© Pactera. Confidential. All Rights Reserved.
Cybersecurity &
Application Security Trend
Pactera Cybersecurity Services
August, 2016
Agenda
• Application Security Trend
• Cloud Security Trend
• DevOps Security (SecDevOps) Trend
• Introduce Pactera Cybersecurity Services
Application Security Survey
38% have a "maturing" Application Security program
40% have documented approaches and policies to which third-party software vendors must adhere
41% named public-facing web applications as the leading cause of breaches
Source: SANS 2016 Application Security Survey - 475 respondents
Critical Vulnerabilities Caused by Coding Issues: 38%
Source: SANS 2016 Application Security Survey
Time to Patch Critical Application Vulnerabilities
Source: SANS 2016 Application Security Survey
Maturity of Application Security Programs from Survey: 62.8%
Source: SANS 2016 Application Security Survey
Top Application Security Concerns
Source: SANS 2016 Application Security Survey
1. Lack of application security skills, tools, and methods
2. Lack of funding and management buy-in
3. Silos between security, development and business units
4. Identifying all applications in the portfolio
5. Fear of modifying production code (might “break the app”)
Top Application Security Processes and Controls in Place
Source: SANS 2016 Application Security Survey
Most bang for the buck!
1. Train developers on application security
2. Perform periodic vulnerability scanning
3. Inventory and assess all applications
4. Commission penetration testing by a third party
5. Use internal penetration testing
6. Incorporate continuous vulnerability scanning (dynamic scanning)
Application Security: Distribution of Malicious Attacks
Attack Types: DT (Directory Traversal), HTTP (protocol violations), RFI (Remote File Inclusion), Spam, SQLi (SQL Injection), and XSS (Cross-Site Scripting) attacks
Source: 2016 Imperva Web Application Attack Report Ed. 6
2.5 times more Cross-Site Scripting attacks
3 times more SQL Injection attacks
3 out of 4 applications were targeted
Cloud Adoption
Source: CloudPassage 2016 Security Survey Report
79% of respondents are either in planning or trial stages, currently implementing, or in active production cloud environments
Top Cloud Service Delivery and Providers
Source: CloudPassage 2016 Security Survey Report
Barriers to Cloud Adoption
Source: CloudPassage 2016 Security Survey Report
Cloud Security Concerns
Source: CloudPassage 2016 Security Survey Report
Biggest Security Threats in Public Cloud
Source: CloudPassage 2016 Security Survey Report
Top Cloud Security Concerns
Source: CloudPassage 2016 Security Survey Report
DevOps Security (SecDevOps) - Pay Attention to Security
Source: 2016 State of DevOps Report – by Puppet + DORA
• Conduct a security review process for all major features without slowing down development
• Integrate security testing & controls into the SDLC - Dev, QA & Ops (including design review, demo review, demo feedback)
• Automate the security testing process to include testing the security requirements
• App Security group provides pre-approved, easy-to-use libraries, packages, toolchains and processes for developers and IT Ops to use
Results:
• Security is an integral part of continuous delivery
• High performers spend 50% less time remediating security issues
DevOps Security (SecDevOps) – continued
2016 State of DevOps Report – by Puppet + DORA
• Security is an integral part of continuous delivery
• High performers spend 50% less time remediating security issues
Pactera Cybersecurity Services
Introduction
Who’s Pactera - Serving Top Global Brands Across Key Industries
[Chart: revenue share by industry - BFSI, Technology, Telecom, Manufacturing & Retail, Others; shares shown: 35%, 43%, 8%, 12%, 2%]
Revenue by region: North America & EU 42%, Greater China 47%, Asia Pacific 11%
Source: Pactera, 2015 estimated revenue data
Pactera: Exceptional Record of Security, Privacy and Quality
Security is a top priority for Pactera and our clients.
We are proud of our consistent track record of meeting and exceeding customer expectations for security and quality among our facilities, people and processes.
Security & Quality:
• ISO 9001 (1st China-based IT services firm to be ISO certified)
• 1st China-based IT services firm to pass SEI-CMM company-wide Level 5 in 2003
• Personal Information Protection Assessment (PIPA) certified in 2009
• IAOP (Intl Association of Outsourcing Professionals) Exclusive COP Partner in China; strict leverage of this methodology in daily operations
• ISO 27001 Certified since 2006
• Passed CMMI Level 5 in 2008
• #1 in security infrastructure among Microsoft Offshore Facilities (OFs) worldwide, 2011-12
• “Grade A” Microsoft Procurement 2012 ranking in Service Quality & Satisfaction
Pactera Cybersecurity Services Centers of Excellence (COE)
Cybersecurity COE is an experienced global team with security expertise to deliver customer-centric security services.
Pactera Cybersecurity Services Capabilities
Why Pactera Cybersecurity Services?
• Industry Top Security Pros
• Security Software Partner
• Asia and U.S. Elite Teams
• BFSI, Gov, Healthcare, Regulatory Experience
• Privacy Experience
• App Sec Training Provider
Service lines:
• Cybersecurity & Privacy Program Consulting
  – Improve Threat Prevention, Detection, & Response Capability
  – Privacy Program Development & Consulting
• Application Vulnerability / Penetration Testing
  – Reduce Risk by Remediating Threats
  – SecDevOps (Improve Security in DevOps)
• Application Secure Coding Practice Training
  – Reduce Vulnerabilities via Secure Coding Practice
• Third-party Supplier Security Risk Management
  – Manage Security Risks Posed by Suppliers
Client References
• For major financial institutions -
– Performed third-party security assessments, helped suppliers to enhance security and reduce client third-party risk exposure
– Performed application security assessments, provided recommendations for remediation to enhance protection
– Conducted security vulnerability assessments
– Participated in Cybersecurity Incident Response and root cause analysis
• For a Fortune 50 software firm -
– Perform information security consulting
– Application vulnerability assessment and management, regulatory compliance
– Ensuring security compliance for over 2000 applications through threat modeling, secure code review, vulnerability assessment, and privacy compliance processes in agile and DevOps environments
• For a major international airline and a leading mobile phone provider -
– Perform application vulnerability assessments in agile and DevOps environment
– Conduct web and mobile application penetration testing
• Ensure security weaknesses are identified and remediated
• Prevent leak of sensitive information
• For a major member loyalty program management firm -
– Perform Data Privacy Governance and ISO 27001 Certification program development
– Conduct security assessment, penetration testing / vulnerability assessment
– Help the client to attain ISO 27001 certification
• For a leading Australian Telco -
– Performed IT security maturity assessments and penetration testing services for its newly acquired entity in China
– Assisted the client in constructing a two-year roadmap to raise security maturity to the expected level
Q&A
Thank You
SecurityInfo@Pactera.com
www.Pactera.com
Kyle Lai
CISSP, CSSLP, CISA, CIPP/US/G
CISO, Head of Security Services
http://Linkedin.com/in/kylelai
@KyleOnCyber

Pactera - Cloud, Application, Cyber Security Trend 2016