6 Steps for Securing Offshore Development
Agile Outsourcing Conference 2014 @ Delft, Netherlands
Who's presenting?
Marudhamaran Gunasekaran
• Security Expert @ Prowareness, Bangalore
• Information Security
• Secure Programming Practices
• Compliance (ISO 27001)
• EC-Council Certified Security Analyst (Ethical Hacker), Professional Scrum Master
• Open source enthusiast - writes a lot of code, hacks applications
• OWASP Zed Attack Proxy contributor
Security?
Security: feeling, reality, wisdom
• No panacea / silver-bullet solution
• Trade-offs
• Ignorance is no excuse
Security – Lion and Rabbit analogy
Security – Rabbit's good trade-off
Security – Rabbit's good trade-off – make family
Security – Bad trade-off: RIP rabbit
Threat / Risk
Threat = potential violation of security
Risk = perceived threat × value of asset × loss incurred
Security
• Set of activities undertaken to protect systems from known/unknown threats and attacks
• State of being protected from known/unknown threats and attacks
Perfect Security?
http://infosanity.files.wordpress.com/2010/06/dilbert-securitycia.gif
Security Triangle
6 Risk categories - Outline
Loss of Control
• Unlimited access
• Physical security & data loss
Network complexity
• Exposing intranet to internet
• Intrusions
Policies and Procedures
• Incomplete security policies
• Procedures without audits
Intellectual Property Issues
• Data breaches
• Breach of confidentiality
Software Quality
• Security bugs
• Legacy software
Insider Threats
• Malicious insiders
• Social engineering baits
Loss of control
Unlimited privileged access to internal systems
• Apply the principle of least privilege to offshore development teams, and to everybody else as well
• Just-in-time, time-bound access to critical production/deployment systems, gated by manual approval [more workflow?]
Unrestricted data access
• Identify roles and define the access each role needs
• Implement access control lists for file systems, directory services (e.g. LDAP) and other assets
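The two controls above (standing least-privilege roles, and time-bound production access that a second person must approve) can be expressed as one small policy check. The code below is an added example written for this page, not code from the slides or from Prowareness; the roles, users and resource names are invented, and a real deployment would back it with the identity provider and an audit store rather than an in-memory list.

```python
"""Least privilege with just-in-time, time-bound, approval-gated access.

Added example, not from the original slides. Roles, users and resource
names are made up for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

# Standing permissions per role: the least an offshore developer or an SRE
# needs day to day. Nobody has "deploy" on production as a standing right.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "offshore-dev": {("repo:payments", "read"), ("repo:payments", "write"),
                     ("ci:staging", "deploy")},
    "sre": {("ci:staging", "deploy"), ("prod:db", "read")},
}


@dataclass
class Elevation:
    """A request for temporary extra access; inactive until approved."""
    user: str
    resource: str
    action: str
    ttl: timedelta
    approved_by: Optional[str] = None
    expires_at: Optional[datetime] = None


@dataclass
class AccessControl:
    user_roles: Dict[str, Set[str]]
    elevations: List[Elevation] = field(default_factory=list)
    audit_log: List[str] = field(default_factory=list)

    def request_elevation(self, user: str, resource: str, action: str,
                          ttl: timedelta) -> Elevation:
        req = Elevation(user, resource, action, ttl)
        self.elevations.append(req)
        return req

    def approve(self, req: Elevation, approver: str, now: datetime) -> None:
        """The manual approval step: a second person starts the clock."""
        if approver == req.user:
            raise PermissionError("self-approval is not allowed")
        req.approved_by = approver
        req.expires_at = now + req.ttl
        self.audit_log.append(
            f"{now.isoformat()} {approver} approved {req.user} "
            f"{req.action} on {req.resource} until {req.expires_at.isoformat()}")

    def is_allowed(self, user: str, resource: str, action: str,
                   now: datetime) -> bool:
        # 1. Standing permissions that come with the user's roles.
        for role in self.user_roles.get(user, set()):
            if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
                return True
        # 2. Approved elevations whose time window is still open.
        for e in self.elevations:
            if ((e.user, e.resource, e.action) == (user, resource, action)
                    and e.approved_by is not None
                    and e.expires_at is not None and now < e.expires_at):
                return True
        return False


def demo() -> Tuple[bool, bool, bool, bool, bool, bool, int]:
    """Walk through one elevation lifecycle; returns the decisions in order."""
    t0 = datetime(2014, 6, 1, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl(user_roles={"alice": {"offshore-dev"}, "bob": {"sre"}})
    standing = ac.is_allowed("alice", "repo:payments", "write", t0)
    prod_before = ac.is_allowed("alice", "prod:web", "deploy", t0)
    req = ac.request_elevation("alice", "prod:web", "deploy", timedelta(hours=2))
    pending = ac.is_allowed("alice", "prod:web", "deploy", t0)   # not yet approved
    try:
        ac.approve(req, "alice", t0)
        self_approved = True
    except PermissionError:
        self_approved = False
    ac.approve(req, "bob", t0)
    active = ac.is_allowed("alice", "prod:web", "deploy", t0 + timedelta(minutes=30))
    expired = ac.is_allowed("alice", "prod:web", "deploy", t0 + timedelta(hours=3))
    return standing, prod_before, pending, self_approved, active, expired, len(ac.audit_log)


if __name__ == "__main__":
    print(demo())  # (True, False, False, False, True, False, 1)
```

The point to notice is that nobody holds a standing `deploy` right on production: `is_allowed` only returns true for it while an approved elevation is inside its window, and the approval line written to `audit_log` is the record an auditor would ask for.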
Loss of control
Physical security breaches
• Audit the offshore premises for weak physical security controls
• Access cards, preferably with biometric access, regularly audited by IT
• Secure the trash: shredders to defeat dumpster diving
Data loss
• Ensure data is backed up every night to secure (off-site) locations, and test the restores
• Use snapshot technologies for virtual machine operating systems and network configuration
• RAID for disk-failure tolerance plus deduplicated backups; RAID alone is not a backup, since it faithfully replicates deletions and corruption
Overreacting to Risk
"I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible."
- Bruce Schneier
https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
Network complexity
Exposing intranet to the internet
• Implement a Virtual Private Network rather than exposing internal services directly
• Use current, well-reviewed encryption and hashing for VPN passphrases and tunnels, and retire algorithms as they become deprecated
• Plan and implement a DMZ (demilitarized zone) for offshore connections
• TLS everywhere, with certificate validation enforced on clients, to prevent man-in-the-middle (MitM) attacks and sniffing
Network complexity
Network intrusions
• Assume breach: segment the network so that an intrusion can be isolated and contained
• Strict intrusion prevention rules and firewall traffic monitoring [IDS/IPS]
• Implement strict password policies with good complexity and expiry; note that scheduled expiry is no longer recommended by NIST SP 800-63B, which favours length and screening against leaked-password lists over forced rotation
[Link: password attacks and hashes]
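To make the last two points concrete, the following added example (written for this page; not the slides' own code) contrasts an unsalted fast hash, which a dictionary attack recovers with one hash per candidate, with salted, iterated PBKDF2 storage, and adds a policy check that screens against a leaked-password list. The wordlist is constructed, the PBKDF2 iteration count is an illustrative value to be tuned upward on current hardware, and the 12-character minimum is an assumed policy.

```python
"""Password storage and policy checks.

Added example, not from the original slides. WORDLIST is a constructed
stand-in for a leaked-password list; ITERATIONS is illustrative.
"""
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed wordlist standing in for a breach/common-password list.
WORDLIST = ["password", "123456", "Welcome1", "Summer2014!", "letmein"]

ITERATIONS = 200_000  # PBKDF2 work factor; raise until one hash takes ~100 ms


def weak_hash(password: str) -> str:
    """Unsalted SHA-1: fast, and identical for every user with the same password."""
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(target_hex: str, wordlist: List[str]) -> Optional[str]:
    """Recover a weakly hashed password by hashing each candidate once."""
    for candidate in wordlist:
        if weak_hash(candidate) == target_hex:
            return candidate
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256; the record carries its own parameters."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(dk.hex(), dk_hex)


def policy_violations(password: str, blocklist: List[str] = WORDLIST) -> List[str]:
    """Return the reasons a candidate password fails the policy (empty = accepted)."""
    problems = []
    if len(password) < 12:                       # assumed minimum length
        problems.append("shorter than 12 characters")
    if password.lower() in {w.lower() for w in blocklist}:
        problems.append("appears in the leaked/common password list")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    return problems


if __name__ == "__main__":
    print(dictionary_attack(weak_hash("Welcome1"), WORDLIST))   # Welcome1
    print(policy_violations("Welcome1"))
    record = hash_password("Correct-Horse-Battery-9")
    print(verify_password("Correct-Horse-Battery-9", record))   # True
```

Two things are worth checking in your own systems: the stored record should carry the algorithm, work factor and salt (so the work factor can be raised later without a flag day), and the comparison must be constant-time.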
Security policies and procedures
Incomplete security policies and no audits
• Review the security policies and conduct an audit; hire a consultant if required
• Outline and require tailored security policies at offshore, based on ISO 27001, HIPAA, PCI DSS or other standards pertaining to the field of operation
• In case of doubt, ask the offshoring partner for security recommendations
• Verify whether the offshoring partner has a dedicated team or a Center of Excellence for Information Security staffed with certified professionals [CEH, OSCP, CISSP and similar certifications]
Security policies and procedures
No malware protection
• Ensure a centrally managed (client-server) malware protection system with up-to-date signatures is in place
• Ensure intrusion prevention/detection systems (IPS/IDS) are updated with the latest rule sets
• Ensure systems at offshore are patched regularly, for both application software and operating systems
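IDS rule sets are detection logic over an event stream; the added example below (not from the slides) shows the shape of one such rule, run over constructed sshd log lines: flag a source address that produces five failed logins inside a sliding sixty-second window, and emit the firewall rule an IPS would apply. The log lines use documentation address ranges, and the thresholds are illustrative.

```python
"""Failed-login burst detection over sshd-style log lines.

Added example, not from the original slides. SAMPLE_LOG is constructed
data; the iptables rule string is what an IPS would apply, it is not run here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Jun 12 10:00:01 bastion sshd[2100]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 12 10:00:03 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jun 12 10:00:04 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun 12 10:00:06 bastion sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Jun 12 10:00:09 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jun 12 10:00:15 bastion sshd[2105]: Accepted publickey for deploy from 198.51.100.22 port 40000 ssh2
Jun 12 10:03:30 bastion sshd[2106]: Failed password for alice from 198.51.100.22 port 40001 ssh2
Jun 12 10:03:45 bastion sshd[2107]: Accepted password for alice from 198.51.100.22 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_line(line: str, year: int = 2014) -> Optional[Dict]:
    """Syslog lines carry no year; the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Alert once per source IP that reaches `threshold` failures inside a sliding window."""
    recent = defaultdict(list)   # ip -> [(ts, user), ...] still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["outcome"] != "Failed":
            continue
        bucket = recent[ev["ip"]]
        bucket.append((ev["ts"], ev["user"]))
        while bucket and ev["ts"] - bucket[0][0] > window:
            bucket.pop(0)            # expire failures older than the window
        if len(bucket) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "count": len(bucket),
                "users": sorted({u for _, u in bucket}),
                "first": bucket[0][0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


def block_rule(alert: Dict) -> str:
    """The firewall action an IPS would take for the alert (iptables syntax)."""
    return f"iptables -A INPUT -s {alert['ip']} -j DROP"


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert, block_rule(alert))
```

The single failure from 198.51.100.22 followed by a successful login is the normal mistyped password and stays below threshold; the rule only fires on the burst from 203.0.113.7. A real rule set would also watch for the slower, distributed pattern that stays under any per-IP threshold.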
Intellectual property issues
Data breaches
• Identify the data that needs to be protected and assign an owner responsible for it
• Ensure removable drives/media are disabled at offshore
• Filter/anonymize production data before transferring it to development teams offshore
• Sanitize/shred all media before disposal
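Filtering production data before it leaves the owner's environment is the one item on this list that is mostly code, so here is an added example (not from the slides) of what that step looks like: names and e-mail addresses are replaced by keyed-hash pseudonyms so joins across tables still work, phone and card numbers are masked, and a gate check refuses the export if anything still looks like a card number or a real address. The CSV is constructed sample data and PSEUDONYM_KEY is an assumed per-environment secret that stays with the data owner.

```python
"""Anonymize a production export before handing it to an offshore team.

Added example, not from the original slides. PRODUCTION_CSV is constructed
sample data; PSEUDONYM_KEY is an assumed secret held by the data owner.
"""
import csv
import hashlib
import hmac
import io
import re
from typing import Dict, List

PRODUCTION_CSV = """customer_id,name,email,phone,card_number,plan
1001,Jane Doe,jane.doe@example.com,+31 6 1234 5678,4111111111111111,gold
1002,John Roe,john.roe@example.org,+91 98765 43210,5500000000000004,silver
"""

PSEUDONYM_KEY = b"assumed-per-environment-secret"  # never shipped with the data


def pseudonym(value: str, field: str) -> str:
    """Keyed hash: stable across tables (joins still work), irreversible without the key."""
    msg = f"{field}:{value}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:12]


def mask_digits(s: str, keep_last: int) -> str:
    """Replace every digit except the last `keep_last` with X, preserving layout."""
    positions = [i for i, c in enumerate(s) if c.isdigit()]
    hide = set(positions[:len(positions) - keep_last])
    return "".join("X" if i in hide else c for i, c in enumerate(s))


def load_rows(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def anonymize_rows(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    out = []
    for row in rows:
        r = dict(row)
        key = r["customer_id"]
        r["name"] = "Customer " + pseudonym(key, "name")
        r["email"] = f"user{pseudonym(key, 'email')}@example.invalid"
        r["phone"] = mask_digits(r["phone"], keep_last=2)
        r["card_number"] = mask_digits(r["card_number"], keep_last=4)
        out.append(r)  # customer_id and plan keep their analytic value
    return out


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


PAN_RE = re.compile(r"\b\d{13,16}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def residual_pii(rows: List[Dict[str, str]]) -> List[str]:
    """Gate check before transfer: values that still look like card numbers or real e-mail addresses."""
    found = []
    for row in rows:
        for value in row.values():
            if any(luhn_ok(m) for m in PAN_RE.findall(value)):
                found.append(value)
            elif EMAIL_RE.fullmatch(value) and not value.endswith("@example.invalid"):
                found.append(value)
    return found


def to_csv(rows: List[Dict[str, str]]) -> str:
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    raw = load_rows(PRODUCTION_CSV)
    print("before:", residual_pii(raw))
    safe = anonymize_rows(raw)
    print("after:", residual_pii(safe))
    print(to_csv(safe))
```

Treat `residual_pii` as the release gate: if it returns anything, the export does not leave. Pseudonyms are deterministic on purpose so a bug reproduced offshore can be mapped back to the real customer by the data owner, who alone holds the key.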
Intellectual property issues
Breach of trust and confidentiality
• Sign Non-Disclosure Agreements with the offshoring partner
• Define levels of access based on the confidentiality level of the data
• Enforce a clean desk policy
Software Quality
Security bugs
• Train developers and QAs to write secure code
• Write guidelines for secure coding
• Integrate security tools into development builds for early feedback
Security bugs: http://news.techworld.com/security/3331283/barclays-97-percent-of-data-breaches-still-due-to-sql-injection/
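The article linked above attributes most breaches to SQL injection, so the added example below (written for this page, not from the slides or the article) shows the bug and the fix side by side on an in-memory SQLite table, plus a crude pattern check of the kind that can run in a development build to flag string-built SQL early. The user table and the scanned snippet are constructed.

```python
"""SQL injection: the bug, the fix, and a build-time check.

Added example, not from the original slides or the linked article. The
user table and SAMPLE_SOURCE are constructed for illustration.
"""
import re
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-of-alice-pw", "admin"),
        ("bob", "hash-of-bob-pw", "dev"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password_hash: str) -> Optional[Tuple[str, str]]:
    """String-built SQL: the input becomes part of the query grammar."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str,
               password_hash: str) -> Optional[Tuple[str, str]]:
    """Parameterized query: the driver sends values separately from the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()


# A bypass payload: closes the string literal and comments out the password check.
INJECTION = "alice' --"

# Crude build-time check for SQL assembled from strings (f-strings, "+", "%").
STRING_BUILT_SQL = re.compile(
    r"""\bf["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE)\b"""
    r"""|["'][^"']*\b(?:SELECT|INSERT|UPDATE|DELETE)\b[^"]*["']\s*[+%]""",
    re.IGNORECASE)

SAMPLE_SOURCE = """\
cur.execute(f"SELECT * FROM users WHERE name = '{name}'")
cur.execute("SELECT * FROM users WHERE name = '" + name + "'")
cur.execute("SELECT * FROM users WHERE name = ?", (name,))
"""


def find_string_built_sql(source: str) -> List[int]:
    """1-based line numbers that look like SQL assembled from strings."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if STRING_BUILT_SQL.search(line)]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, INJECTION, "wrong"))   # ('alice', 'admin')
    print(login_safe(db, INJECTION, "wrong"))         # None
    print(find_string_built_sql(SAMPLE_SOURCE))       # [1, 2]
```

The scanner catches f-strings and `+`/`%` concatenation on a single line but misses SQL assembled via `.format()` or across several statements; it is early feedback in the build, not a substitute for parameterized queries everywhere.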
Software Quality
Legacy software
• Rewrite/migrate/refresh the technology
• Keep your systems up to date with patches
Sony PSN hack
Insider threats
Malicious insiders
• Conduct rigorous background checks on offshore employees
• Trust employees only with enough access to perform the tasks they are supposed to do
• Strict, transparent monitoring of new employee activity, and limited access during the probation period [blacklisting later in case of an incident]
Insider threats
Social engineering baits
• Educate employees on information security policies and security risks
• Provide email access without requiring VPNs
• Educate employees on configuring their personal wifi networks securely
• Educate employees on social-engineering-aided attacks such as email phishing, phone phishing, baiting, tailgating, clickjacking and similar attacks
• Converse with employees offshore to gauge and improve security awareness
1000% secure?
Evolution of technology
=
Evolution of threats
=
Risks increase
How good are we at mitigating the risks?
Is it worth the trade-off?
Prowareness Security Labs
{find}
• Penetration testing of applications and networks
{fix}
• Security consulting
{comply}
• Secure development practices
{prevent}
• Security training and development
Thanks!
Presentation brochures are close by!

Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
gmaran23
 
What Can I Learn From You?
What Can I Learn From You?What Can I Learn From You?
What Can I Learn From You?
gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
gmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
gmaran23
 
Devouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and PreventionDevouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and Prevention
gmaran23
 

More from gmaran23 (16)

First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017First Software Security Netherlands Meet Up - Delft - 18 May 2017
First Software Security Netherlands Meet Up - Delft - 18 May 2017
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
 
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
 
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
 
Performance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh SharmaPerformance Appraisals in Agile Environment Nagesh Sharma
Performance Appraisals in Agile Environment Nagesh Sharma
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
 
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
 
What Can I Learn From You?
What Can I Learn From You?What Can I Learn From You?
What Can I Learn From You?
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
 
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalor...
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
 
Devouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site ScriptingDevouring Security Insufficient data validation risks Cross Site Scripting
Devouring Security Insufficient data validation risks Cross Site Scripting
 
Devouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and DefencesDevouring Security XML Attack surface and Defences
Devouring Security XML Attack surface and Defences
 
Devouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and PreventionDevouring Security Sqli Exploitation and Prevention
Devouring Security Sqli Exploitation and Prevention
 

Recently uploaded

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
Product School
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
Product School
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
Elena Simperl
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
Paul Groth
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance
 

Recently uploaded (20)

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Knowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and backKnowledge engineering: from people to machines and back
Knowledge engineering: from people to machines and back
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMsTo Graph or Not to Graph Knowledge Graph Architectures and LLMs
To Graph or Not to Graph Knowledge Graph Architectures and LLMs
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 

Six steps for securing offshore development

  • 1. 6 Steps for Securing Offshore Development
    Agile Outsourcing Conference 2014 @ Delft, Netherlands
  • 2. Who’s presenting?
    Marudhamaran Gunasekaran
    • Security Expert @ Prowareness, Bangalore
    • Information Security
    • Secure Programming Practices
    • Compliance (ISO 27001)
    • Ec-Council Certified Security Analyst (Ethical hacker), Professional Scrum Master
    • Open source enthusiast - Writes a lot of code, hacks applications
    • OWASP Zed Attack Proxy contributor
  • 3. Security?
    Security: Feeling, Reality, Wisdom
    No panacea / silver bullet solution
    Trade-offs
    Ignorance is no excuse
  • 4. Security – Lion and Rabbit Analogy
  • 5. Security – Rabbit’s Good trade-off
  • 6. Security – Rabbit’s Good trade-off – Make family
  • 7. Security – Bad trade-off: RIP rabbit
  • 8. Threat / Risk
    Threat = Potential violation of security
    Risk = Perceived threat X value of asset X loss incurred
  • 9. Security
    Set of activities undertaken to protect systems from known/unknown threats and attacks
    State of being protected from known/unknown threats and attacks
  • 12. 6 Risk categories - Outline
    Loss of Control
    • Unlimited access
    • Physical security & Data loss
    Network complexity
    • Exposing intranet to internet
    • Intrusions
    Policies and Procedures
    • Uncomprehensive security policies
    • Procedures & no audits
  • 13. 6 Risk categories - Outline
    Intellectual Property Issues
    • Data breaches
    • Breach of confidentiality
    Software Quality
    • Security bugs
    • Legacy software
    Insider Threats
    • Malicious Insiders
    • Social Engineering Baits
  • 14. Loss of control
    Unlimited privilege to access internal systems
    • Apply the principle of least privilege for development teams offshore and for everybody else as well
    • Just in time and time bound access for critical production/deployment systems intercepted with manual approval [more workflow?]
    Unrestricted data access
    • Identify roles, define accesses for roles
    • Implement Access control lists for file systems, directory access protocols and other assets
  • 15. Loss of control
    Physical security breaches
    • Audit the offshore premises for poor security controls
    • Access cards and preferably biometric access - regularly audited by IT
    • Securing the trash – shredders to combat dumpster diving
    Data loss
    • Ensure data is backed up every night – at secure locations
    • Apply snapshot technologies for virtual machine operating systems and network
    • RAID or deduplication backup
  • 16. Overreacting to Risk
    “I understand the natural human disgust reaction, but do these people actually think that their normal drinking water is any more pure? That a single human is that much worse than all the normal birds and other animals? A few ounces distributed amongst 38 million gallons is negligible.” - Bruce Schneier
    https://www.schneier.com/blog/archives/2014/04/overreacting_to_1.html
  • 17. Network complexity
    Exposing intranet to the internet
    • Implement a Virtual Private Network
    • State of the art / status quo encryption and hashing for VPN passphrase and tunnels
    • Plan and implement a DMZ (demilitarized zone) for offshore connections
    • SSL/TLS everywhere to prevent MiTM (Man in the Middle) attacks and sniffing
  • 18. Network complexity
    Network intrusions
    • Assume a breach; implement network controls with intrusion isolation and containment
    • Strict intrusion prevention rules and firewall traffic monitoring [IDS/IPS]
    • Implement strict password policies with good complexity and expiry
  • 20. Security policies and procedures
    Uncomprehensive security policies and no audits
    • Review the security policies and conduct an audit; hire a consultant if required
    • Outline and require custom security policies at offshore. Base them on ISO 27001, HIPAA, PCI-DSS or other standards pertaining to the field of operation.
    • In case of doubt, ask the offshoring partner for security recommendations
    • Verify if the offshoring partner has a dedicated team or a Center Of Excellence for Information Security with certified professionals [CEH, OSCP, CISSP, and similar certifications]
  • 21. Security policies and procedures
    No malware protection
    • Ensure presence of a client-server based malware protection system with updated rule sets
    • Ensure Intrusion Prevention Systems/Intrusion Detection Systems are updated with the latest rule sets
    • Ensure the systems at offshore are updated regularly with security patches for both software and operating systems
  • 22. Intellectual property issues
    Data breaches
    • Identify data that needs to be protected and claim responsibility for that data
    • Ensure removable drives/media are disabled at offshore
    • Filter/Anonymize production data before transferring it to development teams offshore
    • Sanitize/Shred all media before disposal
  • 23. Intellectual property issues
    Breach of trust and confidentiality
    • Sign Non Disclosure Agreements with the offshoring partner
    • Define levels of access based on the confidentiality level of data
    • Ensure a clean desk policy
  • 24. Software Quality
    Security bugs
    • Train the developers/QAs to write secure code
    • Write guidelines for writing secure code
    • Integrate security tools into development builds for early feedback
  • 27. Software Quality
    Legacy Software
    • Rewrite/Migrate/Refresh the technology
    • Keep your systems up to date with patches
  • 29. Insider threats
    Malicious Insiders
    • Conduct rigorous background checks on offshore employees
    • Trust employees only with enough access to perform the tasks they are supposed to do
    • Strict, transparent monitoring of new employee activities, and limited access during the probation period [blacklisting later in case of an incident]
  • 30. Insider threats
    Social Engineering Baits
    • Educate employees on information security policies and security risks
    • Provide email access without requiring VPNs
    • Educate employees on configuring personal wifi networks
    • Educate employees on social engineering aided attacks like email phishing, phone phishing, baiting, tailgating, clickjacking and similar attacks
    • Converse with employees offshore to gauge and improve security awareness
  • 31. 1000% secure?
    Evolution of technology = Evaluation of threats = Risks increase
    How good are we at mitigating the risks?
    Is it worth the trade-off?
  • 32. Prowareness Security Labs
    • {find} Penetration testing applications and networks
    • {fix} Security Consulting
    • {comply} Secure development practices
    • {prevent} Security training and development
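Slide 14's two "loss of control" countermeasures, role-based access lists for ordinary assets and just-in-time, time-bound, manually approved access for critical production/deployment systems, written out as an added example; this is not code from the presentation or from Prowareness. The role, asset and user names, the 8-hour cap on a grant and the epoch-second timestamps are constructed assumptions; in a real deployment the role membership would come from the directory service and the approval from a ticketing workflow rather than an in-memory list.

```python
"""Least-privilege access decisions for an offshore team: static role-based
ACLs for ordinary assets, plus just-in-time, time-bound, second-person
approved grants for critical production/deployment systems.

Added example, not from the presentation. Roles, assets, users and the
grant cap are constructed for illustration; timestamps are epoch seconds.
"""
from dataclasses import dataclass, field

# "Identify roles, define accesses for roles": role -> allowed (asset, action).
ROLE_PERMISSIONS = {
    "offshore-dev": {("dev-repo", "read"), ("dev-repo", "write"), ("dev-db", "read")},
    "release-manager": {("dev-repo", "read"), ("staging-deploy", "execute")},
}

# No standing access here, whatever the role: only an approved, unexpired grant works.
CRITICAL_ASSETS = {"prod-deploy", "prod-db"}
MAX_GRANT_SECONDS = 8 * 3600   # assumption: a grant never outlives one shift


@dataclass
class JitGrant:
    user: str
    asset: str
    action: str
    approved_by: str
    expires_at: int            # epoch seconds


@dataclass
class AccessPolicy:
    roles: dict = field(default_factory=dict)    # user -> set of role names
    grants: list = field(default_factory=list)   # active JitGrant objects

    def request_jit(self, user, asset, action, approver, ttl_seconds, now):
        """The manual-approval step: refuse self-approval and over-long grants."""
        if asset not in CRITICAL_ASSETS:
            raise ValueError(f"{asset} is not critical; grant it through a role instead")
        if approver == user:
            raise PermissionError("JIT grant needs a second-person approver")
        if not 0 < ttl_seconds <= MAX_GRANT_SECONDS:
            raise ValueError("grant TTL must be within (0, 8h]")
        grant = JitGrant(user, asset, action, approver, now + ttl_seconds)
        self.grants.append(grant)
        return grant

    def is_allowed(self, user, asset, action, now):
        """Critical assets: only a live grant counts. Everything else: role ACL."""
        if asset in CRITICAL_ASSETS:
            return any(g.user == user and g.asset == asset and g.action == action
                       and now < g.expires_at for g in self.grants)
        return any((asset, action) in ROLE_PERMISSIONS.get(role, set())
                   for role in self.roles.get(user, set()))

    def expire(self, now):
        """Drop expired grants; returns the number removed so it can be logged."""
        live = [g for g in self.grants if now < g.expires_at]
        removed = len(self.grants) - len(live)
        self.grants = live
        return removed


def demo(now=1_400_000_000):
    """Walk through the slide's scenarios; returns every decision taken."""
    policy = AccessPolicy(roles={"alice": {"offshore-dev"}, "bob": {"release-manager"}})
    decisions = {
        "dev_writes_dev_repo": policy.is_allowed("alice", "dev-repo", "write", now),
        "dev_touches_prod": policy.is_allowed("alice", "prod-deploy", "execute", now),
        "rm_prod_without_grant": policy.is_allowed("bob", "prod-deploy", "execute", now),
    }
    # A two-hour, second-person approved window for one deployment.
    policy.request_jit("bob", "prod-deploy", "execute", approver="carol",
                       ttl_seconds=2 * 3600, now=now)
    decisions["rm_prod_during_grant"] = policy.is_allowed("bob", "prod-deploy", "execute", now + 3600)
    decisions["rm_prod_after_grant"] = policy.is_allowed("bob", "prod-deploy", "execute", now + 3 * 3600)
    decisions["grants_expired"] = policy.expire(now + 3 * 3600)
    return decisions


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of keeping `CRITICAL_ASSETS` out of `ROLE_PERMISSIONS` entirely is that no role, however senior, accumulates standing production access; the `expire` return value exists so the sweep can be logged, which is the audit trail the slide's "[more workflow?]" question is really asking for.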
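Slide 22's "Filter/Anonymize production data before transferring to development teams offshore" as an added example, not code from the presentation or from Prowareness. The column names, the two sample rows and the onshore key are constructed; the techniques shown are keyed pseudonymization (HMAC) for identifiers so joins keep working without being reversible offshore, format-preserving replacement for e-mail addresses, generalization of dates to the year, masking of card numbers, dropping of free-text notes, and a leak check that runs before the export leaves.

```python
"""Filter/anonymize a production data export before it is handed to an
offshore development team.

Added example, not from the presentation. Column names, sample rows and
the secret key are constructed for illustration.
"""
import csv
import hashlib
import hmac
import io
import re

# Stays onshore. Makes pseudonyms consistent across exports (foreign keys
# still line up) while offshore teams cannot reverse them.
PSEUDONYM_KEY = b"replace-with-an-onshore-secret"   # constructed placeholder

# Constructed sample export; no real people.
PRODUCTION_CSV = """customer_id,email,date_of_birth,card_number,notes,plan
1001,jan.devries@example.com,1980-03-14,4111111111111111,"Called about invoice, angry",gold
1002,anna.smit@example.org,1975-11-02,5500000000000004,"VIP - CEO of partner",silver
"""


def pseudonymize(value: str) -> str:
    """Keyed hash: deterministic, not reversible without PSEUDONYM_KEY."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_card(number: str) -> str:
    """Keep only the last four digits, which is what the UI shows anyway."""
    digits = re.sub(r"\D", "", number)
    return "*" * (len(digits) - 4) + digits[-4:] if len(digits) >= 4 else "****"


def anonymize_row(row: dict) -> dict:
    token = pseudonymize(row["customer_id"])
    return {
        "customer_id": token,
        "email": f"user-{token}@example.invalid",            # keeps the format, drops identity
        "date_of_birth": row["date_of_birth"][:4] + "-01-01",  # generalize to the year
        "card_number": mask_card(row["card_number"]),
        "notes": "",                                           # free text cannot be safely scrubbed: drop it
        "plan": row["plan"],                                   # non-identifying business attribute, kept
    }


def anonymize_csv(text: str) -> str:
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(anonymize_row(row))
    return out.getvalue()


def leaked_identifiers(original: str, anonymized: str) -> list:
    """Pre-transfer check: any surviving customer id, e-mail local part or
    full card number means the filter failed and the export must not ship."""
    leaks = []
    orig_rows = list(csv.DictReader(io.StringIO(original)))
    anon_rows = list(csv.DictReader(io.StringIO(anonymized)))
    for o, a in zip(orig_rows, anon_rows):
        if a["customer_id"] == o["customer_id"]:
            leaks.append(("customer_id", o["customer_id"]))
        if o["email"].split("@")[0] in anonymized:
            leaks.append(("email", o["email"]))
        if re.sub(r"\D", "", o["card_number"]) in anonymized:
            leaks.append(("card_number", o["card_number"]))
    return leaks


if __name__ == "__main__":
    safe = anonymize_csv(PRODUCTION_CSV)
    print(safe)
    print("leaks:", leaked_identifiers(PRODUCTION_CSV, safe))
```

Dropping the notes column outright is the deliberate choice here: free text is where names, phone numbers and health details hide, and regex scrubbing of it is exactly the kind of filter that looks finished and is not. If developers need realistic notes, generate synthetic ones rather than sanitizing real ones.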