[이찬우 강사] Security plus saas security assessment_2021.04

•

0 likes•223 views

Lee Chanwoo

이찬우 강사, Securityplus, Cloudcomputing, Saas security assessment, Risk assessment, practical point of view

Internet

2021 SecurityPlus
SaaS Security Assessment
(From a practical point of view)
이 찬 우

In short,
Customer should consider security in SDLC.

Source Link : https://www.information-age.com/public-cloud-revenue-to-grow-6-3-in-2020-gartner-123490499/
The SaaS market is growing rapidly

Source Link : https://www.bmc.com/blogs/saas-growth-trends/
What are the biggest companies?

Source Link : https://snazlan.wordpress.com/2016/12/09/topic-0020-assessment-vs-evaluation/

10
Preparation → Assessment → F/up → Evaluation

11
“Can refer to various references for SaaS security assessment.”
Preparation
2021 SecurityPlus
SaaS Security Assessment
✓ KISA, Cloud Service Information Security Guide(SaaS)
✓ KISA, Cloud Vulnerability Analysis Guide
✓ SK Infosec, Cloud Security Guide
✓ CIS Benchmark for Cloud Services
✓ Vendor, Reference Architecture Guide for SaaS
Copyright 2021. Chanwoo Lee All rights reserved.
“Must develop our own framework.”

Source Link : https://www.bettercloud.com/monitor/saas-operations-management/
SaaS Management Reference Architecture

13
“Can derive your requirements through a security assessment.”
Assessment
2021 SecurityPlus
SaaS Security Assessment
✓ Service : Business and background
✓ Data : Legal and Privacy
✓ Architecture : Design and Configuration
✓ Application : Vendor and Product
✓ Authority : Accounts and Authentication
✓ Security Control : Data Leakage and Malware
✓ Monitoring : Log feeding and Integration
✓ Stakeholder : Role and Responsibility
Copyright 2021. Chanwoo Lee All rights reserved.
“Must analyze various use cases.”

Source Link : https://securityboulevard.com/2019/04/penetration-testing-for-saas-companies/
SaaS Security Reference Architecture

15
“Must implement the requirements you have derived.”
F/up
2021 SecurityPlus
SaaS Security Assessment
[Data]
✓ Personal Information protection
✓ SSL/TLS Encryption
✓ Data and password Encryption
✓ Data Retention
✓ Tenant Restriction
✓ Sharing and Download permission disable
✓ Upload File Scanning
✓ Validation of file extension
Copyright 2021. Chanwoo Lee All rights reserved.

16
“Must implement the requirements you have derived.”
F/up
2021 SecurityPlus
SaaS Security Assessment
[Access]
✓ SSO/SAML Integration
✓ IP Restriction
✓ Multi-Factor Authentication
✓ Guest Access Control
✓ Session Timeout
✓ Concurrent-session Control
✓ Minimizing Pre-defined roles and permissions
Copyright 2021. Chanwoo Lee All rights reserved.

17
“Must implement the requirements you have derived.”
F/up
2021 SecurityPlus
SaaS Security Assessment
[Etc]
✓ Log management
✓ SIEM integration
✓ Management of API Key, Plug-in, Third-Party Program
✓ Application Configuration Analysis
Copyright 2021. Chanwoo Lee All rights reserved.
“Must discuss with stakeholders in advance.”

Source Link : https://www.hubspot.com/pricing/
SaaS Pricing Model(Subscription)

Source Link : https://www.atlassian.com/ko/software/jira
Issue Tracking system(Ex. JIRA)

20
“Must get visibility and evaluate periodically.”
Evaluation
2021 SecurityPlus
SaaS Security Assessment
✓ Is the Assessment process operating as designed?
✓ What are the ways to improve the Assessment process?
✓ Has the security level of our company increased through
the Assessment process?
✓ Did you miss anything in the Assessment process?
✓ What are the problems you are facing while Assessment
process?
✓ What can you create after solving those problems?
Copyright 2021. Chanwoo Lee All rights reserved.
“Must evaluate on a paper and evidence basis.”

Source Link : https://docs.servicenow.com/
Dashboard(Ex. ServiceNow)

Source Link : https://congruentagile.com/2020/03/16/less-sprint/
Review and Retrospective

24
Wrap-up
Customer should
consider security
in SDLC.
Customer Need to
develop their own
framework.

Changing people through technology
Chanwoo Lee | Richard
Blog blog.naver.com/jg706
Facebook www.facebook.com/jg706
Slideshare www.slideshare.net/jg706
Linkedin www.linkedin.com/in/jg706
Youtube www.youtube.com/channel/UC5Hs9p5_euXJbaf5E7Hx7Ag
jg719411@nate.com | 010-4772-0130

This document provides an overview of Microsoft's Cybersecurity Reference Architectures (MCRA). It begins with an introduction to MCRA and related topics like Zero Trust. It then discusses implementation considerations for architects, technical managers, CIOs, and CISOs. The document outlines various security roles and provides guidance on security strategy, programs, and initiatives. It also lists several Microsoft and third-party resources for security documentation, benchmarks, frameworks, and more. Finally, it discusses key principles for a Zero Trust approach and how Microsoft products can help implement Zero Trust architectures across networks, applications, endpoints, identities, data, and infrastructure.

Endpoint Detection & Response - FireEye

Prime Infoserv

This document summarizes a presentation given by Ranjit Sawant of FireEye. The presentation covered the following key points: 1) Attackers are increasingly leveraging COVID-19 themes in cyber attacks, with malicious emails related to COVID-19 increasing fourfold in March 2020. However, these emails still represent a small percentage of overall malicious emails detected. 2) FireEye Endpoint Security provides capabilities to detect and respond to advanced threats, going beyond just malware to track indicators of compromise, behavior, and attacker techniques across the attack lifecycle. 3) The presentation included a war story example of how FireEye Endpoint Security was used to investigate and respond to a sophisticated nation-state attacker targeting an Asian bank.

2022 Vulnerability Statistics Report.pdf

ssuserc3d7ec1

This document provides statistics on vulnerabilities from assessments performed in 2021 using the Edgescan platform. It finds that 20.4% of full stack vulnerabilities were high or critical risk. Web applications had more critical vulnerabilities but also more low risk issues than the network layer. The average time to remediate vulnerabilities across the full stack was 57.5 days, with critical issues taking longer to fix on the web application/API layer (47.6 days) than the device/host layer (61.4 days). Industries like healthcare had shorter remediation times than public administration and manufacturing. The report aims to demonstrate the state of security based on Edgescan's vulnerability assessments and identify trends.

Introduction à la sécurité informatique

Yves Van Gheem

DTS Solution - Building a SOC (Security Operations Center)

Shah Sheikh

This document discusses building a cyber security operations center (CSOC). It covers the need for a CSOC, its core components including security information and event management (SIEM), and integrating components like monitoring, alerting, and reporting. Key aspects that are important for a successful CSOC are people, processes, and technology. The roles and skills required for people in the CSOC and training needs are outlined. Developing standardized processes, procedures and workflows that align with frameworks like ISO are also discussed.

SplunkLive! Customer Presentation--ServiceNow

Splunk

ServiceNow is an enterprise IT cloud company that transforms IT by automating and managing IT across organizations. It has over 2300 customers and 2100 employees. Justin Dolly is the CISO of ServiceNow. Previously, ServiceNow's security tools were disparate and information was difficult to access. ServiceNow now collects over 400GB of data daily with Splunk, using it as their SIEM to provide threat identification, event correlation, and compliance reporting across the enterprise. Events detected by Splunk trigger actions that push data into ServiceNow, where a security team analyzes events and elevates potential incidents for investigation.

Building a Next-Generation Security Operations Center (SOC)

Sqrrl

So, you need to build a Security Operations Center (SOC)? What does that mean? What does the modern SOC need to do? Learn from Dr. Terry Brugger, who has been doing information security work for over 15 years, including building out a SOC for a large Federal agency and consulting for numerous large enterprises on their security operations. Watch the presentation with audio here: http://info.sqrrl.com/sqrrl-october-webinar-next-generation-soc

Automation: The Wonderful Wizard of CTI (or is it?)

MITRE ATT&CK

The document describes MITRE's Threat Report Automated Mapper (TRAM) tool, which uses machine learning to automatically map cyber threat reports to MITRE ATT&CK techniques. TRAM aims to streamline the process of analyzing reports and adding information to ATT&CK, though challenges remain around prediction accuracy and identifying new techniques. The document outlines TRAM's development process and discusses balancing automation with human analysis to better integrate cyber threat intelligence into ATT&CK.

This document discusses Mandiant's incident response methodology and technology. It covers their evolution of incident response approaches over time from disk forensics to memory forensics to live response. Mandiant's current approach involves hunting across endpoints and networks using indicators of compromise to identify compromised systems. They deploy network and host sensors to gain visibility and conduct deep analysis using tools like Mandiant Incident Response and Network Traffic Analysis Platform. The document also outlines Mandiant's incident response services and how they help organizations understand risk, identify compromises, and prepare for future incidents.

Cyber Security Emerging Threats

isc2dfw

Michael Saylor is the executive director of Cyber Defense Labs at UT Dallas. The document discusses current cyber security trends and emerging threats. Recent trends in 2013 included an increase in attacks with web and social engineering components as well as politically motivated DDoS attacks. Mobile devices and applications are increasingly being targeted, as are advanced persistent threats from groups like China's APT1. Emerging threats discussed include the potential for increased cyber crime and terrorism from groups funded by drug cartels and foreign states. The document recommends best practices for organizations like user education, monitoring, encryption, and frequent security assessments.

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...

Edureka!

Risk Analysis Of Banking Malware Attacks

Marco Morana

Politiques Sécurité de l'Information - [SCASSI] [Club 27001] [TLS] [2013]Sébastien Rabaud

Profiling your Java Application

Victor Rentea

The biggest challenge in performance tuning is identifying the root cause of the bottleneck. Once you find it, the fix often becomes trivial. However, this detective work takes patience, skills, and effort, so we often attempt to guess the cause, by trying out tentative fixes. The result: messy code, waste of time and money, and frustration. During this talk you will learn how to correctly zoom in on the bottleneck using three levels of profiling: distributed tracing with Zipkin, metrics with Micrometer, and profiling with the Java Flight Recorder already built into your JVM. We’ll focus on the latter and learn how to read a flame graph to trace some common issues of backend systems like connection/thread pool starvation, time-consuming aspects, hot methods, and lock contention, even if these occur in library code you did not write.

Secure software development presentation

Mahdi Dolati

The document discusses web application security and secure development. It covers common web attacks like SQL injection and cross-site scripting. It then provides solutions to these attacks such as validating user input, using parameterized queries, and encoding output. It emphasizes the importance of baking security into the entire development process through training, threat modeling, secure coding practices, and security testing.

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

From MITRE ATT&CKcon Power Hour October 2020 By: Aunshul Rege, Associate Professor, Temple University, @prof_rege Rachel Bleiman, PhD Student/NSF Graduate Research Assistant, Temple University, @rab1928 This presentation from the MITRE ATT&CKcon Power Hour session on October 9, 2020, explores the application of the MITRE ATT&CK® and PRE-ATT&CK matrices in cybercrime education and research. Specifically, Rege and Bleiman demonstrate the mapping of the PRE-ATT&CK matrix to social engineering case studies as an experiential learning project in an upper-level cybercrime liberal arts course. It thus allows students to understand the alignment process of threat intelligence to the PRE-ATT&CK framework and also learn about its usefulness/limitations. The talk also discusses the mapping of the ATT&CK matrix, tactics, techniques, software, and groups for two cybercrime datasets created by collating publicly disclosed incidents: (i) critical infrastructure ransomware (CIRW) incidents, and (ii) social engineering (SE) incidents. For the CIRW dataset, 39% of the strains mapped onto the ATT&CK software. For the SE dataset, 49% of the groups and 65% of the techniques map on to the MITRE framework. This helps the researchers identify the framework's usefulness/limitations and also helps our datasets connect to richer information that may not otherwise be available in the publicly disclosed incidents.

PRA et PCA : plans de reprise et de continuité d'activité

Christophe Casalegno

SOC Lessons from DevOps and SRE by Anton Chuvakin

Anton Chuvakin

Swift-cyber-attacks.pptx

AmineRached2

This document discusses cyber attacks on the SWIFT global financial messaging network. It begins by providing background on SWIFT and explaining that cyber attacks on the network are a growing concern. It then describes different types of SWIFT attacks, including unauthorized fund transfers, data theft, malware infections, and others. Notable past attacks are discussed, such as the 2016 Bangladesh Bank heist where $81 million was stolen. The document stresses that coordinated prevention and response strategies are needed across borders to safeguard systems from these sophisticated cyber threats.

Cybersecurity: Cyber Risk Management for Banks & Financial Institutions

Shawn Tuma

Everyone should now understand that no bank or financial institution is immune from cyber risk. Many are now ready to move forward with improving their cyber risk posture but do not know what to do next or how to prioritize their resources. Recognizing that cybersecurity is an overall business risk issue that must be properly managed to comply with many laws and regulations governing banks and financial institutions, this presentation will provide a strategy for how to better understand and manage such risks by: (1) Providing an overview of the legal and regulatory framework; (2) Examining the most likely real-world risks; and (3) Providing strategies for how to manage such risks, including cyber insurance and the development and implementation of an appropriate cyber risk management program (which is not as difficult as it sounds). Shawn E. Tuma, cybersecurity and data privacy attorney at Spencer Fane, LLP, delivered the presentation titled Cybersecurity: Cyber Risk Management for Banks & Financial Institutions (and Attorneys Who Represent Them) at the Southwest Association of Bank Counsel 42nd Annual Convention on September 20, 2018 (formerly, Texas Association of Bank Counsel).

ATT&CK Updates- ATT&CK's Open Source

MITRE ATT&CK

Jared Ondricek leads software development for ATT&CK. Recent updates include adding ICS content to the website, improving detection objects and campaigns pages, custom links and SVG export in Navigator, authentication and other improvements in Workbench, transitioning the TAXII server to STIX 2.1 and OpenAPI, merging the Python library with other scripts, and planning to centralize GitHub documentation. Future work includes further Workbench, TAXII, and Python improvements along with a centralized GitHub landing page.

Understanding Cyber Kill Chain and OODA loop

David Sweigert

The document discusses using an attacker's tactics and techniques to design effective cybersecurity defenses. It provides examples of mapping security controls and tools to different stages of common attack models like the Lockheed Martin Kill Chain. This allows an organization to see where in the attack cycle they have visibility and can disrupt threats. The document advocates taking a strategic, intelligence-driven approach to cyber defense by understanding adversaries' full operations in order to implement controls earlier in the attack cycle.

Security patterns and model driven architecture

bdemchak

This document provides an overview of security patterns and model driven architecture. It summarizes three papers on using security patterns to model security requirements. The document discusses how security patterns can be used to address the common problem of irregular and haphazard application of security measures leading to insecure systems. It describes Cheng's approach of revising the security pattern template to allow formal verification of requirements. Rosado's approach is also summarized, which presents a standardized security pattern template and evaluates several common security patterns. The document provides context on how security patterns can help capture expertise to facilitate secure systems design.

Automating the mundanity of technique IDs with ATT&CK Detections Collector

MITRE ATT&CK

From ATT&CKcon 3.0 By Marcus LaFerrera and Ryan Kovar, Splunk Since the release of MITRE ATT&CK, vendors and governmental bodies have begun mapping their security blogs, whitepapers, and threat intel reports to ATT&CK TTPs, which is incredible! Vendors have then begun mapping their detections to those mapped TTPs, which is even more awesome! What is not awesome is dissecting a piece of prose for all of the specific embedded ATT&CK technique IDs and then mapping them to your detections to determine coverage. Over the last year, the team at Splunk has spent more time doing this than they would like to admit, so they wrote a tool to do it for them and want to share it with the world. Join the Splunk team as they tell the world about ATT&CK Detections Collector (ADC). ADC is an open-source python tool that will allow you to extract MITRE technique IDs from a third-party URLs and output them into a file. If you use Splunk, the team even maps them to their existing (previously mapped) detection corpus. They even added the ability to export them into a navigator json for fun, profit, or (at least) better visualization!

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

The document discusses building a security operations center (SOC). It defines a SOC as a centralized unit that deals with security issues on an organizational and technical level. It monitors, assesses, and defends enterprise information systems. The document discusses whether to build an internal SOC or outsource it. It also covers SOC technologies, personnel requirements, and the five generations of SOCs. It provides resources for learning more about designing and maturing a SOC.

FireEye Portfolio

Prime Infoserv

FireEye provides cybersecurity products and services including threat intelligence, security consulting, incident response, and security technologies. The document outlines FireEye's offerings including threat intelligence subscriptions, security products like network security and email security, security services like incident response and expertise on demand, and consulting services from Mandiant. FireEye differentiates itself through its threat intelligence capabilities which leverage insights from responding to breaches and its security technologies.

COBIT®5 - Foundation

Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker

July 31, 2020 - CSA LA event slides

SoCalLAAdmin

This document discusses managing misconfigurations in DevOps and infrastructure as code (IaC). It notes that rapid cloud service growth and learning curves can lead to misconfigurations and lack of visibility. The top 5 areas where AWS configurations fail conformance checks are EC2, EBS, S3, resource groups, and CloudFormation templates. Continuous monitoring and remediation tools are needed to detect and fix misconfigurations to reduce security incidents by 80%. Hands-on experience with tools like Cloud Conformity is offered to analyze IaC and live environments against best practices.

Cloud computing elisheba wiggins

Elisheba Wiggins

This document provides an overview of cloud computing. It discusses the different service models of cloud computing including Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). The document outlines some tips for getting started with each service model and highlights key considerations like security, costs, and customization options. It also discusses challenges of cloud computing and debunks some common myths. The future of cloud computing is presented as continuing rapid growth with the global market expected to increase to $241 billion by 2020.

What's hot

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

MITRE - ATT&CKcon

The Internal Signs of Compromise

FireEye, Inc.

Cyber Security Emerging Threats

isc2dfw

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...

Edureka!

Risk Analysis Of Banking Malware Attacks

Marco Morana

Politiques Sécurité de l'Information - [SCASSI] [Club 27001] [TLS] [2013]Sébastien Rabaud

Profiling your Java Application

Victor Rentea

Secure software development presentation

Mahdi Dolati

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

MITRE - ATT&CKcon

PRA et PCA : plans de reprise et de continuité d'activité

Christophe Casalegno

SOC Lessons from DevOps and SRE by Anton Chuvakin

Anton Chuvakin

Swift-cyber-attacks.pptx

AmineRached2

Cybersecurity: Cyber Risk Management for Banks & Financial Institutions

Shawn Tuma

ATT&CK Updates- ATT&CK's Open Source

MITRE ATT&CK

Understanding Cyber Kill Chain and OODA loop

David Sweigert

Security patterns and model driven architecture

bdemchak

Automating the mundanity of technique IDs with ATT&CK Detections Collector

MITRE ATT&CK

An introduction to SOC (Security Operation Center)

Ahmad Haghighi

FireEye Portfolio

Prime Infoserv

COBIT®5 - Foundation

Mirosław Dąbrowski C-level IT manager, CEO, Agile, ICF Coach, Speaker

What's hot (20)

MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...

The Internal Signs of Compromise

Cyber Security Emerging Threats

Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...

Risk Analysis Of Banking Malware Attacks

Politiques Sécurité de l'Information - [SCASSI] [Club 27001] [TLS] [2013]

Profiling your Java Application

Secure software development presentation

Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research

PRA et PCA : plans de reprise et de continuité d'activité

SOC Lessons from DevOps and SRE by Anton Chuvakin

Swift-cyber-attacks.pptx

Cybersecurity: Cyber Risk Management for Banks & Financial Institutions

ATT&CK Updates- ATT&CK's Open Source

Understanding Cyber Kill Chain and OODA loop

Security patterns and model driven architecture

Automating the mundanity of technique IDs with ATT&CK Detections Collector

An introduction to SOC (Security Operation Center)

FireEye Portfolio

COBIT®5 - Foundation

Similar to [이찬우 강사] Security plus saas security assessment_2021.04

July 31, 2020 - CSA LA event slides

SoCalLAAdmin

Cloud computing elisheba wiggins

Elisheba Wiggins

Finance Technologies: Buy or Rent

ScottMadden, Inc.

This document discusses Software as a Service (SaaS) and when it may be preferable to traditional on-premise software for finance technologies. It finds that SaaS offers lower upfront costs, faster implementation, and easier upgrades than on-premise options. However, concerns include data security, customization limitations, and reliance on internet connectivity. SaaS maturity varies by application, with ERP becoming more cloud-based and specialized finance functions often having proven SaaS solutions. Companies should consider SaaS when requirements can be met, costs are lower over time, and legal/security issues are addressed by the vendor.

Build a complete security operations and compliance program using a graph dat...

Erkang Zheng

Attackers think in graphs; defenders operate with lists. That’s why attackers win. What if we could have a graph-based, data-driven security and compliance platform that can: · intelligently analyze my environment, · automatically keep up with the constant changes, · help us understand and navigate that complexity, and · manage compliance in a data-driven, continuous way. This presentation describes how my security team built our security operations and automate compliance evidence collection using a graph database. There are also actual screenshots from the JupiterOne platform showing the discovery of thousands of assets from connected AWS accounts and other cloud providers; the configuration analysis of these resources; the query and search with graphs to visualize the relevant relationships; as well as the alerts, findings, and compliance mapping. All without the need for additional 3rd party solutions.

Multi cloud governance best practices - AWS, Azure, GCP

Faiza Mehar

Up 2011-ken huang

Ken Huang

The document discusses several initiatives and standards for cloud identity management including OASIC IDCloud, OpenGroup Jericho, CSA's Trusted Cloud Initiative, Simple Cloud Identity Management (SCIM), and NSTIC. It provides an overview of each, including their goals and focus areas such as use cases, interoperability profiles, and recommendations around identity provisioning, authentication, federation, and access control. The document also outlines why traditional identity and access management is insufficient for the cloud and why cloud providers and consumers need improved identity management.

Cloud Seeding

Trish McGinity, CCSK

This document provides an overview of IT/Network Operations concepts and strategies to improve cloud production. It begins with Joe Dietz introducing himself as a Network Security Professional and listing his current certifications. It then discusses various local user groups and events related to cloud security. The document covers topics such as selecting public vs private clouds, choosing cloud providers and applications, operational considerations, and approaches to connecting networks to the cloud such as extending datacenters or enabling edge services. It emphasizes that moving to the cloud still requires planning and not all applications are good candidates. The summary concludes by mentioning related reading on hybrid cloud services and tools.

Codeless Security for the Apps You Buy & Build on AWS

CloudLock

Comparing cloud-computing-providers-11-factors-to-consider-profit bricks-ebook

ProfitBricks

The document outlines 11 criteria to consider when evaluating Infrastructure as a Service cloud computing providers: 1) References from past customers about reliability, quality of service, and support. 2) Details of the Service Level Agreement and compensation for downtime. 3) Documentation, ease of setup, and first impressions. 4) Performance metrics like storage input/output and network bandwidth.

Security that works with, not against, your SaaS business

CloudPassage

The document discusses security challenges for software-as-a-service (SaaS) businesses and how CloudPassage's Halo platform addresses them. Cloud-based development complicates traditional security approaches. Halo automates security controls across cloud infrastructures to enhance visibility, simplify compliance, and support agile development without slowing it down. Case studies show how Halo has helped large companies secure their transition to SaaS-based models and secure acquisitions built in public clouds.

(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...

Amazon Web Services

This session tells the story of how security-minded enterprises provide end-to-end protection of their sensitive data in AWS. Learn about the enterprise security architecture design decisions made by Fortune 500 organizations during actual sensitive workload deployments, as told by the AWS security solution architects and professional service security, risk, and compliance team members who lived them. In this technical walkthrough, we share lessons learned from the development of enterprise security strategy, security use-case development, end-to-end security architecture and service composition, security configuration decisions, and the creation of AWS security operations playbooks to support the architecture.

Secure development 2014

Ariel Evans

The document discusses how the CIO can help deliver value through embracing new technologies and processes related to agile development, mobile, cloud, big data, and security. It provides examples of how IT is changing to focus on systems of engagement that are personalized, social, and analytics-driven. The document advocates involving information security early in the development process through representative in development teams and establishing security budgets at the start of projects to help improve organizational processes and security.

Geting cloud architecture right the first time linthicum interop fall 2013

David Linthicum

The document discusses best practices for cloud architecture. It notes that many current cloud systems lack proper architecture and do not meet expectations due to issues like inefficient resource utilization, outages, lack of security and tenant management. Common mistakes made are not understanding how to scale architectures, deal with tenants, implement proper security, or use services correctly. The document provides guidance on developing a solid cloud architecture, including determining business needs, designing with services in mind, creating security and governance plans, and migrating only components that provide value to the cloud. It emphasizes focusing on core services like data, transactions and utilities, and building for tenants rather than individual users.

Lightning Workshop London

Keir Bowden

(SACON) Anant Shrivastava - cloud pentesting

Priyanka Aash

The document discusses cloud pentesting techniques. It provides an agenda for a cloud pentesting training session that includes an introduction to cloud computing, the major cloud vendors and their product offerings, differences between cloud and conventional pentesting, exploring attack surfaces in Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). It discusses techniques such as exploiting metadata APIs, abusing cloud storage, attacking identity and access management services. The document also contains disclaimers and information about the speaker.

Webinar–That is Not How This Works

Synopsys Software Integrity Group

During a recent webinar, Jonathan Knudsen presented: "That's Not How This Works: All Development Should Be Secure." Development teams are pressured to push new software out quickly. But with speed comes risk. Anyone can write software, but if you want to create software that is safe, secure, and robust, you need the right process. Webinar attendees will learn: • Why traditional approaches to software development usually end in tears and heartburn • How a structured approach to secure software development lowers risk for you and your customers • Why automation and security testing tools are key components in the implementation of a secure development life cycle For more information, please visit our website at www.synopsys.com/software-integrity.html

Best Practices for Your CMP RFP or RFI

RightScale

Migrating to Cloud? 5 motivations and 10 key security architecture considerat...

Yew Weisin

1) The document discusses key considerations for developing a secure cloud migration strategy, including strategic alignment, security management and governance, access management, data classification and management, encryption, monitoring and reporting, and identity and access management. 2) It identifies 10 key security architecture considerations for cloud migration: division of responsibility, multi-tenancy, data classification and management, encryption and key management, monitoring and reporting, access management, business continuity, risk assessment, change management, and security as a service. 3) The document emphasizes that access management is one of the most critical security areas for cloud, and identity and access management as a service and cloud access security brokers are growing trends to help govern cloud services.

Spring Cloud Stream: What's New in 2.x—and What's Next?

VMware Tanzu

Microservices architecture redefined the concept of a modern application as a set of independent, distributed, and loosely coupled services running in the cloud. Spring Cloud Stream is a framework for building these services and connecting them with shared messaging systems. In this hands-on session, we’ll look at some of the new features and enhancements that are already part of the 2.0 line, and discuss what we’re working on and what to expect. Presenter : Oleg Zhurakousky, Pivotal

Cloud Computing and Security - by KLC Consulting

kylelai

Here is the presentation about the cloud computing fundamentals, what it is, what it take to go to cloud computing environment, what questions to ask before you jump into cloud computing, what risk and security measures you should understand. Afterviewing this presentation you should have basic understanding about cloud computing and cloud security. This presentation also provides cloud computing and security resources and links for more informations on cloud computing security.

Similar to [이찬우 강사] Security plus saas security assessment_2021.04 (20)

July 31, 2020 - CSA LA event slides

Cloud computing elisheba wiggins

Finance Technologies: Buy or Rent

Build a complete security operations and compliance program using a graph dat...

Multi cloud governance best practices - AWS, Azure, GCP

Up 2011-ken huang

Cloud Seeding

Codeless Security for the Apps You Buy & Build on AWS

Comparing cloud-computing-providers-11-factors-to-consider-profit bricks-ebook

Security that works with, not against, your SaaS business

(SEC311) Architecting for End-to-End Security in the Enterprise | AWS re:Inve...

Secure development 2014

Geting cloud architecture right the first time linthicum interop fall 2013

Lightning Workshop London

(SACON) Anant Shrivastava - cloud pentesting

Webinar–That is Not How This Works

Best Practices for Your CMP RFP or RFI

Migrating to Cloud? 5 motivations and 10 key security architecture considerat...

Spring Cloud Stream: What's New in 2.x—and What's Next?

Cloud Computing and Security - by KLC Consulting

More from Lee Chanwoo

AI_introduction and requirements(2024.05.12).pdf

Lee Chanwoo

[이찬우 강사] bithumb_Privacy_Lecture(2021.12)

Lee Chanwoo

[이찬우 강사] Information security and digital sex crime_lecture(2020.09)

Lee Chanwoo

[이찬우 강사] Hyundai hcn busan_4th_indusry(2020.02.13)

Lee Chanwoo

[이찬우 강사] Persons with disabilities education(2020.02.05)

Lee Chanwoo

[이찬우 강사] Study on isms-p integration issues and major defects(20181017)

Lee Chanwoo

[이찬우 강사] Osstem implant information security education_final version(20181011)

Lee Chanwoo

[이찬우 강사] Sua_mentoring_career war vs employment battle_final_version(20180901)

Lee Chanwoo

[이찬우 강사] Korea it information security academy public seminar presentation_st...

Lee Chanwoo

[이찬우 강사] Korea it information security academy dongyang mirae university job ...

Lee Chanwoo

[이찬우 강사] Hsp 4th industry innovation and financial security fn(20180721)

Lee Chanwoo

[이찬우 강사] Global convergence forum security of crypto currency exchange 20180714

Lee Chanwoo

[이찬우 강사] Ing life information security education 20180625 final version

Lee Chanwoo

[이찬우 강사] Gyeonggi Institute of Science & Technology Promotion_employee inform...

Lee Chanwoo

Cyber resilience 201705

Lee Chanwoo

사이버 보안 트렌드_이찬우_2018020309_최종발표버전

Lee Chanwoo

Isaca knowledge concert 금융보안 발표자료 이찬우(2017.07.17)_final

Lee Chanwoo

2016 sua 발표스터디 이찬우

Lee Chanwoo

2016 레몬세미나 발표자료 이찬우 final

Lee Chanwoo

This document discusses three key aspects of customizing security that everyone should know. It discusses (1) creating one's own security framework, (2) realizing threats and what is known, and (3) distinguishing between important and unimportant security issues in an increasingly complex IT environment. The document emphasizes the importance of having an accurate concept, broadening one's insights, and defining what is necessary versus optional in one's security approach.

2016 산업보안 공모전 일반부 장려상

Lee Chanwoo

More from Lee Chanwoo (20)