The document discusses assessing the security of cloud SaaS solutions. It covers cloud security standards like ISO 27001, CSA Cloud Controls Matrix, and CSA STAR certification. Trust in the cloud is difficult due to lack of transparency from cloud providers. The document provides approaches for evaluating a cloud provider's security controls, privacy practices, and data protection. It also includes sample questions from the CSA consensus assessment initiative to assess these areas for a specific cloud SaaS solution.
Active Directory in ICS: Lessons Learned From The Field - Digital Bond
Donovan Tindall of Honeywell at the S4x15 Operations Technology Day (OTDay). A meaty but practical technical session on how to use Active Directory to help manage and secure your ICS.
Managing Multiple Assessments Using Zero Trust Principles - ControlCase
ControlCase discusses the following:
• What “One Audit” for multiple assessments is
• Current research
• Zero Trust principles for IT security
• Remote assessment methodology
Unidirectional Security, Andrew Ginter of Waterfall Security - Digital Bond
This presentation reviews the spectrum of perimeter solutions based on unidirectional technology - solutions that are being deployed to protect the safety and reliability of industrial control systems. Learn why the technology is truly unidirectional based on physics and different ways it can be used in SCADA and DCS.
Many practitioners find parts of the spectrum to be counter-intuitive. Further, some parts of the spectrum are straightforward to deploy, and others require that practitioners take some care to ensure that the results really are as strong as they should be. Technologies and techniques covered include unidirectional gateways, secure bypass, temporary/programmed gateway reversals, opposing gateways, secure remote access, and parallel operations and IT WANs.
The answer is no for about 90% of the cyber assets, because the risk reduction achieved is very minimal. Spend your effort elsewhere. The presentation goes over categories of security patching in ICS and recommends prioritized security patching.
ControlCase discusses the following:
• About the cloud
• About PCI DSS
• PCI DSS in the cloud
• How to keep sensitive data secure as you move to the cloud
• Q&A
Using a Network Model to Address SANS Critical Controls 10 and 11 - Skybox Security
Skybox Security joins SANS to show how a network model gives insight into your attack surface and how it can be used to address SANS Critical Controls 10 and 11.
Cloud Security: Limitations of Cloud Security Groups and Flow Logs - Priyanka Aash
Cloud Security Groups are the firewalls of the cloud. They are built in and provide basic access control functionality as part of the shared responsibility model. However, Cloud Security Groups do not provide the same protection or functionality that enterprises have come to expect from on-premises deployments. In this talk we discuss the top cloud risks in 2020, why perimeters are a concept of the past, and how, in a world without perimeters, Cloud Security Groups, the "cloud firewalls", fit in. We practically explore Cloud Security Group limitations across different cloud setups, from a single vNet to multi-cloud.
Ralph Langner of The Langner Group at S4x15 OTDay.
Ralph explains how the RIPE framework and associated tools and templates can be used to implement and measure an ICS security program. This session was followed by a nuclear plant owner/operator who was implementing RIPE.
Attacking and Defending Autos Via OBD-II from escar Asia - Digital Bond
This presentation from escar Asia goes into detail on the Progressive Snapshot dongle security problems, but it also addresses common issues found in ICS security and the path forward: for example, the insecure-by-design problem, the lack of thought given to embedded product security, the importance of a security perimeter as the immediate best security solution, and the medium- to long-term solutions.
The IBM Security Intelligence Platform, also known as QRadar®, integrates SIEM, log management, anomaly detection, vulnerability management, risk management and incident forensics into a unified, highly scalable, real-time solution that provides superior threat detection, greater ease of use, and lower total cost of ownership compared with competitive products.
View this webcast to learn how you can accelerate your security transformation from traditional SIEM to a unified platform for incident detection, investigation and advanced security analysis. Understand why organizations are moving to a true big data security platform where compliance is a byproduct of security, not the other way around. More via http://bcove.me/d2e9wpd2
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur - Alan Yau Ti Dun
Like any information security process, cyber security needs an adequate and reasonable level of assurance, which completes the security perspective when combined with governance and management processes. Cyber security assurance requires a comprehensive set of controls that covers risk as well as management processes. These controls are supported by appropriate metrics and indicators for security goals and factual security risk. This session shares a cybersecurity self-assessment program for carrying out an audit or self-assessment review of cyber security controls and practices in a typical organisation. The assurance program leverages the COBIT 5 framework and COBIT 5 for Information Security as a baseline.
Symantec Cyber Security Solutions minimize the potential business impact of increasingly sophisticated and targeted attacks by reducing the time it takes to detect, assess and respond to security incidents.
Auditing & Assessing The Risk Of Cloud Service Providers at Auditworld 2015 ... - Alan Yau Ti Dun
When weighing options for increasing enterprise computing capabilities or seeking ways to improve IT operational efficiency, the prevailing method is to integrate an external IT services vendor, commonly referred to as a cloud service provider (CSP). There is a high probability that audit clients will engage a CSP to manage their IT needs. Learn how to cope with the audit and risk assessment challenges related to this emerging technology trend in this key session.
• Understanding the various cloud service levels and implementation types
• Identifying compliance, service level agreement and other important duties each party must perform
• Understanding the complexities of auditing internal controls, data security, privacy and performance related to the cloud
• Mitigating the underlying business risks associated with adopting a cloud-based IT model
Top PCI Pitfalls and How to Avoid Them: The QSA’s Perspective - AlgoSec
Ever wish you could get inside your QSA’s head before your next PCI audit?
QSA Adam Gaydosh of Anitian, and Nimmy Reichenberg, VP of Strategy at AlgoSec present the inside scoop on what QSAs are looking for when they audit you. Aimed at security and networking professionals, this webinar will provide insider tips and tricks to help you prepare for and pass your audit – wherever your credit card data is stored – and remain continuously compliant even if you’re breached.
Learn about the pitfalls your colleagues have already faced, and how to make the audit experience less stressful, including:
- Less is more: demystifying the scope of a PCI audit
- What’s in and what’s out: Segmenting your network for compliance
- Best practices for configuring your security infrastructure
- PCI in the public cloud – it’s not an oxymoron
For many companies, Cyber Security is achieved solely through the application of technological solutions to software and hardware challenges. Schneider-Electric takes a more holistic approach with a program built around complete product lifecycles and encompassing safety, maintenance and security. Discover Schneider-Electric's cyber security vision, from understanding how secure functionality is engineered into products through the tools and support available to manage updates and patches, plus specific procedures for handling potential vulnerabilities. A software and hardware ecosystem is only as strong as its weakest component, and Schneider-Electric is working to strengthen this through StruXureware and the evolution of platforms.
Webinar presented live on January 10, 2018.
Version 3.0 of Security for Cloud Computing: Ten Steps to Ensure Success has just been released for publication. Read it here: http://www.cloud-council.org/deliverables/security-for-cloud-computing-10-steps-to-ensure-success.htm
As organizations consider a move to cloud computing, it is important to weigh the potential security benefits and risks involved and to set realistic expectations with cloud service providers. The aim of this guide is to help enterprise information technology (IT) and business decision makers analyze the security implications of cloud computing for their business.
In this webinar, authors of the paper will discuss:
• Security, privacy and data residency challenges relevant to cloud computing
• Considerations that organizations should weigh when migrating data, applications, and infrastructure to a cloud computing environment
• Threats, technology risks, and safeguards for cloud computing environments
• A cloud security assessment to help customers assess the security capabilities of cloud service providers
Learn how PTC Cloud Services can provide you peace of mind for your ever-evolving security needs. To learn more or to speak to a Cloud Security expert, go to
Webinar presentation September 20, 2016.
This deck introduces the CSCC’s deliverable, Cloud Security Standards: What to Expect and What to Negotiate V2.0, which was updated in August 2016 to reflect the latest developments in cloud security standards. The presentation is an overview of the various security standards, frameworks, and certifications that exist for cloud computing. This information will help cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable here: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Applying Technologies Across the End-to-End Pharmacovigilance Process to Incr... - MyMeds&Me
MyMeds&Me CEO Andrew Rut and Oracle Health Science's Director of Safety Analytics, Michael Braun-Boghos review the positive impacts of technology on current pharmacovigilance processes.
Webinar presentation: November 17, 2016
Subject matter experts from the CSCC present an overview of the security standards, frameworks, and certifications that exist for cloud computing. We also discuss privacy considerations in light of new regulations (e.g., EU’s General Data Protection Regulation (GDPR)). This presentation helps cloud customers understand and distinguish between the different types of security standards that exist and assess the security standards support of their cloud service providers.
Read the CSCC's deliverable, Cloud Security Standards: What to Expect and What to Negotiate: http://www.cloud-council.org/deliverables/cloud-security-standards-what-to-expect-and-what-to-negotiate.htm
Intelligent Maintenance: Mapping the #IIoT Process - Dan Yarmoluk
A presentation about Industrial IoT, the value chain and real-world use cases; how to create value with IoT at your organization with an emphasis on predictive maintenance (bearing fault detection).
CSP and LegalTech in Leeds hosted an event on Thursday 9th February 2023. This event discussed ‘Data and Cyber Security’ to help the Legal sector be more aware, protected and secure.
Remote Control Automobiles at ESCAR US 2015 - Digital Bond
Corey Thuen of Digital Bond Labs gave this presentation at the Embedded Systems in Cars (ESCAR) US event in May 2015.
He assessed the security, or lack thereof, in the Progressive Snapshot dongle. This is an important example of how an attacker could gain remote access to a car's CANBus.
The last part of the presentation goes over some CANBus tools that are available at Digital Bond's GitHub.
Bryan Owen of OSIsoft at S4x15 OTDay.
Bryan shows how to harden a Windows service generically, and then specifically the service used by OSIsoft's PI Server.
Jonathan Pollet and Mark Heard of Red Tiger Security at S4x15 OTDay.
The NIST Cybersecurity Framework (CSF) has been out for a year now, and some owner/operators have begun to use it to help create an ICS cyber security program. The Red Tiger Security team discusses what the CSF is and their experience in using it with real-world clients.
Liam Randall of Critical Stack at S4x15 Operations Technology Day. Liam is a Bro guru and describes how it can be used to monitor communications, detect attacks and analyze data.
Tatsuaki Takebe of Yokogawa Electric Corporation provides the closing keynote with a focus on international standards activity and how it affects the Japanese ICS community.
Internet Accessible ICS in Japan (English) - Digital Bond
Dale Peterson of Digital Bond gathered reports and examples from Shodan researchers to quantify and describe ICS devices that are connected to the Internet in Japan. It is not a small number and some of the examples are compelling.
Survey and Analysis of ICS Vulnerabilities (Japanese) - Digital Bond
Masaki Kubo of JPCERT provides some statistical analysis of ICS vulnerabilities. He also looks at the coding errors that caused the vulnerabilities and takes an in-depth look at recent Yokogawa vulnerabilities.
ICS Security Training ... What Works and What Is Needed (Japanese) - Digital Bond
Tomomi Aoyama of Nagoya Institute of Technology discusses Red/Blue and other types of ICS training. She identifies what is effective and offers suggestions for future training.
Vulnerability Inheritance in ICS (English) - Digital Bond
Reid Wightman of Digital Bond Labs shows how software libraries integrated into ICS can bring vulnerabilities along with them.
In this case it is the CoDeSys library bringing vulnerabilities to more than 200 products, including PLCs from Hitachi and Sanyo-Denki. Reid goes into the vulnerabilities and shows the tools that can exploit them.
Equally important is the vendor misrepresenting that the vulnerabilities were fixed when they were not, and the vendors, Hitachi and Sanyo-Denki to name two, that did not test the security of the libraries before including them in their products and selling them to customers.
Dale Peterson and Corey Thuen pinch hit for Kyle Wilhoit to present his concept of malware incubation. It is creating a realistic environment for malware to be grown so that it can be studied and help with incident response.
Dynamic Zoning Based On Situational Activity in ICS (Japanese) - Digital Bond
Wataru Machii of the Nagoya Institute of Technology introduces this novel defensive measure, which alters the perimeter defenses or zoning based on certain operational modes or observed activity.
There are numerous possibilities for this idea.
Corey Thuen of Digital Bond Labs describes in technical detail how Havex/Dragonfly enumerated OPC servers.
Havex is the second ICS malware ever seen in the wild.
Unsolicited Response - Getting BACnet Off of the Internet (Japanese) - Digital Bond
Terada-san from Hitachi provides a quick, unsolicited response session on how they investigated systems Shodan identified as Hitachi. They were in fact Advantech systems, and they were tracked down.
Using Assessment Tools on ICS (English) - Digital Bond
Dale Peterson of Digital Bond describes the methodology of using security assessment tools on an operational ICS. He also discusses how to best use the features and functions of these tools.
Sharing Plant Data with Phones, Tablets and the Cloud (English) - Digital Bond
Dale Peterson of Digital Bond describes how to share plant data without putting the integrity and availability of the ICS at risk. He also describes the dangers of allowing remote access to an ICS.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo... - James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Generative AI Deep Dive: Advancing from Proof of Concept to Production - Aggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs - Alex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
The new frontiers of AI in RPA with UiPath Autopilot™ - UiPathCommunity
In this free online event, organised by the Italian UiPath Community, you can explore the new features of Autopilot, the tool that integrates artificial intelligence into the development and use of automations.
Together we will look at some examples of how Autopilot is used in different tools of the UiPath Suite:
Autopilot for Studio Web
Autopilot for Studio
Autopilot for Apps
Clipboard AI
GenAI applied to Document Understanding
Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
Removing Uninteresting Bytes in Software Fuzzing - Aftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis's slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is, and finally what testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
A tale of scale & speed: How the US Navy is enabling software delivery from l... - sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
2. Schneider Electric 2– Digital Services Transformation – Matthew Theobald – January 2015
Agenda
1. Introduction
2. Cloud Security Standards
3. Trust in the Cloud
4. Privacy in the Cloud
5. Exercise – Assessing Security of a Cloud SaaS Solution
INTRODUCTION
Control System Data in the Cloud
● ICS vendors are beginning to develop cloud SaaS (Software as a Service) solutions to store and analyze control system data
● Driven by the need to collect, cleanse, store, analyze and report on large volumes of data from multiple sources, in a cost-effective manner
● Through analysis, this data can be turned into information to quantify, improve and optimize business processes
● Examples
  ● Cloud Historian
  ● Remote Monitoring
  ● Asset Management
  ● Smart Buildings
Difficulty Assessing Cloud SaaS Solutions
● Cloud provider’s security controls must be assessed at multiple layers:
  ● Facilities (physical security)
  ● Network infrastructure (network security)
  ● IT systems (system security)
  ● Information and applications (application security)
  ● People (for example, separation of duties between development and production)
  ● Process (for example, change management and incident response)
● Biggest obstacle to assessing the security of a Cloud SaaS solution is a lack of transparency on the part of the Cloud Provider
Definitions
Cloud Provider: An organization or entity responsible for making a service available to interested parties - for example, an ICS vendor providing a Cloud Historian service
Cloud Consumer: An organization that maintains a business relationship with, and uses services from, a Cloud Provider – for example, an asset owner that has subscribed to and uses an ICS vendor’s Cloud Historian service
CLOUD SECURITY STANDARDS
ISO/IEC
ISO/IEC 27001 Information technology -- Security techniques -- Information security management systems -- Requirements
● Provides requirements for an information security management system (ISMS), which is a systematic approach to keeping information assets secure
● Auditable
ISO/IEC 27002 Information technology -- Security techniques -- Code of practice for information security controls
● Provides best practice recommendations for use by those responsible for initiating, implementing or maintaining an ISMS
Cloud Security Alliance
CSA Cloud Controls Matrix
● First ever baseline control framework specifically designed for Cloud supply chain risk management
● Backbone of CSA’s Cloud Certification framework (more later)
● 16 control areas, 133 controls
● Controls mapped to 32 other security standards, regulations, and controls frameworks including ISO 27001 and 27002, ISACA COBIT, FedRAMP, NERC CIP, NIST SP800-53, 95/46/EC, HIPAA, PCI DSS
NIST
NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-161 (Draft) Supply Chain Risk Management Practices for Federal Information Systems and Organizations
TRUST IN THE CLOUD
Trust
● Lack of Cloud Provider transparency inhibits Governance, Risk Management, and Compliance (GRC)
● Difficult to monitor and audit supply chains necessary for the company’s consistent performance and growth
● Difficult to identify and understand exposure to risk and the capability to manage risk
● Challenge for a Cloud Consumer to show auditors that the organization is in compliance with industry security / privacy standards and regulations
The higher up the Service Model stack, the more security the Cloud Provider is responsible for implementing and managing
[Figure: Service Model stack, labelled “Build It In” and “RFP / Contract It In”]
General Approach
• Network segmentation and segregation
• Boundary protection
• Firewall policy
• Defense in depth
• Authentication and authorization
• Monitoring and auditing
• etc.
[Figure: NIST 800-82, IEC-62443, NIST 800-53]
Cloud Certifications
● Provide transparency and visibility to cloud customers
● Deliver compliance-supporting data and artifacts
ISO/IEC 27001, CSA STAR, SSAE-16 SOC 2
SSAE-16 SOC 2 Report
● Reports on the design (Type I) and operating effectiveness (Type II) of a service organization’s controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system
CSA STAR (Security, Trust & Assurance Registry)
● Goal is to improve transparency and assurance in the cloud
● Searchable, publicly accessible registry to allow cloud customers to review the security practices of providers, accelerating their due diligence and leading to higher quality procurement experiences
● Helps customers to assess the security of Cloud Providers
● Based on a multilayered structure defined by the Open Certification Framework Working Group
CSA STAR
CSA STAR Self-Assessment
● Voluntary
● Based on:
  ● Cloud Control Matrix
  ● Consensus Assessments Initiative Questionnaire
CSA STAR
CSA STAR Certification
● Rigorous third party independent assessment of a cloud provider’s security
● Measures cloud provider’s capability levels
  ● No formal approach
  ● Reactive approach
  ● Proactive approach
  ● Improvement based approach
  ● Optimising approach
● Leverages the requirements of:
  ● ISO 27001:2013
  ● CSA Cloud Control Matrix
● Ensures the scope, processes and objectives are “fit for purpose”
CSA STAR
CSA STAR Attestation
● Provides a framework for performing assessments of cloud service providers using SOC 2 engagements supplemented by criteria in the CSA Cloud Control Matrix
● Typically, Cloud Providers acquire a CSA Attestation, 27001 certification, and SOC 2 Type II certification at the same time since so many of the criteria are common between the three
CSA STAR
CSA CAI Questionnaire
● Consensus Assessments Initiative Questionnaire
● Provides a set of questions a cloud consumer can ask of a cloud provider about their security controls
● Questions can be tailored to suit each unique cloud consumer’s evidentiary requirements
● Questions mapped to the compliance requirements in the Cloud Control Matrix
PRIVACY IN THE CLOUD
PII and Personal Information
● PII (Personally Identifiable Information)
  ● Information that can identify an individual (name, date of birth, etc.)
● Personal information
  ● Information that does not directly identify an individual, but is deemed sensitive by social mores: race, religion, shopping habits
Privacy vs Security
● Privacy governs how PII should be used, shared, and retained
● Security restricts access to the sensitive data and protects confidentiality/integrity during collection, storage, and transmission
Privacy in ICS
● Information primarily Business Sensitive / Confidential
● Biggest privacy impact is Identity / Account stores
  ● Full name
  ● Email address
  ● Etc.
Privacy Standards and Regulations
● FTC Consent Decrees
  ● Designate individuals to be accountable for the information security program
  ● Identify risks to personal information
  ● Design, implement and test reasonable safeguards to control risk
● EU Data Protection Directive (95/46/EC)
  ● Data controller (cloud customer) “must implement appropriate technical and organizational measures to protect personal data against … all unlawful forms of processing…”
  ● Processing of data by a data processor (cloud provider) must be governed by a contract or legal act binding the processor to the controller
  ● Cross-border data transfer out of the EEA prohibited unless the third country in question ensures an adequate level of protection
● US/EU Safe Harbor
  ● Allows US companies to register their certification that they meet the EU Data Protection requirements
  ● Take reasonable precautions to protect personal information
  ● Onward Transfer Principle
● PIPEDA Principles for the Protection of Personal Data (Canada)
  ● An organization is responsible for personal information in its possession or control, including information that has been transferred to a third party (cloud provider) for processing
● NIST SP800-53 Rev. 4 Appendix J “Privacy Control Catalog”
● ISO/IEC 27018 Information technology -- Security techniques -- Code of practice for PII protection in public clouds acting as PII processors
● HIPAA Health Insurance Portability and Accountability Act
● PCI DSS Payment Card Industry Data Security Standard
Privacy Policy
● Cloud Provider should have a strong Privacy Policy that specifies the following for personal information:
  ● Collection
  ● Usage
  ● Storage
  ● Release
  ● Retention
  ● Deletion
● Cloud Provider should provide a Privacy Notice to the Cloud Consumer upon demand
EXERCISE
Assessing the Security of a Cloud SaaS Solution
Network Segmentation and Zoning
IEC 62443-3-3 Requirement: SR 5.1 – Network Segmentation
Impact: The network with access to the Cloud Provider’s application should be logically or physically segmented from the (critical) control system network
IEC 62443-3-3 Requirement: SR 5.2 – Zone boundary protection
Impact: Access to the Cloud Provider’s application must take place via a zone and conduit designed for this purpose
IEC 62443-3-3 Requirement: SR 5.2 – Zone boundary protection
Impact: The Cloud Provider’s security and access controls must fulfill the requirements of the asset owner’s zone and conduit security policy designed to meet the target Security Level
Data Integrity and Confidentiality
IEC 62443-3-3 Requirement: SR 3.1 – Communication integrity; SR 4.1 – Information confidentiality
Impact: The confidentiality and integrity of all network communication between the asset owner’s system and the Cloud Provider’s system must be protected via cryptographic means
IEC 62443-3-3 Requirement: SR 3.4 – Software and information integrity; SR 4.1 – Information confidentiality
Impact: The confidentiality and integrity of data at rest must be protected by the Cloud Provider using strong access and/or cryptographic controls
Data Integrity and Confidentiality
Control Group: Interoperability & Portability – Standardized Network Protocols
Consensus Assessment Question(s):
● Can data import, data export and service management be conducted over secure (e.g., non-clear text and authenticated), industry accepted standardized network protocols?
● Do you provide consumers (tenants) with documentation detailing the relevant interoperability and portability network protocol standards that are involved?
Control Group: Application & Interface Security – Data Integrity
Consensus Assessment Question(s):
● Are data input and output integrity routines (i.e., reconciliation and edit checks) implemented for application interfaces and databases to prevent manual or systematic processing errors or corruption of data?
Multi-Tenancy
● Def.
  ● Resources and services used by multiple cloud consumers are physically collocated, but logically separated – for example, data from multiple cloud consumers are stored in the same database, or on the same server, and security controls keep the data logically separated
● To Cloud Providers
  ● Enables economies of scale, availability, management, segmentation, isolation, and operational efficiency
● To Cloud Consumers
  ● Implies a need for security controls, at different layers, to ensure logical separation
Encrypting Data At Rest in Cloud SaaS
● Typical cloud guidance
  ● Cloud Consumer (tenant) generates encryption key, encrypts and decrypts data en-route to/from the Cloud SaaS Provider
● Cloud SaaS encryption hurdles
  ● SaaS is not just storage – need to validate, estimate, aggregate, search, sort, and analyze
● Cloud Consumer (tenant) should control their own encryption keys
● Encryption keys should never be stored alongside the encrypted data
● Extremely important to manage encryption keys securely
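The tenant-side encryption pattern described above, as an added example that is not part of the presentation: the asset owner generates and keeps an AES-256-GCM key, seals each historian sample before it reaches the SaaS, and the provider stores only ciphertext, so the key is never alongside the data; the tenant id and tag name are bound as associated data so a record cannot be relabelled or moved into another tenant's partition (the "single tenant only" point of the CAIQ questions that follow). The type and function names (TenantKey, StoredRecord, Seal, Open) and the tenant ids are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKey is generated and held by the Cloud Consumer (tenant), for example
// in its own key management system. The Cloud SaaS Provider never receives it,
// so the key is never stored alongside the data it protects.
type TenantKey struct {
	TenantID string
	key      []byte // 32 bytes: AES-256
}

// StoredRecord is everything the Cloud Provider persists. The historian tag
// name stays in clear so the SaaS can still index and search by tag (the
// "SaaS is not just storage" hurdle); the sample value is only ever encrypted.
type StoredRecord struct {
	TenantID   string
	Tag        string
	Nonce      []byte
	Ciphertext []byte // AES-GCM output: encrypted value plus 16-byte auth tag
}

// NewTenantKey draws a fresh 256-bit key on the tenant's side.
func NewTenantKey(tenantID string) (*TenantKey, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &TenantKey{TenantID: tenantID, key: k}, nil
}

func (k *TenantKey) aead() (cipher.AEAD, error) {
	block, err := aes.NewCipher(k.key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to its tenant and tag: a record copied into another
// tenant's partition, or relabelled to a different tag, fails authentication.
func aad(tenantID, tag string) []byte {
	return []byte(tenantID + "\x00" + tag)
}

// Seal encrypts one historian sample before it leaves the asset owner's network.
func (k *TenantKey) Seal(tag string, value []byte) (StoredRecord, error) {
	g, err := k.aead()
	if err != nil {
		return StoredRecord{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredRecord{}, err
	}
	ct := g.Seal(nil, nonce, value, aad(k.TenantID, tag))
	return StoredRecord{TenantID: k.TenantID, Tag: tag, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts a record fetched back from the SaaS. It refuses records that
// were not sealed for this tenant or whose labels were altered in storage.
func (k *TenantKey) Open(rec StoredRecord) ([]byte, error) {
	if rec.TenantID != k.TenantID {
		return nil, errors.New("record belongs to a different tenant")
	}
	g, err := k.aead()
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.TenantID, rec.Tag))
	if err != nil {
		return nil, fmt.Errorf("authentication failed: %w", err)
	}
	return pt, nil
}

func main() {
	owner, _ := NewTenantKey("asset-owner-A") // constructed tenant id
	rec, _ := owner.Seal("Pump01.Flow", []byte("42.7 m3/h"))
	fmt.Printf("provider stores: tag=%s ciphertext=%x\n", rec.Tag, rec.Ciphertext)
	value, err := owner.Open(rec)
	fmt.Printf("tenant reads back: %q (err=%v)\n", value, err)
}
```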
Data Integrity and Confidentiality
Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s):
● Do you have the ability to logically segment or encrypt customer data such that data may be produced for a single tenant only, without inadvertently accessing another tenant's data?
● Do you have capability to recover data for a specific customer in the case of a failure or data loss?
Control Group: Encryption & Key Management – Encryption
Consensus Assessment Question(s):
● Do you encrypt tenant data at rest (on disk/storage) within your environment?
● Do you support tenant-generated encryption keys or permit tenants to encrypt data to an identity without access to a public key certificate (e.g. identity-based encryption)?
● Do you have documentation establishing and defining your encryption management policies, procedures and guidelines?
Control Group: Encryption & Key Management – Storage and Access
Consensus Assessment Question(s):
● Are your encryption keys maintained by the cloud consumer or a trusted key management provider?
● Do you store encryption keys in the cloud?
● Do you have separate key management and key usage duties?
Control Group: Supply Chain Management, Transparency and Accountability – Data Quality and Integrity
Consensus Assessment Question(s):
● Do you inspect and account for data quality errors and associated risks, and work with your cloud supply-chain partners to correct them?
● Do you design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privileged access for all personnel within your supply chain?
Identity and Account Management
IEC 62443-3-3 Requirement: SR 1.3 – Account management
Impact: Ideally the asset owner should manage accounts centrally and the cloud provider should federate against the asset owner’s identity store, or the cloud provider can provide an application account store
IEC 62443-3-3 Requirement: SR 1.5 – Authenticator management; SR 1.7 – Strength of password-based authentication; SR 1.11 – Unsuccessful login attempts
Impact: The asset owner must be able to customize account and password policies when managing accounts in the Cloud Provider’s application account store
Identity and Account Management
Control Group: Identity & Access Management – User ID Credentials
Consensus Assessment Question(s):
● Do you support use of, or integration with, existing customer-based Single Sign On (SSO) solutions to your service?
● Do you use open standards to delegate authentication capabilities to your tenants?
● Do you support identity federation standards (SAML, SPML, WS-Federation, etc.) as a means of authenticating/authorizing users?
● Do you provide tenants with strong (multifactor) authentication options (digital certs, tokens, biometrics, etc.) for user access?
● Do you allow tenants to use third-party identity assurance services?
● Do you support the ability to force password changes upon first logon?
● Do you support password (minimum length, age, history, complexity) and account lockout (lockout threshold, lockout duration) policy enforcement?
● Do you allow tenants/customers to define password and account lockout policies for their accounts?
● Do you have mechanisms in place for unlocking accounts that have been locked out (e.g., self-service via email, defined challenge questions, manual unlock)?
Auditing and Monitoring
IEC 62443-3-3 Requirement: SR 6.2 – Continuous monitoring
Impact: The Cloud Provider must continuously monitor their system and use common security industry practices and tools (a SIEM, for example) to detect and respond to security breaches in a timely manner
IEC 62443-3-3 Requirement: SR 6.1 – Audit log accessibility
Impact: The Cloud Provider must provide the capability for an asset owner to access tenant-specific audit log reports
IEC 62443-3-3 Requirement: SR 2.8 – Auditable events
Impact: It should be possible to export tenant-specific audit logs from the Cloud Provider into a centrally managed audit trail on the asset owner's system where they can be further analyzed by standard log analysis tools such as a SIEM
Auditing and Monitoring
Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Management
Consensus Assessment Question(s):
● Do you have a documented security incident response plan?
● Do you integrate customized tenant requirements into your security incident response plans?
● Do you publish a roles and responsibilities document specifying what you vs. your tenants are responsible for during security incidents?
● Have you tested your security incident response plans in the last year?
Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Reporting
Consensus Assessment Question(s):
● Does your security information and event management (SIEM) system merge data sources (app logs, firewall logs, IDS logs, physical access logs, etc.) for granular analysis and alerting?
● Does your logging and monitoring framework allow isolation of an incident to specific tenants?
Control Group: Security Incident Management, E-Discovery & Cloud Forensics – Incident Response Legal Preparation
Consensus Assessment Question(s):
● Does your incident response plan comply with industry standards for legally admissible chain-of-custody management processes and controls?
● Does your incident response capability include the use of legally admissible forensic data collection and analysis techniques?
● Are you capable of supporting litigation holds (freeze of data from a specific point in time) for a specific tenant without freezing other tenant data?
● Do you enforce and attest to tenant data separation when producing data in response to legal subpoenas?
Control Group: (Custom)
Consensus Assessment Question(s):
● Do you provide the capability for a customer (tenant) to access their audit logs via a visual or programmatic interface?
● Do you provide the capability for a customer (tenant) to export their audit logs in an industry standard format such that the logs may be analyzed by the customer’s organization using industry standard log analysis tools such as a SIEM?
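A tenant-side import filter for the SR 6.1 / SR 2.8 impacts and the custom export questions above, as an added example that is not part of the presentation: it reads a constructed JSON Lines audit-log export, fails closed on any event that belongs to another tenant (a cross-tenant record in a "tenant-specific" export is itself a finding), and renders the rest as RFC 5424 syslog lines for the asset owner's SIEM. The export field names, the cloudsaas-audit app name and the host label are assumptions; 32473 is the enterprise number RFC 5612 reserves for documentation, and the addresses are from the RFC 5737 documentation ranges.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is one line of a tenant-specific audit-log export as a Cloud
// Provider might deliver it in JSON Lines form. The field names are an
// assumption for this example, not a documented provider format.
type AuditEvent struct {
	Time     time.Time `json:"time"`
	TenantID string    `json:"tenant_id"`
	User     string    `json:"user"`
	Action   string    `json:"action"`
	Outcome  string    `json:"outcome"` // "success" or "failure"
	SourceIP string    `json:"source_ip"`
}

// SampleExport is a constructed export for tenant asset-owner-A.
const SampleExport = `{"time":"2015-01-12T08:30:02Z","tenant_id":"asset-owner-A","user":"ops.engineer","action":"login","outcome":"success","source_ip":"203.0.113.10"}
{"time":"2015-01-12T08:31:07Z","tenant_id":"asset-owner-A","user":"contractor","action":"login","outcome":"failure","source_ip":"198.51.100.7"}
{"time":"2015-01-12T08:35:44Z","tenant_id":"asset-owner-A","user":"ops.engineer","action":"export_tags","outcome":"success","source_ip":"203.0.113.10"}`

// LeakedEvent is a constructed line from another tenant, the kind of record a
// tenant-specific export must never contain.
const LeakedEvent = `{"time":"2015-01-12T08:36:00Z","tenant_id":"asset-owner-B","user":"someone","action":"login","outcome":"success","source_ip":"192.0.2.5"}`

// RFC 5424 PRI = facility*8 + severity; facility 4 is "auth".
const facilityAuth = 4

func severity(outcome string) int {
	if outcome == "failure" {
		return 4 // warning
	}
	return 6 // informational
}

// escapeSD escapes the three characters RFC 5424 forbids unescaped in a
// structured-data PARAM-VALUE.
func escapeSD(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`).Replace(s)
}

// ToSyslog renders one event as an RFC 5424 line:
// <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
func ToSyslog(e AuditEvent, host string) string {
	pri := facilityAuth*8 + severity(e.Outcome)
	sd := fmt.Sprintf(`[cloudsaas@32473 tenant="%s" user="%s" outcome="%s" src="%s"]`,
		escapeSD(e.TenantID), escapeSD(e.User), escapeSD(e.Outcome), escapeSD(e.SourceIP))
	return fmt.Sprintf("<%d>1 %s %s cloudsaas-audit - %s %s %s %s by %s",
		pri, e.Time.UTC().Format(time.RFC3339), host, e.Action, sd, e.Action, e.Outcome, e.User)
}

// ExportForTenant converts an export into SIEM-ready lines. It stops at the
// first event that belongs to another tenant or that cannot be parsed, so the
// asset owner's audit trail never silently absorbs foreign or garbled records.
func ExportForTenant(export, tenantID, host string) ([]string, error) {
	var out []string
	sc := bufio.NewScanner(strings.NewReader(export))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var e AuditEvent
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, fmt.Errorf("line %d: malformed event: %w", n, err)
		}
		if e.TenantID != tenantID {
			return nil, fmt.Errorf("line %d: event for tenant %q in export for %q", n, e.TenantID, tenantID)
		}
		out = append(out, ToSyslog(e, host))
	}
	return out, sc.Err()
}

func main() {
	lines, err := ExportForTenant(SampleExport, "asset-owner-A", "saas.example")
	if err != nil {
		fmt.Println("export rejected:", err)
		return
	}
	for _, l := range lines {
		fmt.Println(l)
	}
	_, err = ExportForTenant(SampleExport+"\n"+LeakedEvent, "asset-owner-A", "saas.example")
	fmt.Println("with a foreign event:", err)
}
```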
Legal Compliance
Control Group: Audit Assurance & Compliance – Information System Regulatory Mapping
Consensus Assessment Question(s):
● Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?
Control Group: Data Security & Information Lifecycle Management – Data Inventory / Flows
Consensus Assessment Question(s):
● Can you ensure that data does not migrate beyond a defined geographical residency?
Control Group: Datacenter Security – Secure Area Authorization
Consensus Assessment Question(s):
● Do you allow tenants to specify which of your geographic locations their data is allowed to move into/out of (to address legal jurisdictional considerations based on where data is stored vs. accessed)?
Summary
● Assessing the security of a Cloud SaaS solution can be daunting
● Certifications provide transparency and visibility into the Cloud Provider’s security controls
  ● Deliver evidence-based confidence and compliance-supporting data and artifacts
● Cloud Providers that are not certified can be assessed using the Consensus Assessments Initiative Questionnaire
TRUST