This document discusses different types of security assessments:
1) Technical security testing assesses security flaws through vulnerability assessments, network penetration testing, web application testing, and source code analysis.
2) Security process assessments evaluate weaknesses in security processes by reviewing frameworks like NIST CSF and COBIT.
3) Security audits involve compliance checks both internally and externally to verify proper security controls are in place.
It's time to rethink everything: a governance risk compliance primerEnclaveSecurity
Governance, Risk, & Compliance (GRC) is more than a catchy acronym – it is an approach to business culture. GRC is a three-legged stool that is necessary to effectively manage and steer the organization. This presentation will provide an introduction to GRC and discuss the collaboration and sharing of information, assessments, metrics, risks, policies, training, and losses across business roles and processes. GRC helps identify interrelationships in today’s complex and distributed business environment.
State of Security Operations 2016 report of capabilities and maturity of cybe...at MicroFocus Italy
As businesses continue to adopt new cloud and mobile functionality rapidly, we find the
edges of the network even more blurred, and our definitions of data ownership and breach
responsibility continue to evolve. Staffing and training continue to be the foremost challenge
of the modern SOC. This is paving the way to hybrid staffing models and hybrid infrastructures
that require less in-house expertise. As a result, highly skilled security team members can then
be utilized for a more specialized hunt and analytics-focused work.
There is no question this year has been both an exciting and challenging time to be in the field
of cyber security. On one hand, it is disheartening to see the continued decline in the maturity
and effectiveness of security operations, while, on the other, I know that we are in the middle
of an exciting and transformative change in our field. You can feel it. We must go where the
data leads us, and we believe that is to widen our definition of security operations to leverage
analytics, data science, Big Data, and shared intelligence to become more effective in protecting
today’s digital enterprise.
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.
Almost every business decision requires executives and managers to balance risk and reward, and efficiency in that process is essential to an enterprise’s success. Too often though, IT risk (business risk related to the use of IT) is overlooked.
While other business risks such as market, credit and operational risks have long been incorporated into the decision-making processes, IT risk has usually been relegated to technical specialists outside the boardroom, despite falling under the same risk category as other business risks: failure to achieve strategic objectives.
This session intends to address business risks related to the use of IT, looking at industry standards, frameworks and best practices, as well as focusing on real world examples and specific plans on how to implement IT Risk Management on every level of your company.
How to measure your cybersecurity performanceAbhishek Sood
In order for organizations to stay competitive, they must always be improving. This too is true for their cybersecurity.
Being able to properly harvest and digest cybersecurity benchmarking information is critical for today’s CIOs. If you realize that your cybersecurity is not at the level it should be, evaluating it properly can help you raise appropriate resources to fix the issues.
Discover how to get the full picture of your organization's security performance compared to your peers. Learn why benchmarking is so critical for today's CIOs and how to clearly communicate benchmarking data to your board.
Integrating Cybersecurity into Supply Chain Risk ManagementPriyanka Aash
Cyber–supply chain risks pose a new set of challenges for businesses (loss of critical IP, unwanted functionality in products) which jeopardize brand reputation and shareholder value. This session will present case study research from NIST on cutting-edge practices and tools that today’s industry leaders in supply chain risk management are deploying to secure their supply chains from end to end.
(Source: RSA USA 2016-San Francisco)
Security Framework for Digital Risk ManagementSecurestorm
A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government. A pragmatic and proportional information risk management process which can be used at speed, and is compatible with Agile projects. This is released under a Creative Commons; Attribution-Non Commercial-Share Alike 4.0 International License.
How To Present Cyber Security To Senior Management Complete DeckSlideTeam
This template is useful for presenting a cybersecurity plan to higher authority. The cybersecurity officer will present it to top-level management. It will help in determining the roles and responsibilities of senior management and executives who are responsible for handling risks. The firm will also optimize its cybersecurity risk framework. The firm will assess the current concerns that are impeding cybersecurity in terms of the increase in cybercrimes, data breach and exposure, and the amount spent on settlements. It will also analyze the firm's current cybersecurity framework. The firm will categorize various risks and assess them on parameters such as risk likelihood and severity. The IT department will also improve its incident handling mechanism. A cybersecurity contingency plan will be initiated by the firm. In this plan, the firm will build an alternate site for backup maintenance. Backup site selection will be done by taking certain parameters into consideration, such as cost of implementation, duration, location, etc. The other plan essentials include business impact assessment, vital record maintenance, recovery task list maintenance, etc. The template also includes information regarding the roles and responsibilities of line managers, senior managers and executives in risk management. It also includes information related to the role of top management in ensuring effective information security governance. The information regarding the budget required for the cybersecurity plan implementation is also provided, along with staff training cost. https://bit.ly/3iSww5L
How close is your organization to being breached | Safe SecurityRahul Tyagi
Traditional methods are certainly limited in their capabilities and this is easily proven by the multitude of breaches businesses were a victim of, across the globe. The 2020 Q3 Data Breach QuickView Report revealed that the number of records exposed in 2020 has increased to 36 billion globally. The report stated that there were 2,953 publicly reported breaches in the first three quarters of 2020 itself! 2020 is already named the "worst year on record" by the end of Q2 in terms of the total number of records exposed. With the growing sophistication of cyber-attacks and global damages related to cybercrime reaching $6 trillion by 2021, we need a solution that simplifies cybersecurity.
To know more about breach probability visit: www.safe.security
Definition of the current global market for Managed Security Services (MSSPs) and a guide to those looking to purchase a service in the future. The presentation also touches on the implications of GDPR on the MSS market.
SOC as a Service manages and monitors your logs, devices, network and assets for internal IT teams. It provides skills to combat cybersecurity threats. Get now! - https://mdr.comodo.com/soc-as-a-service.php?afid=10110
Manoj Purandare - Strategy towards an Effective Security Operations Centre -...Manoj Purandare
Effective Security Operations Centre (SOC) building - by Manoj Purandare. This article sets out a strategy for building an effective SOC using four major steps and an 11-step recipe - for an organisation's or government's safety and security.
What is the NIST Cybersecurity Framework?
Why YOU should care?
How would I apply it?
Would you drive BLINDFOLDED?
A false sense of security?
Without a Security Framework…
Why Cyber Security Framework?
How would I measure my effectiveness?
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
I developed "Cyber Security 101: Training, awareness, strategies for small to medium sized business" for the second annual Small Business Summit on Security, Privacy, and Trust, co-hosted by ADP in New Jersey, October 2013.
I'm preparing for the CISSP next week and also speaking for ISACA, so I created this deck to help my peers with some concepts that appear in the CISM/CISSP and ITIL practitioner exams.
This comprehensive guide delves into the essential types of testing used in cybersecurity to ensure the resilience of digital systems against malicious attacks. From vulnerability assessments and penetration testing to social engineering and security audits, each testing method is examined in detail, providing insights into its purpose, methodology, and significance in safeguarding against cyber threats. Whether you're a cybersecurity professional seeking to deepen your knowledge or a novice looking to understand the fundamentals, this guide offers valuable insights into the world of cybersecurity testing. For more cybersecurity knowledge visit https://bostoninstituteofanalytics.org/data-science-and-artificial-intelligence/#
Reorganizing Federal IT to Address Today's ThreatsLumension
New reports show U.S. government servers are faced with 1.8 billion cyber attacks every month. View this technical presentation on ‘Reorganizing Federal IT to Address Today’s Threats’ by Richard Stiennon, analyst with IT Harvest and author of Surviving Cyber War, and Paul Zimski, VP of Solution Strategy with Lumension, as they examine:
*Today’s threats targeting government IT systems
*How federal IT departments can be reorganized to improve security and operations
*What key endpoint security capabilities should be implemented
Get expert insight and recommendations on improving your approach to securing IT systems from today’s sophisticated threats.
Vulnerability Assessment and Penetration Testing (VAPT) are two distinct but complementary cybersecurity practices used to identify and address security weaknesses in an organization's IT infrastructure, applications, and networks. Both are crucial components of a robust cybersecurity strategy.
Vulnerability Assessment:
Vulnerability Assessment (VA) involves the systematic scanning and analysis of systems, networks, and applications to identify potential security vulnerabilities.
Automated tools are commonly used for vulnerability scanning to efficiently discover known security weaknesses and misconfigurations.
The assessment results in a detailed report outlining the identified vulnerabilities, their severity levels, and potential impacts.
VA is a proactive process, helping organizations prioritize and address vulnerabilities before malicious actors can exploit them.
It is an essential element for maintaining compliance with industry standards and regulations.
Penetration Testing:
Penetration Testing (PT), also known as ethical hacking, involves simulating real-world cyber-attacks on an organization's systems and applications.
Skilled cybersecurity professionals, known as penetration testers or ethical hackers, conduct these tests.
The main objective of penetration testing is to identify and exploit vulnerabilities and weaknesses that may not be detectable by automated scanning tools.
PT goes beyond vulnerability assessment, as it attempts to determine the actual impact and risks associated with successful exploitation.
It provides valuable insights into an organization's security posture and the effectiveness of existing security controls.
https://lumiversesolutions.com/vapt-services/
Risk management is the process of analyzing exposure to risk and determining how to best handle such exposure.
Issues important to top management typically receive a lot of attention from many quarters. Since top management cares about risk management, a number of popular IT risk-management frameworks have emerged.
This slide deck highlights the continued growth and evolution of Core Security Technologies and helps introduce an entirely new product for enterprise security testing and measurement - CORE INSIGHT Enterprise.
Information systems and networks are subjected to electronic attacks. When network attacks hit, organizations are thrown into crisis mode. From the IT department to call centers, to the board room and beyond, all are fraught with danger until the situation is under control. Traditional methods which are used to overcome these threats (e.g. firewall, antivirus software, password protection etc.) do not provide complete security to the system. This encourages researchers to develop an Intrusion Detection System which is capable of detecting and responding to such events. This review paper presents a comprehensive study of Genetic Algorithm (GA) based Intrusion Detection Systems (IDS). It provides a brief overview of rule-based IDS, elaborates the implementation issues of Genetic Algorithms and also presents a comparative analysis of existing studies.
Vulnerability Assessment and Penetration Testing: Safeguarding Digital AssetsAhad
Vulnerability assessment and penetration testing are indispensable tools in the fight against cyber threats. By partnering with trusted cybersecurity providers like Ahad Cybersecurity, organizations can leverage the latest technologies and methodologies to identify, assess, and mitigate potential vulnerabilities, ensuring the security and integrity of their digital assets.
A web application penetration testing service is an ethical hacking service that helps identify security vulnerabilities in web applications. It is also known as a web app pen test or simply a penetration test. The goal is to find all the possible ways that an attacker could gain access to sensitive data or disrupt the normal functioning of the application.
Certified in Risk and Information Systems Control™ (CRISC™) is the most current and rigorous assessment which is presently available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institute.
CRISC helps enterprises understand business risk and have the technical knowledge to implement appropriate IS controls.
This CRISC Certification training course accredited by ISACA is ideal for IT professionals, risk professionals, control professionals, business analysts, project managers, compliance professionals and more.
To know more about CRISC Certification training worldwide,
please contact us at -
Email: support@invensislearning.com
Phone - US +1-910-726-3695,
Website: https://www.invensislearning.com
Paying forward, this deck summarizes key concepts we need to be successful in IT Operations and security, focus is cryptographic controls and their relationship to cryptographic exploits. Please refer to the Networking and Security deck to better understand reference to layers and their associated protocols.
You won't see an image here, but you can download a study module I made for myself. If you'd like some help preparing for the CISSP, here are some study games I made to help me pass. Wishing you the best of luck.
Controlling Risk in Virtualized Environments session discusses practical education and Information Technology approaches providing strategies for effective risk management in Virtualization and Cloud adoption. The topic will cover key cloud concepts & terminology, cloud and virtualization project components and their implications in Information Technology Service Management (ITSM), as well as security and legal aspects in governance. The discussion will be interactive.
Leveraging guidelines proposed in the CompTIA Cloud™ and ITpreneurs Virtualization Essentials™ curriculum, this hour will also outline steps organizations should take to increase their success rate in implementing cloud computing, improve in-house cloud competencies, and decrease dependence on external consultants and services.
Discussion points include:
Service Management - (ITIL):
Cloud computing as a set of technologies and an approach to IT service delivery.
Governance – (COBIT): Detailing ways that risks should be mitigated such that investments generate value.
Information Security- (ISO/IEC 27001):
"Risk Management or Governance" through specific "Policy" where information security ensures that information in the cloud is safe and secure.
Participants in this class will be provided with the ING Cloud Case Study, which they may find useful in preparing their own Corporate Cloud Strategy.
Green Programs Reduce GHG Green House Gas, Green Impact Throughout ICT and IT Service Management
IT solutions aim towards improving the efficient use of computing resources while enabling business services. Green IT simply adds a dimension that reduces the environmental impact of these same solutions while addressing the Triple Bottom Line. EnterpriseGRC Solutions uses Facilitated Compliance Management FCM to enable a successful Green Office Plan and to implement Control Objectives for Sustainable Business, COSB
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing XML documents, and Binutils' readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format) files. Our preliminary results show that AFL+DIAR not only discovers new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
3. The Mission: Resilience
What are our critical assets?
Who is responsible for them?
Is everyone involved in cyber-resilience? Do they have the knowledge and autonomy to make good decisions?
Are we prepared for when there is a successful attack?
Will there be a tried and tested process to follow, or will a cyber attack throw our organization into complete chaos?
4. Types of Security Assessment
Technical Security Testing (ONE)
Security Process Assessment (TWO)
Security Audit (THREE)
5. Audit Velocity increases Maturity
Approach: find a flaw, fix a flaw
Approach: find a lot of flaws and keep a list
Approach: align vulnerability metrics into a continual service improvement model
6. Root Cause Analysis
What is the root cause for any failure?
Example: “metrics indicate 80% of malicious code infections are attributed to vulnerable versions of Java”
What were the steps to create the finding?
What are the expectations as a result of this finding?
What is the measure of Security Program health?
8. Vulnerability Assessment
Scanning systems looking for a set of vulnerabilities (a list)
Looks for common and known vulnerabilities
Uses a scanning tool
Performed in-house and by third parties
Let’s look at common and recommended scanning tools.
Source: Vulnerability Scanning Tools - OWASP
9. Penetration Tests
Red Team Exercises or Ethical Hacking – (Yes, I’m compelled to talk about blue team, but not yet.)
We know we have flaws - a pen test seeks to exploit them
Simulates an attacker (does not cause harm)
Output: identification of susceptible assets (sites)
In short: as good as the people who perform them and as valuable as the reduced risk on the items that get remediated
A red team is an independent group that challenges an organization to improve its effectiveness. The United States intelligence community (military and civilian) has red teams that explore alternative futures and write articles as if they were foreign world leaders.
Source: Red team - Wikipedia, the free encyclopedia
10. Penetration Testing – Operations Evaluation
War Dialing (looking for modems – especially ones plugged into older enterprise hardware)
Sniffing – Wireshark – configuring a monitor port on a managed switch – network tap
Eavesdropping
Radiation monitoring
Dumpster diving
Social Engineering: http://www.lawtechnologytoday.org/2015/03/information-security-threat-social-engineering-and-the-human-element/
You typically insert a network tap inline between two nodes in a network, such as between your firewall and your first switch. ($$$ – not typically in the audit budget.)
11. Security Process Review (two)
Looking for weaknesses and vulnerabilities
Security Assessment Report
Deficient Security Posture
Technology
People
Process
12. Security Process
Process is more than policy, although we start with policy
What are two great frameworks for establishing the necessary procedure and work product to show that the processes are effective?
Cobit5 and NIST Cybersecurity Framework
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf
National Institute of Standards and Technology, U.S. Department of Commerce (Not copyrightable in the United States.)
16. Cobit 5: Process Area Assessment
APO12: Manage Risk, “Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.”
APO13: Manage Security, “Define, operate and monitor a system for information security management.”
DSS05: Manage Security Services, “Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.”
17. Assessment (two) v. Audit (three)
A security assessment is a comprehensive review of systems and applications performed by trained security professionals (CISSP/ CCIE/ CCNA/ CISM)
Security assessments normally include the use of testing tools and go beyond automated scanning
Involves thoughtful review of the threat environment, current and future risk, and value definition of the targeted environments
The output of an assessment is a report addressed to management with recommendations in both technical and non-technical language
18. Auditing Security Assessment & Verification
Compliance checks
Internal and external
Frequency of review
Standard of due care
Internal Audit typically performs assessment for an internal audience
External Audits are performed for external investors and as part of third party due diligence requirements
Third Party review is emphasized to avoid “conflict of interest”
19. Security Audit – Raising the right Bar
Cloud Security Alliance Control Matrix – Cloud Operational Security
Controls Domain and Controls Matrix (98 Controls with Mappings)
Value – architecture, portability and interoperability; physical, network, compute, storage, applications, and data; differentiates service provider versus tenants
United States NIST Publication 200, NIST SP 800-54 rev4 – (mentioned earlier)
PCI-DSS – The Payment Card Industry Data Security Standard
Associated with credit card processing – however, should be true in general – 12 tenets
20. What are the “Related Metrics” from Manage Risk APO12
Continually identify, assess and reduce IT-related risk within levels of tolerance set by enterprise executive management.
Integrate the management of IT-related enterprise risk with overall ERM, and balance the costs and benefits of managing IT-related enterprise risk.
Related Metrics
Degree of visibility and recognition in the current environment
Number of loss events with key characteristics captured in repositories
Percent of audits, events and trends captured in repositories
Percent of key business processes included in the risk profile
Completeness of attributes and values in the risk profile
Percent of risk management proposals rejected due to lack of consideration of other related risk
Number of significant incidents not identified and included in the risk management portfolio
Percent of IT risk action plans executed as designed
Number of measures not reducing residual risk
*Align, Plan and Organize
21. What are the “Related Metrics” from Manage Security APO13
Define, operate and monitor a system for information security management.
Keep the impact and occurrence of information security incidents within the enterprise’s risk appetite levels.
Related Metrics
Number of key security roles clearly defined
Number of security related incidents
Level of stakeholder satisfaction with the security plan throughout the enterprise
Number of security solutions deviating from the plan
Number of security solutions deviating from the enterprise architecture
Number of services with confirmed alignment to the security plan
Number of security incidents caused by non-adherence to the security plan
Number of solutions developed with confirmed alignment to the security plan
*Align, Plan and Organize
22. What are the “Related Metrics” from Manage Security Services DSS05
Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
Minimize the business impact of operational information security vulnerabilities and incidents.
Related Metrics
Number of vulnerabilities discovered
Number of firewall breaches
Percent of individuals receiving awareness training relating to use of endpoint devices
Number of incidents involving endpoint devices
Number of unauthorized devices detected on the network or in the end-user environment
Average time between change and update of accounts
Number of accounts (vs. number of authorized users/staff)
Percent of periodic tests of environmental security devices
Average rating for physical security assessments
Number of physical security-related incidents
Number of incidents relating to unauthorized access to information
* Deliver, Service and Support
23. Technical Security Testing (one)
Goal: assess risk by discovering flaws that persist in systems and applications
Technical testing is looking for security flaws, specifically impacts to confidentiality, integrity or availability: ways to steal, alter or destroy information
Vulnerability Assessments are looking for weakness
Penetration testing adds the human factor
Code review includes errors that make it susceptible, e.g. to buffer overflow, SQL injection, etc.
Phishing is to see what users do when presented with typical malicious email scenarios
Password assessments evaluate password settings and practices (sometimes as a part of scanning)
24. Threat Vectors – Attack surface
Methods attackers use to touch or exploit vulnerabilities
A system’s attack surface represents all of the ways in which an attacker could attempt to introduce data to exploit a vulnerability
If you look at a list of vulnerabilities, you get too much information, so we have to start by analyzing our network and our data, evaluating our assets and their attack surface, then their vulnerabilities to known threats
One way to reduce risk is to minimize the attack vectors
Once we know those vectors, we remediate prioritized threats by reducing the likelihood of exploiting vulnerabilities
25. Shift in attack vectors: Server Side v. Client Side Attacks
Attacks against a listening service are called “Server-side attacks”
TCP server side attacks are initiated by an attacker (client)
Client-side attacks work in reverse, where the victim initiates the traffic, usually by clicking on a link or email.
We have to understand the environment from the perspective of an adversary.
We use threat modelling and ask “Who is the adversary and what does the adversary want to accomplish?”
26. STRIDE – Microsoft Privacy Standard (MPSD) in response to FIPS
Spoofing v. Authentication
Tampering v. Integrity
Repudiation v. Non-Repudiation
Information Disclosure v. Confidentiality
Denial of Service v. Availability
Elevation of Privilege v. Authorization
27. How they get us drives how we protect against them
An external or internal actor is able to perform host discovery
Live systems can be discovered via ARP, ICMP, TCP, UDP traffic, IPv6 neighbor discovery, sniffing packets and reviewing contents
Any person with administrative privilege to network and systems can perform these functions
Many general users can perform some of these functions
Sequence: Perform reconnaissance -> Network enumeration -> Port scanning -> Determine version of OS and services -> Determine vulnerable service versions -> Exploit vulnerabilities
28. Attackers shouldn’t know our weaknesses before we do – We should do something about our weaknesses
Vulnerability assessment determines weakness across our actual attack surface or threat vectors
Tools to run (OWASP): Nessus, Nexpose, OpenVAS, Retina
Once vulnerable systems are identified, procedures to perform limited exploits can involve use of:
The Metasploit Framework (metasploit)
Core Impact (coresecurity)
Immunity Canvas (immunitysec.com)
For Linux, BackTrack and Kali
29. What do you call a person who uses attack tools without permission?
inmate
Penetration testing is a process of HIRING or assigning a whitehat to penetrate an application, system or network
Phases: Business Process, Scope -> Reconnaissance -> Port scanning, VA -> Exploitation -> Post Exploitation
30. Source Code Review – White Box (v. Blackbox) Testing
Cheaper and safer to whitebox, because the effort to “fuzz” code from blackbox has a high probability of impacting systems, and is expensive and time consuming
Code review discovers security vulnerabilities by inspecting the source code of a target application.
Certain C functions are commonly associated with buffer overflow: gets(), strcpy(), strcat()
Compilers usually include security checks, but they need to be run by policy and the results need to be understood.
Compiled code review should be “blackbox”
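As an added example (not code from the deck), here is the strcpy()/strcat() finding a code reviewer flags beside a bounded replacement that refuses oversized input instead of writing past the buffer; NAME_MAX and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* constructed: small buffer so the size limit is easy to hit */

/* The pattern a reviewer flags: strcpy() copies until the source's NUL and never
 * consults the destination size, so any input of NAME_MAX or more bytes writes past
 * the buffer. Kept only to show what the finding looks like; the overflow itself is
 * undefined behaviour, so this is only ever called with short input here. */
void copy_name_unsafe(char dst[NAME_MAX], const char *src)
{
    strcpy(dst, src);                  /* finding: unbounded copy into fixed buffer */
}

/* Hardened form: measure the source (never scanning past dst_len bytes), check it
 * fits with its terminator, and return -1 rather than truncate silently so the caller
 * treats oversized input as an error. dst is always NUL-terminated on return. */
int copy_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    if (dst_len == 0) return -1;
    while (n < dst_len && src[n] != '\0') n++;   /* bounded strlen */
    if (n >= dst_len) {                          /* no room for the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                     /* n + 1 copies the NUL as well */
    return 0;
}

/* Same check for the append case that strcat() gets wrong: the remaining room is
 * the buffer size minus what is already used. */
int append_name_safe(char *dst, size_t dst_len, const char *src)
{
    size_t used = 0;
    while (used < dst_len && dst[used] != '\0') used++;
    if (used >= dst_len) return -1;              /* dst not terminated: refuse */
    return copy_name_safe(dst + used, dst_len - used, src);
}

int main(void)
{
    char buf[NAME_MAX];
    const char *long_input = "a string far longer than sixteen bytes";  /* constructed */
    printf("short: rc=%d buf=\"%s\"\n", copy_name_safe(buf, sizeof buf, "alice"), buf);
    printf("long:  rc=%d buf=\"%s\"\n", copy_name_safe(buf, sizeof buf, long_input), buf);
    return 0;
}
```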
31. Fuzzing is Blackbox – sends unexpected inputs
Automated cramming; exploits poorly constructed interface constraints
Web Application Testing
HTTP Interception Proxy
Code Analysis
Beyond the proxy, dynamic web application scanners attempt to automate assessing the security of customer web apps
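An added example of the black-box idea above, not from the original deck: a small key=value parser (hypothetical target) and a deterministic fuzz harness that feeds it unexpected inputs (empty, delimiter-heavy, embedded NULs, high bytes) and checks buffer invariants with canaries; FIELD_MAX, the alphabet and the seed are constructed.

```c
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 8   /* constructed: tiny on purpose so size limits are hit often */

typedef int (*kv_parser)(const char *in, size_t in_len, char *key, char *val);

/* Target under test (hypothetical): split "key=value" into two FIELD_MAX buffers.
 * Returns 0 on success, -1 if the delimiter is missing or a part would not fit.
 * Both outputs are always NUL-terminated on return. */
int parse_kv(const char *in, size_t in_len, char *key, char *val)
{
    const char *eq = memchr(in, '=', in_len);   /* bounded: input need not be NUL-terminated */
    key[0] = val[0] = '\0';
    if (eq == NULL) return -1;
    size_t klen = (size_t)(eq - in), vlen = in_len - klen - 1;
    if (klen == 0 || klen >= FIELD_MAX || vlen >= FIELD_MAX) return -1;
    memcpy(key, in, klen); key[klen] = '\0';
    memcpy(val, eq + 1, vlen); val[vlen] = '\0';
    return 0;
}

/* Deterministic xorshift PRNG so any failing input can be replayed from the seed. */
static uint32_t rng_state = 1;
static uint32_t rnd(void)
{
    rng_state ^= rng_state << 13; rng_state ^= rng_state >> 17; rng_state ^= rng_state << 5;
    return rng_state;
}

/* Generate one "unexpected" input: random length (including 0) and bytes drawn from
 * an alphabet that over-represents the delimiter, NUL and a high byte. */
static size_t gen_input(char *out, size_t max_len)
{
    static const char alphabet[] = "=a\0=bb==\xff";   /* constructed */
    size_t len = rnd() % (max_len + 1);
    for (size_t i = 0; i < len; i++) out[i] = alphabet[rnd() % (sizeof alphabet - 1)];
    return len;
}

static int canary_ok(const char *c) { return c[0] == 0x5A && c[1] == 0x5A && c[2] == 0x5A && c[3] == 0x5A; }

/* Harness: feed `iterations` generated inputs to `parse` and count invariant violations.
 * Invariants: the canary bytes placed right after each output buffer stay intact and
 * each output still contains a NUL within FIELD_MAX. A non-zero count is a finding. */
int fuzz_kv(kv_parser parse, uint32_t seed, int iterations)
{
    struct { char key[FIELD_MAX]; char c1[4]; char val[FIELD_MAX]; char c2[4]; } s;
    char input[32];
    int violations = 0;
    rng_state = seed ? seed : 1;
    for (int i = 0; i < iterations; i++) {
        memset(&s, 0x5A, sizeof s);              /* canaries (and buffers) start as 'Z' */
        size_t len = gen_input(input, sizeof input);
        parse(input, len, s.key, s.val);
        if (!canary_ok(s.c1) || !canary_ok(s.c2) ||
            memchr(s.key, '\0', FIELD_MAX) == NULL || memchr(s.val, '\0', FIELD_MAX) == NULL)
            violations++;
    }
    return violations;
}
```

Swapping another parser into fuzz_kv() through the function pointer is how a reviewer would check a suspect implementation against the same invariants.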
32. Questions?
Reach out on LinkedIn and we can continue the dialogue.
Good luck in your studies. Hope this was helpful.
Editor's Notes
How is this possible? What is missing?
Let’s put on our Auditor hats. What can we use from Cobit 5 to assess the maturity of the security program in the context of the business and organization?
Process, Purpose, Metrics