finance
  1. Security & data privacy by design for new applications development. Philippe Cornette, Partner
  2. DigiTribe is an IT & business consulting company specialized in digital enablement & execution
     • 30+ hands-on experts & former C-level managers
     • 3 tribes: Cybersecurity, Digital enablement, Data Science
     • Customers: large & mid-sized organizations & Fintech
     • Mission: bring innovation, relevant digital practices and a start-up mindset to large corporate organizations
  3. Why are financial institutions increasing the number of Information Security Due Diligences / TPSA?
     • 63% of data breaches linked to a third-party component
     • 56% of companies have experienced a third-party breach in 2017
     • Data security laws and regulators increasingly require banks & insurance companies to perform sufficient oversight of their third-party vendors' data security protocols
     • By 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative (source: Gartner)
     • IoT, Open Banking APIs under PSD2, outsourcing, … and the FinTechs create new risks & opportunities
     • EBA & NBB: “While staying behind and ignoring fintech is a real risk for banks, they should still tread carefully when implementing fintech or, of course, any change. Banks should fully take into account the EBA’s 2018 “report on the prudential risks and opportunities arising for institutions from fintech” when considering, implementing or using fintech technologies, in the sense that they should take the necessary precautions to avoid, mitigate or reduce certain risks.”
     2018 | DigiTribe | Confidential
  4. (image-only slide, no extractable text)
  5. What do your customers expect?
     • Reduce the risk of information security incidents
     • Ensure that their offerings are secure and dependable
     • Gain active assurance that suppliers are protecting their data
     • Comply with legal and policy requirements
     • Enable informed decision making when selecting new suppliers
  6. Why security by design is important for the Fintechs
     • Entry ticket for new contracts (third-party assessment, due diligence requirements)
     • Compliance (e.g. GDPR, NIS, PCI DSS, …)
     • Key differentiator / marketing advantage
     • Reduced cost of fixing bugs
  7. Defense in Depth
  8. System layers where security may be compromised
  9. Software security requirements
  10. Security by Design principles
     • Secure the weakest link
     • Minimize attack surface area
     • Establish secure defaults
     • Principle of least privilege
     • Principle of defense in depth
     • Fail securely
     • Don’t trust services
     • Separation of duties
     • Avoid security by obscurity
     • Keep security simple
     • Fix security issues correctly
     • Promote privacy
  11. Secure SDLC
  12. Questions to ask yourself
     Requirements
     • Do you gather security objectives?
     • How are they mapped to the rest of the design process?
     Design
     • Does your team conduct security architecture and design reviews?
     • Do you use checklists to drive the process? Do you revise them over time?
     • Does your team create threat models to understand and prioritize risk?
     Coding
     • Does your team use a formalized set of secure coding best practices?
     • What type of code scanning tools do you use?
     • Do you perform code reviews against security best practices?
     Testing
     • Does your team conduct third-party or internal penetration tests?
     • Are your testers / QA trained on the latest attack trends and test techniques?
     • Do you use security testing tools?
  13. Secure coding
  14. Secure Coding
     • Secure software does not happen by itself. It requires consistently applied methodologies across the organization.
     • Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities. Defects, bugs and logic flaws are consistently the primary cause of commonly exploited software vulnerabilities.
     • This includes acceptance tests for third-party code (e.g. libraries downloaded from the internet).
  15. The importance of knowing how to code with style… guide
  16. Coding style guide
     Coding standards benefits
     • Code clarity / easier to understand
     • Easier to maintain
     • Reduces bugs
     • Simplifies code reviews
     • Shorter learning curve for new team members
     • Consistency across large and distributed teams
     • Comply with internal or regulatory quality initiatives
     Business benefits
     • Improve software quality
     • Accelerate time to market
     • Enhance customer satisfaction
     • Reduce long-term cost
     • Improve productivity
  17. Open Source Security
     • Component: the average application consists of 106 open source components.
     • Vulnerability: a typical application contains 23 known vulnerabilities.
     • License: most applications include at least 8 GPL-licensed components.
     • Architecture: many components in use are old, unsupported, and unpopular.
     The need for open source security management became front-page news in 2017 owing to a major data breach at Equifax (consumer credit rating agency). The breach (due to an Apache Struts security hole) compromised the information of over 148 million U.S. consumers, nearly 700,000 U.K. residents, and more than 19,000 Canadian customers.
  18. Open source, libraries and frameworks: best practices
     • Use libraries and frameworks from trusted sources that are actively maintained and widely used.
     • Create and maintain an inventory catalogue of all third-party libraries.
     • Proactively keep libraries and components up to date; use tools like OWASP Dependency-Check or Retire.JS to identify project dependencies and check whether there are known, publicly disclosed vulnerabilities in any third-party code.
     • Reduce the attack surface by encapsulating the library and exposing only the required behaviour to your software.
     • Manage your technical debt.
     • Create a concise open source security policy.
  19. (image-only slide, no extractable text)
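As an added illustration of the inventory and vulnerability-check practices on slides 14 and 18 (this is example code written for this page, not DigiTribe's material or the output of the tools named above), the script below parses a pinned dependency list into an inventory catalogue and flags every entry whose version is older than the first fixed version in an advisory list. The inventory text, the package versions and the advisories are constructed for the example; in practice the inventory would be fed to OWASP Dependency-Check or Retire.JS and the advisories would come from a vulnerability database. It also shows one caveat an acceptance test should enforce: an unpinned dependency cannot be inventoried, so it is rejected rather than silently skipped.

```python
"""Added example, not from the DigiTribe deck: keep an inventory catalogue of
third-party libraries and flag entries below a fixed version from an advisory
feed. The inventory text and the advisories are constructed for the example.
"""
from typing import Dict, List, Tuple

# Constructed inventory in pip requirements style (name==version).
INVENTORY_TEXT = """\
# third-party inventory (constructed sample)
requests[security]==2.19.1
Flask==0.12.2
cryptography==2.3
leftpad==1.0.0
"""

# Constructed advisories: (package, first fixed version, note).
# Any installed version below "first fixed" is treated as affected.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("requests", "2.20.0", "constructed advisory: upgrade to 2.20.0 or later"),
    ("flask", "1.0.0", "constructed advisory: upgrade to 1.0.0 or later"),
    ("cryptography", "2.3.0", "constructed advisory: 2.3.0 is the first fixed release"),
]


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.19.1' into (2, 19, 1). Trailing zeros are dropped so that
    '2.3' and '2.3.0' compare equal. Only dotted numeric versions are handled;
    pre-release tags such as '1.0rc1' would need a fuller parser."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, first_fixed: str) -> bool:
    """True when the installed version is older than the first fixed one."""
    return version_key(installed) < version_key(first_fixed)


def parse_inventory(text: str) -> Dict[str, str]:
    """Parse 'name==version' lines into {name: version}.

    Names are lower-cased and extras such as '[security]' are dropped so they
    match advisory names. An unpinned line (no '==') is rejected: a component
    whose version is unknown cannot be checked against advisories.
    """
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency cannot be inventoried: {line!r}")
        name, version = line.split("==", 1)
        name = name.split("[", 1)[0].strip().lower()
        inventory[name] = version.strip()
    return inventory


def find_vulnerable(inventory: Dict[str, str],
                    advisories: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one finding per inventory entry that is below an advisory's
    first fixed version, sorted by package name."""
    findings: List[Dict[str, str]] = []
    for package, first_fixed, note in advisories:
        installed = inventory.get(package.lower())
        if installed is not None and is_affected(installed, first_fixed):
            findings.append({"package": package, "installed": installed,
                             "first_fixed": first_fixed, "note": note})
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in find_vulnerable(parse_inventory(INVENTORY_TEXT), ADVISORIES):
        print(f"{f['package']}=={f['installed']} -> fix in {f['first_fixed']}: {f['note']}")
```

On the constructed input the check reports flask and requests and leaves cryptography alone, because `2.3` and `2.3.0` are the same release; a comparison on raw strings would have flagged it, which is the kind of false positive that erodes trust in a dependency gate.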
  20. What can DigiTribe do for you?
     • Risk, cybersecurity & GDPR assessment & gap analysis (ISO 27001, NIST, SWIFT CSP, GDPR, …)
     • IT strategy, architecture and governance
     • Cybersecurity strategy, roadmap & implementation
     • CISO & DPO as a service
     • Support to answer TPSA
     • Third-party assessment of your suppliers
     • Partnership on solutions with our customers
     • Second opinion as a service
  21. To contact us: +32 478403012