Dev week cloud world conf2021

•

0 likes•76 views

Talk to executives in IT divisions of large enterprises about security and invariably the conversation will hover around DevSecOps pipeline. Is DevSecOps the only thing you need to do for security in your IT division or is there more? What impact does bringing in secure culture in an engineering context mean? What handshake is needed between the IT function and the security / risk function for large enterprises? How does this impact roles and responsibilities of a developer? This talk is an attempt to answer questions such as these using a real world examples of transformations seen in Fortune 100 companies.

Software

As DevExec AreYou Doing Enough For Security?
Archana Joshi
Head –Transformation, LTI
Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with

2
Let’s us meet the characters in our story
CEO CIO Legal Director
InfoSec Director Dev Director

3
…. And ask them the same question
What are you doing about cyber security?
CEO CIO Legal Director
InfoSec Director Dev Director
One of the top agenda
Proactive investments
Being secure is our culture
Strengthening
Cloud Security &
Application Security
Compliance checks
Investing in Digital Forensics
Security lapse liability
3rd party coverage
DevSecOps
Risk based DAST, SAST

4
Alert !!!!
Security Breach !!!!
Root Cause: Application using an open source utility was hacked

5
Now ask them the same question
How can we prevent such breach in future?
CEO CIO Legal Director
InfoSec Director Dev Director
I am setting up a committee with
external experts to help us with next
steps
My team needs to come together
It’s not just us – we have partners too
We need to work together
I should provide stringent security norms
We need to work together
I don’t understand this focus for
opensource
We need to work together
My app team faces the brunt.There are
networks too
We need to work together

7
Is there a better way to handle this?
Can we truly achieve “continuous security”

8
Infrastructure
Applications
Data
Compliance
StaticTesting
DynamicTesting
Network Security
Endpoint Security
Cloud Security
Data Encryption
Access Credentials
Loss Prevention
Cloud
Data
Regula
-tions
Open
Source
/ 3rd
Party

9
Security Pod & Roles
CISO – CIO pair
Extreme Automation
Inbuilt Dev Practices
Integrated OKR and metrics
Follow the motto of Centralize – But Decentralize

10
Security Pod & Roles
Security Architect
Security Ambassador / Product Mgr
SRE with security focus
CISO – CIO pair
Common security governance
Active Legal involvement
Extreme Automation
Open source tagging via pipeline
Operations monitoring includes security parameters
Inbuilt Dev Practices
Security as a code
Secure coding insights via AI interventions
Integrated OKR and metrics
Threshold setting for central involvement
Security Debt as part of sprint goals
Follow the motto of Centralize – But Decentralize

11
Security is at the heart of
success of development

THANK YOU
https://www.linkedin.com/in/arcjoshi
Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with

What's hot

DevSecOps

Joel Divekar

An introduction to the devsecops webinar will be presented by me at 10.30am EST on 29th July,2018. It's a session focussed on high level overview of devsecops which will be followed by intermediate and advanced level sessions in future. Agenda: -DevSecOps Introduction -Key Challenges, Recommendations -DevSecOps Analysis -DevSecOps Core Practices -DevSecOps pipeline for Application & Infrastructure Security -DevSecOps Security Tools Selection Tips -DevSecOps Implementation Strategy -DevSecOps Final Checklist

Introduction to DevSecOps

Setu Parimi

In the fusion between DevOps and DevSecOps, the pace and agility of the DevSecOps approach made AppSec and InfoSec were a little left behind. The DevOps squad topology does not involve any of the organization's AppSec and InfoSec Engineer. Many DevOps team are also not included them since they lack the information on how to manage and configure DevOps CI / CD pipelines and DevSecOps approaches. There's no shortage of talent — you probably don't have a mission worth getting out of bed or a culture that fosters continuous learning such DevSecOps skill and tools and growth where people feel psychologically safe. Besides, there is no shortage of skills — most have a poor understanding of what they need to be successful or the skills that need to leverage to improve their security posture.

Why Security Engineer Need Shift-Left to DevSecOps?

Najib Radzuan

1.Security Controls Must Be Programmable and Automated Wherever Possible 2.Implement a Simple Risk and Threat Model for All Applications 3.Scan Custom Code, Applications and APIs 4.Scan for OSS Issues in Development 5.Treat Scripts/Recipes/Templates/Layers as Sensitive Code 6.Measure System Integrity and Ensure Correct Configuration at Load 7.Use Whitelisting on Production Systems, Including Container-Based Implementations 8.Assume Compromise; Monitor Everything; Architect for Rapid Detection and Response 9.Lock Down Production Infrastructure and Services 10.Tokenization and Payment Processing

Integrate Security into DevOps - SecDevOps

Ulf Mattsson

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

DevOps Indonesia

DevSecOps : an Introduction

Prashanth B. P.

Security testing is an important part of any security development life-cycle (SDLC) and, thus, should be a part of any software development life-cycle. We will present SAP's Security Testing Strategy that enables developers to find security vulnerabilities early by applying a variety of different security testing methods and tools. We explain the motivation behind it, how we enable global development teams to implement the strategy, across different SDLCs and report on our experiences.

Bringing Security Testing to Development: How to Enable Developers to Act as ...

Achim D. Brucker

Organizations enjoy the speed that DevOps brings to development and delivery. However, most security and compliance monitoring tools have not been able to keep up, becoming the most significant barrier to continuous delivery. Now some good news: you can easily integrate security into your existing processes to solve this challenge. In this session, Shiri Ivtsan, Senior Product Manager at WhiteSource, will discuss: - Leveraging the DevSecOps approach to help speed up security - Scaling security into your agile processes - 5 easy ways to start driving DevSecOps in your organization

The Challenges of Scaling DevSecOps

WhiteSource

Open source software components play an important role by providing us with the building blocks of our products. However, even as we enjoy the benefits of open source components, they are not without their challenges, especially when it comes to security vulnerabilities. In this webinar with Circle CI, you'll learn how: - WhiteSource Orb can help teams catch vulnerabilities within open source components at early stages of the development cycle - You can start implementing the WhiteSource CircleCI orb into your CI configuration - To gain insights into your software helping you make smarter decisions in working with open source components.

CI/CD pipeline security from start to finish with WhiteSource & CircleCI

WhiteSource

DevSecOps Everything You Need To Know

Centextech

It’s no secret that open source components form the backbone of today’s software, comprising between 60-80% of modern applications. But with this, comes the alarming rise in open source vulnerabilities – more than 3,500 open source vulnerabilities were reported in 2017 – that’s 60% higher than the previous year, and the trend continued in 2018. The question arises: how can DevOps teams ensure a visible and continuous delivery pipeline for software releases without letting security slow them down? Join WhiteSource’s Product Manager, Shiri Ivtsan, as she discusses: - The current state of open source vulnerabilities management; - The latest innovations in the open source security world; and - The best DevOps tools to protect organizations against open source vulnerabilities and ensure agility, visibility and control regarding their open source.

Open Source Security at Scale- The DevOps Challenge

WhiteSource

DevSecOps, The Good, Bad, and Ugly

4ndersonLin

Application Security at DevOps Speed - DevOpsDays Singapore 2016

Stefan Streichsbier

Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...

Franklin Mosley

Thanks to the cloud and open source tools, DevOps teams have access to unprecedented infrastructure and scale. But that also means they can be approached by some of the most nefarious actors on the Internet, as they risk the security of their business with every application deployment. Perimeter-class security is no longer viable in such a distributed environment, so now companies need to adapt to more micro-level security. This merging of DevOps and security operations – a concept called DevSecOps – is one of the most important new developments in security and IT deployment. In this session, our expert will discuss how teams are now collaborating as peers to achieve optimal security.

DevSecOps: Minimizing Risk, Improving Security

Franklin Mosley

The best DevSecOps practices are built alongside strong DevOps practices. However, DevSecOps processes and tooling are often decided within a security silo, rather than by a DevSecOps collective. Security ends up more integrated and efficient than in the past, but the approach is still “bolt-on” and not ultimately streamlined. Collaboration between security and other DevOps groups around roadmaps and sharing of resources can lead to greater efficiency and innovation, while better supporting the value stream. This talk will discuss foundational considerations when building a DevSecOps practice. You will learn about the top prerequisites for a successful DevSecOps practice – most of which are provided by groups other than security; and we’ll discuss case studies, both from organizations who have embraced DevOps as a foundation for DevSecOps, and those who haven’t. Attendees will walk away with questions to ask their counterparts in DevOps to understand current DevOps maturity and where security can leverage existing and planned DevOps resources to enable effective DevSecOps.

DevSecOps without DevOps is Just Security

Kevin Fealey

by Twistlock With containers, teams worldwide are deploying faster than ever before. But traditional security practices are slow and manual - leaving many users a choice between strong security or DevOps speed. In this talk, we'll outline how adopting a new 'cloud native' approach to security lets you recognize all the benefits of containerized deployment - and enjoy stronger protection than ever before.

Security at the Speed of Software - Twistlock

Amazon Web Services

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

SecureSoftwareDevOn SecureSoftwareDevOn

DevSecOps for you Full Stack

Ron Nixon

Automating Security Compliance on AWS with DevSecOps

Tushar Gupta

What's hot (20)

DevSecOps

Introduction to DevSecOps

Why Security Engineer Need Shift-Left to DevSecOps?

Integrate Security into DevOps - SecDevOps

DevSecOps Beginners Guide : How to secure process in DevOps with OpenSource

DevSecOps : an Introduction

Bringing Security Testing to Development: How to Enable Developers to Act as ...

The Challenges of Scaling DevSecOps

CI/CD pipeline security from start to finish with WhiteSource & CircleCI

DevSecOps Everything You Need To Know

Open Source Security at Scale- The DevOps Challenge

DevSecOps, The Good, Bad, and Ugly

Application Security at DevOps Speed - DevOpsDays Singapore 2016

The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...

DevSecOps: Minimizing Risk, Improving Security

DevSecOps without DevOps is Just Security

Security at the Speed of Software - Twistlock

Introducing DevSecOps by Madhu Akula - Software Security Bangalore - May 27 2...

DevSecOps for you Full Stack

Automating Security Compliance on AWS with DevSecOps

Similar to Dev week cloud world conf2021

4-lessons-of-security-leaders-for-2022.pdf

Jose R

Respresenting Cyber Defense Community (cdef.id) to present and share my view on Secure DevOps / DevSecOps. Through this presentation, I shared several insights about: 1. How to balance the risk and controls in the "great shift left" paradigm (agile) 2. DevOps activities 3. How to seamlessly integrate security into DevOps 4. How to "shift left" the security" 5. Get started with Secure DevOps / DevSecOps 6. Case Study about DevSecOps implementation For further discussion, especially how to secure digital and agile transformation in your organization, don't hesitate to contact me :)

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Eryk Budi Pratama

Discussion 1 Recommend three countermeasures that could enhance the information security measures of an enterprise. Justify your recommendations. 1. Upon extensive review of existing IT EBK and what new measures needed to be taken, Homeland Security came to the conclusion that a comprehensive approach information security including the steps of manage, design, implement, and evaluate would best serve to safeguard against future threats. Manage: calls for the oversight of security programs to come from the highest levels of chains of command with constant focus on “ensuring its currency with changing risk and threat” (2007, p. 9). Design: calls for analyzing a program to assess what types of “procedures and processes” will best direct its successful execution. Implement: refers to how programs and policies are instituted within the company. Evaluate: this final step calls for a final critique of the new program or policy’s successful ability to [achieve] its purpose (2007, p. 9). 2. Homeland Security also recommended a “Competency and Functional Framework for IT Workplace Development” that placed strong emphasis on a clear chain of command and communication with clear job titles and IT employee roles being placed into a group of Executive, Functional or Corollary employees (2007, p. 17). 3. The report stressed the primary role of “the IT Security Compliance Professional is . . . overseeing, evaluating, and supporting compliance issues pertinent to the organization” (Homeland Security, 2007, p.16). Thus, the report logically concluded that IT professionals must know and be able to properly define terms such as evaluation, compliance and assessment in order to properly perform their duties (p. 14). Propose three cybersecurity benefits that could be derived from the development of a strategic governance process. Select the benefit you find most important and explain why. The National Computing Centre points out that there are numerous benefits to having a rigorous strategic governance process in place. Among them, increased transparency and accountability which leads to an “improved transparency of IT costs, IT process, [and] IT portfolio (2005, p. 6). This increased transparency and accountability also leads to an “improved understanding of overall IT costs and their input to ROI cases” which in turn often brings about “an increased return on investment/stakeholder value” (p. 6). Finally, the authors point to the fact that with increased transparency comes increased accountability and companies avoid “unnecessary expenditures” (p. 7). Discussion 2 Categorize the roles described by the Information Technology Security Essential Body of Knowledge (EBK), in terms of executive, functional, and corollary competencies. Select two of these roles that you believe enhance the security countermeasures of an organization the most and justify your response. As mentioned previously, Homeland Security’s 2007 report emphasized the importance of properly .

Discussion 1Recommend three countermeasures that could enhance.docx

elinoraudley582231

Security of the future - Adapting Approaches to What We Need

simplyme12345

Today’s software applications are often security-critical, making security testing an essential part of a software quality program. Unfortunately, most testers have not been taught how to effectively test the security of the software applications they validate. Join Jeff Payne as he shares what you need to know to integrate effective security testing into your everyday software testing activities. Learn how software vulnerabilities are introduced into code and exploited by hackers. Discover how to define and validate security requirements. Explore effective test techniques for assuring that common security features are tested. Learn about the most common security vulnerabilities and how to identify key security risks within applications and use testing to mitigate them. Understand how to security test applications—both web- and GUI-based—during the software development process. Review examples of how common security testing tools work and assist the security testing process. Take home valuable tools and techniques for effectively testing the security of your applications going forward.

Security Testing for Testing Professionals

TechWell

Five Essential Enterprise Architecture Practices to Create the Security-Aware...

UBM_Design_Central

How to Secure your Fintech Solution - A Whitepaper by RapidValue

RapidValue

Five Essential Enterprise Architecture Practices to Create the Security-Aware...

UBM_Design_Central

In today's tech-era, the internet will always remain the second sustaining factor for life after oxygen. We are much affiliated with the proceedings of websites as we continue to live in this modern technology-driven era. We are continuously utilizing the internet and feeding our information on computers and phones. Works that used to take several hours or days can be done with one click now. All these processes have been possible because of cybersecurity analyst specialists. But we are aware of the fact that every credential bears some advantages and negative points. The information fed on computers increases the rate of cybercrimes. Any company or an individual can fall victim to these perpetrators. It is hazardous not only for an organization but also for the nation

How to Become a Cyber Security Analyst in 2021..

Sprintzeal

Selecting an App Security Testing Partner: An eGuide

HCLSoftware

Procuring an Application Security Testing Partner is crucial for safeguarding digital assets. An Application Security Testing Partner specializes in conducting comprehensive assessments using keywords like vulnerability scanning, penetration testing, code review, and threat modeling. Their expertise ensures your applications are fortified against cyber threats, providing peace of mind in an increasingly interconnected digital landscape. Learn More: https://hclsw.co/ftpwvz

Procuring an Application Security Testing Partner

HCLSoftware

Evident.io helps modern IT and DevOps teams implement and maintain security within the AWS shared responsibility model by enabling IT, Security, Engineering, and Operations with a continuous global view of security risk and actionable intelligence to rapidly remediate and secure AWS deployments. Hear how one of their customers combined the detection and analysis of misconfigurations, vulnerabilities, and risk with guided remediation and audit capabilities to gain visibility of their security environment, automate processes and meet compliance requirements. Eddie Borrero, Chief Information Security Officer, Robert Half International Phil Rodrigues, Security Solution Architect, AWS Craig Dent, Solutions Architect, Evident.io

Best practices for automating cloud security processes with Evident.io and AWS

Amazon Web Services

Building Security Into Your Cloud IT Practices

Mighty Guides, Inc.

7 Experts on Implementing Microsoft 365 Defender

Mighty Guides, Inc.

PTX12_Presentation_George Delikouras AIA

George Delikouras

In the world of software development, DevOps has become a popular methodology that emphasizes collaboration between development and operations teams to enable faster and more reliable software delivery. However, implementing DevOps securely is crucial to protecting sensitive data and maintaining regulatory compliance. In this blog post, we'll discuss the top 10 best practices for implementing DevOps security.

10 Best Practices for Implementing DevOps Security

Dev Software

Dave Tyson Profile for CISO Insights

ciso_insights

Fortify-Application_Security_Foundation_Training.pptx

YoisRoberthTapiadeLa

Fortify-Application_Security_Foundation_Training.pptx

VictoriaChavesta

10 things to get right for successful dev secops

Mohammed Ahmed

Similar to Dev week cloud world conf2021 (20)

4-lessons-of-security-leaders-for-2022.pdf

Protecting Agile Transformation through Secure DevOps (DevSecOps)

Discussion 1Recommend three countermeasures that could enhance.docx

Security of the future - Adapting Approaches to What We Need

Security Testing for Testing Professionals

Five Essential Enterprise Architecture Practices to Create the Security-Aware...

How to Secure your Fintech Solution - A Whitepaper by RapidValue

Five Essential Enterprise Architecture Practices to Create the Security-Aware...

How to Become a Cyber Security Analyst in 2021..

Selecting an App Security Testing Partner: An eGuide

Procuring an Application Security Testing Partner

Best practices for automating cloud security processes with Evident.io and AWS

Building Security Into Your Cloud IT Practices

7 Experts on Implementing Microsoft 365 Defender

PTX12_Presentation_George Delikouras AIA

10 Best Practices for Implementing DevOps Security

Dave Tyson Profile for CISO Insights

Fortify-Application_Security_Foundation_Training.pptx

10 things to get right for successful dev secops

Recently uploaded

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

WSO2

WSO2Con2024 - Software Delivery in Hybrid Environments

WSO2

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

Shane Coughlan

WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...

WSO2

WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...

WSO2

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

Bert Jan Schrijver

WSO2CON 2024 Slides - Unlocking Value with AI

WSO2

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

WSO2

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal.

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

masabamasaba

WSO2Con2024 - Low-Code Integration Tooling

WSO2

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

Philip Schwarz

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!

WSO2

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

WSO2

WSO2Con2024 - Unleashing the Financial Potential of 13 Million People

WSO2

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

SelfMade bd

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

WSO2

Azure Native Qumulo scales elastically for common High Performance Compute (HPC) workloads based on application requirements for: Financial Services, Automotive, Genomics / Life Sciences, Media and Entertainment, Energy, Oil and Gas, and more. Performance can be increased (and elastically decreased) much higher than the examples shown here. These slides offer a glimpse into ANQ's HPC capabilities, although at a smaller scale. We invite YOU to do your own testing (with a free ANQ trial) and work with us to test your HPC workloads in Azure.

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

ryanfarris8

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

WSO2

WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...

WSO2

Recently uploaded (20)

WSO2Con2024 - Facilitating Broadband Switching Services for UK Telecoms Provi...

WSO2Con2024 - Software Delivery in Hybrid Environments

OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...

WSO2CON 2024 - IoT Needs CIAM: The Importance of Centralized IAM in a Growing...

WSO2CON 2024 - Unlocking the Identity: Embracing CIAM 2.0 for a Competitive A...

Devoxx UK 2024 - Going serverless with Quarkus, GraalVM native images and AWS...

WSO2CON 2024 Slides - Unlocking Value with AI

WSO2CON 2024 - WSO2's Digital Transformation Journey with Choreo: A Platforml...

%+27788225528 love spells in Atlanta Psychic Readings, Attraction spells,Brin...

WSO2Con2024 - Low-Code Integration Tooling

Direct Style Effect Systems -The Print[A] Example- A Comprehension Aid

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

WSO2CON 2024 - Not Just Microservices: Rightsize Your Services!

WSO2Con2024 - From Code To Cloud: Fast Track Your Cloud Native Journey with C...

WSO2Con2024 - Unleashing the Financial Potential of 13 Million People

Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...

WSO2CON2024 - Why Should You Consider Ballerina for Your Next Integration

AzureNativeQumulo_HPC_Cloud_Native_Benchmarks.pdf

WSO2Con2024 - Simplified Integration: Unveiling the Latest Features in WSO2 L...

WSO2Con2024 - From Blueprint to Brilliance: WSO2's Guide to API-First Enginee...

Dev week cloud world conf2021

1. As DevExec AreYou Doing Enough For Security? Archana Joshi Head –Transformation, LTI Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with

2. 2 Let’s us meet the characters in our story CEO CIO Legal Director InfoSec Director Dev Director

3. 3 …. And ask them the same question What are you doing about cyber security? CEO CIO Legal Director InfoSec Director Dev Director One of the top agenda Proactive investments Being secure is our culture Strengthening Cloud Security & Application Security Compliance checks Investing in Digital Forensics Security lapse liability 3rd party coverage DevSecOps Risk based DAST, SAST

4. 4 Alert !!!! Security Breach !!!! Root Cause: Application using an open source utility was hacked

5. 5 Now ask them the same question How can we prevent such breach in future? CEO CIO Legal Director InfoSec Director Dev Director I am setting up a committee with external experts to help us with next steps My team needs to come together It’s not just us – we have partners too We need to work together I should provide stringent security norms We need to work together I don’t understand this focus for opensource We need to work together My app team faces the brunt.There are networks too We need to work together

6. 6 2 months after the incident…. ask them the same question How are you measuring effectiveness of cyber security CEO CIO Legal Director InfoSec Director Dev Director I get weekly report on any breaches We are also running an awareness campaign Mean time to receover from security Kubernetes cluster monitoring % Adoption of DevSecOps No. of builds to production with security clearances Risk assessment profile No. of third party assessments meeting the legal guidelines No. of security compliances defects No. of developers undergone secure coding practices session

7. 7 Is there a better way to handle this? Can we truly achieve “continuous security”

8. 8 Infrastructure Applications Data Compliance StaticTesting DynamicTesting Network Security Endpoint Security Cloud Security Data Encryption Access Credentials Loss Prevention Cloud Data Regula -tions Open Source / 3rd Party

9. 9 Security Pod & Roles CISO – CIO pair Extreme Automation Inbuilt Dev Practices Integrated OKR and metrics Follow the motto of Centralize – But Decentralize

10. 10 Security Pod & Roles Security Architect Security Ambassador / Product Mgr SRE with security focus CISO – CIO pair Common security governance Active Legal involvement Extreme Automation Open source tagging via pipeline Operations monitoring includes security parameters Inbuilt Dev Practices Security as a code Secure coding insights via AI interventions Integrated OKR and metrics Threshold setting for central involvement Security Debt as part of sprint goals Follow the motto of Centralize – But Decentralize

11. 11 Security is at the heart of success of development

12. THANK YOU https://www.linkedin.com/in/arcjoshi Note:The views expressed in the presentation are solely of the presenter and do not represent those of the company /clients she is associated with

Dev week cloud world conf2021

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Dev week cloud world conf2021

Similar to Dev week cloud world conf2021 (20)

More from Archana Joshi

More from Archana Joshi (13)

Recently uploaded

Recently uploaded (20)

Dev week cloud world conf2021