SlideShare a Scribd company logo
1 of 44
Download to read offline
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
The Security Phoenix raises from DEV-OPS ashes
APPSEC California 2020
@FrankSEC42
From DEV-OPS Security raises in DEV-SEC-OPS-BIZ-RISK-GOV
https://uk.linkedin.com/in/fracipo
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
Agenda
About the author
Conclusions
Q&A
Security Phoenix – Scanners Triage and Visualizers
Security Phoenix – People & Trust + Verify
Evolution of DEVOPS in Security Phoenix
Context
@FrankSEC42
Security Phoenix – Maturity Matrix & Education
PUBLIC
Security Phoenix – Visibility Problem
Security Phoenix – The cake and traceability problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
About the Francesco
3
Francesco Cipollone
Founder – NSC42 LTD
I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and
Chair of Cloud security Alliance UK, Researcher and associate to ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect
their organizations against cybersecurity attacks
Website Articles NSC42 LinkedIn
Security is everybody’s job
We need to make security cool and frictionless
Copyright © NSC42 Ltd 2019
Email@FrankSec42 Fracipo Linkein
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
What the hek is DEV-SEC-OPS?
4
What kind of animal is the DEV-SEC-OPS?
Integrate security into the OPS team (and add a spark of BIZ)
PUBLIC
DEV-OPS+
SEC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Anatomy of a phoenix
5
What Are the core pillars of Security Pheonix
Secure
Operate
Secure
Design Build & Test
People &
Education
Governance
& Risk mng
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 6
PUBLIC
Why do we worry about security?
The Problem Landscape
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Major Breaches
7
PUBLIC
2009/
2010
2012
Microsoft
Heartland
US Military
Aol
TJMax
2013
2016
2017
2014
2015
2018
Sony PSN
NHS
Betfair
Steam
Deep Root
IRS
Anthem
Dropbox
Lastfm
Blizzard
Marriot
Twitter
MyHeritage
Uber
Quora..
Why fixing Security Vulnerabilities is everybody’s job?
Equifax
Myspace
Twitter
Yahoo
Linkedin
Friend Finder
Dailymotion
Mossack Fonseca
JP Morgan
Home Depo
Ebay
Yahoo(orignal)
US Retailers
Adobe
UbiSoft
Court Ventures
2012
2019
…
…because we all get affected by it
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Major Breaches
8
PUBLIC
Image Credit Information is Beautiful
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 9
PUBLIC
From Dev to prod and cakes
The Visibility Problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Understanding the room you walk in – Asset Register
10
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
To understand shine a light
11
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Better to have full visibility
12
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 13
PUBLIC
The software security cake
The Problem Traceability Problem
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
So how we do it? Easy as baking a cake
14
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Road to Production: the cake analogy
15
The Objective of the various areas are
• Ingredients
• Recipe
• Stock List (asset Register)
Design Operate
The Objective of the various areas are
• Sell The cake
• Restock the cake on the shelf
Build/Test
The Objective of the various areas are
• Combine ingredients (libraries+Code)
• Bake the cake
• Test the cake
Security Design
Act as Health Inspector
• Verify Ingredients are not mouldy
• Verify Recipe does not contain poison
• Stock List (asset Register) – verify the component
used in the cake are genuine
Act as Health Inspector
• That the cake is made up of genuine ingredients
(from asset register)
• Test the cake for mould
Security Build & Test
Act as Health Inspector
• Verify Cake on the shop are made of genuine
ingredients (from asset register)
• Verify expiry data of Cake
• Test the cake for mould
Secure Operate
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Fixing Vulnerability the ABC…D
16
D – Respond/recover (Fix Vulnerability)
7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly)
C – Visualize Vulnerabilities (Display)
Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending,
B – Detect (Scan Code)
Select Team Leads and identify
security champions
Get security Scanners (SAST/DAST)
Onboard and teach how to triage
Create a Vulnerability Data lake
(results of the vulnerabilities)
A - IDentify (Software Asset Register)
Software you build (repositories) Software You buy
Trace Completeness across all the
application you have
Asset Register for
Vulnerability Data Lake
KPI Reporting &
Dashboard
Prioritizing & Vulnerability
Reduction
Outcome
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Vulnerability management Lifecycle
Discover
01 02
03
04
05
06
Vuln Mngmn
Lifecycle
Software Asset Register
Scan Code/Infra/network
Triage/
Assess
Triage & identify False
Positives
Tweak Scan Profiles
Prioritize
Visualize
Prioritize vuln
(Start Easy)
Network Location
Exploitability
…
Graph –
Up/down trending of prj
Build vs FIX
Time to Fix
Remediate/
Risk
Verify
Fix Code and redeploy
in test
Test implemented
Fix
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 18
PUBLIC
The Software Asset Register
The Appsec Lifecycle & Shift Left
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Asset Register Part A
19
DEV
Security
Production
Security
Scanning Vuln
SAST
Library
IAST
MAST Visualizing Vuln
Prod
DEV
BuildvsFix
VulnTrending
Risk
Remediation P
CodeFix
LibUpgrade
Patching
DAST
Resolution
NEWCode
NEWLib
Applied
Patches
Triaging Vuln
FalsePositives
Impact
Exploitability
NetLocation
AggregationLayer
API/AutomationLayer
Refine/Enrich
Risk Assess/Prioritize
API/AutomationLayer
Assets
Code YOU
Own
Approved
3rd
party Black
Box
Open Source
Approved
Approved
Libraries/Repo
Pipeline of ‘new’
Open Source
Approved
New Code
being
Considered
New Repo/
Libraries
Eval of 3rd
Party
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Git to People: Who does what where Visualizer
20
DEV
Security
Production
Security
git ls-tree -r -z --name-only HEAD -- update-
tools-mac.sh | xargs -0 -n1 git blame --line-
porcelain HEAD |grep "^author "|sort|uniq -
c|sort -nr
For Every Repo
List of committers
E-Mail/HR DB
Build vs FIX
&
Tickets
App scan?
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 21
PUBLIC
How to Embed DEV-SEC-OPS
The People & Technology part
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
What do you get out of Security Phoenix?
22
1. Visualize and Fix Vulnerability at scale and pace
(DEV & Ops)
2. Trust the Product team but keep them accountable:
Trust & Verify & License to Operate
3. Maturity & Recap
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects – Part B
23
DEV
Security
Production
Security
Scanning Vuln
SAST
Library
IAST
MAST Visualizing Vuln
Prod
DEV
BuildvsFix
VulnTrending
Risk
Remediation P
CodeFix
LibUpgrade
Patching
DAST
Resolution
NEWCode
NEWLib
Applied
Patches
Triaging Vuln
FalsePositives
Impact
Exploitability
NetLocation
AggregationLayer
API/AutomationLayer
Refine/Enrich
Risk Assess/Prioritize
API/AutomationLayer
Assets
Code YOU
Own
Approved
3rd
party Black
Box
Open Source
Approved
Approved
Libraries/Repo
Pipeline of ‘new’
Open Source
Approved
New Code
being
Considered
New Repo/
Libraries
Eval of 3rd
Party
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects -> Under the hood
24
PUBLIC
Repositories
Build/Staging/UAT/
Test Environments
Scanner for Code
Scanner for Build
Dashboards For
SAST
DEV Dashboard
Scanner for Test
Dashboard Build/ Test
Production
Prod Scnner Dashboards
PROD Dashboards
Development-Testing Production
Scanner for prod
Triage the
vulnerabilities
Scan At various
Stages
Scanners to
Tickets or
aggregators
DEV
Security
Production
Security
SET Targets For
Prod & DEV
Vuln
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects – Part C
25
DEV
Security
Production
Security
Scanning Vuln
SAST
Library
IAST
MAST Visualizing Vuln
Prod
DEV
BuildvsFix
VulnTrending
Risk
Remediation P
CodeFix
LibUpgrade
Patching
DAST
Resolution
NEWCode
NEWLib
Applied
Patches
Triaging Vuln
FalsePositives
Impact
Exploitability
NetLocation
AggregationLayer
API/AutomationLayer
Refine/Enrich
Risk Assess/Prioritize
API/AutomationLayer
Assets
Code YOU
Own
Approved
3rd
party Black
Box
Open Source
Approved
Approved
Libraries/Repo
Pipeline of ‘new’
Open Source
Approved
New Code
being
Considered
New Repo/
Libraries
Eval of 3rd
Party
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects
26
DEV
Security
Production
Security
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects
27
PUBLIC
Example of a dashboard for Vulnerability
Visualization
DEV
Security
Production
Security
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Dashboard for Code Defects - Part D fix
28
DEV
Security
Production
Security
Scanning Vuln
SAST
Library
IAST
MAST Visualizing Vuln
Prod
DEV
BuildvsFix
VulnTrending
Risk
Remediation P
CodeFix
LibUpgrade
Patching
DAST
Resolution
NEWCode
NEWLib
Applied
Patches
Triaging Vuln
FalsePositives
Impact
Exploitability
NetLocation
AggregationLayer
API/AutomationLayer
Refine/Enrich
Risk Assess/Prioritize
API/AutomationLayer
Assets
Code YOU
Own
Approved
3rd
party Black
Box
Open Source
Approved
Approved
Libraries/Repo
Pipeline of ‘new’
Open Source
Approved
New Code
being
Considered
New Repo/
Libraries
Eval of 3rd
Party
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Triaging Vulnerabilities
29
DEV
Security
Production
Security
Security
Scanners
Potential
Defects
Triage
Real
Defects Vuln Scoring
Is it a false
positive?
PODs
DEV
Sec Champion
Risk Person
Lead Appsec
Sec Arch
SupportFunctions
PODs
DEV
Sec Champion
Risk Person
Lead Appsec
Sec Arch
Support
Functions
OS
Framework
Library
Code
3rd
Party
DefectTypes
Prioritized
Vulnerabilities
Can they be fixed?
RiskWork Ticket
Yes No
Threat
Modelling
Prioritized Vulnerability (with
Context)
Compensating
Control
Increased Impact/
Probability
NoYesMitigation
BIA - Impact
Exploitability -
Likelyhood
PODs
DEV
Sec Champion
Risk person
Lead Appsec
Sec Arch
SupportFunctions
How exploitable?
Maturity Level
Maturity level
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
What do you get out of Security Phoenix?
30
1. Visualize and Fix Vulnerability at scale and pace
(DEV & Ops)
2. Trust the Product team but keep them accountable:
Trust & Verify & License to Operate
3. Maturity & Recap
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Trust & Verify Core – Fast & Confident – Core Concepts
31
Going fast but with confidence (SEC)
1. Trust & Verify
2. License to operate/code
>> Set Thresholds: Bild vs Fix, Vulnerability trending
People &
Education
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Trust & Verify – Under the hood
32
Learning &
Education
Build vs FIX
Target
Application
Security Scanners
Production Dashboard
Development Dashboard
Job Queue
Defects
Bugs
New
Features
Am I compliant with
Code Defects
Target ?
Triage &
Vulnerability
Per applicationDay to
day fix or build
Code
3rd parties
Components (FOSS +
Libraries)
Engeneers &
Developers
DEV-SEC-OPS Application Group (unit that
works on one or more application)
DEV
Test
Prod
nt to prod
he License
erate
Engeneers &
Developers
Application/
Product
Owner
Security Champion
Security
Architect
Security
Vulnerabilities
Bugs&
Errors
NEWFeatures
Thresholds
Vulnerability
Targets (Quarter)
Phoenix
Aggregator DB
License to
operate
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Trust & Verify Key concepts - Summary
33
Developer can operate fast and deploy if they have a license
1. Trust your developers and apply a ‘license to
operate’
2. Apply governance (light and heavy weight)
3. Visualize and keep everyone accountable
4. Make security resource available to the developers
and document the fixes PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Security Education in DEV-SEC-OPS
34
1. Awareness Training For your users
2. Craft Training based on the scanner (faults) data
3. Education on the job – What good looks like
4. Make the training entertaining (CTF and Rewards)
Security
Education
Education:
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 35
PUBLIC
Bringing all together
Maturity Model & Recap
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
What do you get out of Security Phoenix?
36
1. Visualize and Fix Vulnerability at scale and pace
(DEV & Ops)
2. Trust the Product team but keep them accountable:
Trust & Verify & License to Operate
3. Maturity & Recap
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
To Achieve High Maturity what do you do
37
PUBLIC
DEV
Security
Production
Security
Mat
urity Task
How
much
1 No Peer Review
1 No Code Scanning
1 No library update
1 No risk management
1 No visibility on vulnerabilities
1 No knowledge of pods
1 No team to pod mapping
1 No Documentation of Fixes
2 Peer Revew
2 Team to Pod to Stash recorded
2 Onboarded application on code scanners
2 Libray scanning
2 triage of vulnerabilities (base) - Consider only high medium and low
2 Manual Evaluation of team and Allocation of Licence to Operate
2 No SLA
2 No Documentaiton
2 Adoption Dashboard
3 Peer Review with Toolset
3 Updated Teams and asset register
3 Basic Triage of vulnerabilities
3 Code Scan with Pipeline Break & Basic SLA
3 Adoption Dashboard (advanced) Per A.C. and Per Region
3
Risk Assessment from code scanning with record in Risk management
Register
3
Automated Licence to operate: Code Scanning, Libraries, Internal
Training
4 Fix time of vulnerabilities recorded
4 T-Shirt Sizing of fixes and Adaptation of SLA based on fixes
4 Visualization of pod to fix
4 segmentation dev and prod
4 Fix ticket in Jira & Build vs Fix Concept
4 Fuzzing (basic with generic per app)
5
Automated Licence to operate: Code Scanning, Libraries, Internal
Training, Build Vs Fix
5 Automated Fuzzing & Library of tests
Level 1 Level 2 Level 3 Level 4 Level 5
Intial
Manage
d Defined
Quantitatively
Managed Optimized
Security Design
AS-IS->TO-
BE
Security Design
Governance AS-IS TO-BE
Security Build &
Test AS-IS TO-BE
Security Operate
AS-IS->
TO-BE
Appsec Security
Education AS-IS TO-BE
Application Security
Risk Management AS-IS TO-BE
Reporting
Frequency
KCI
Mat
rutiy
Build/Test
Prereq -> 0 Who is working on which repository Monthly
1 Team On-boarded on scanners (per pod) Monthly
1
Code Scanning Frequency per project (min 1 per
week)
Monthly
1 Dashboard for Scanners created Monthly
2 Number of vulnerabilities ticket recorded Weekly
2
Dashboard for vulnerabilities - Onboarded
Projects
Weekly
2 Vulnerability Fixed (quarter)
Monthly/
Quarterly
Checks
3
Project imported in Kennar and Enriched
Vulnerabilities (kennar)
Monthly
3 Projects breaching the Build vs Fix target
Monthly/
Quarter
Checks
4 Fixes per thematic in SLA Monthly
4 SLA for Fixes (breached/achieved) Monthly
4
Team Achieving Licence to operate and Out of
the licence
Monthly
5 Build vs fix Monthly
5 Licence to operate Monthly
Overall Maturity
Maturity Steps KCI
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Fixing Vulnerability the ABC…D
38
D – Respond/recover (Fix Vulnerability)
7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly)
C – Visualize Vulnerabilities (Display)
Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending,
B – Detect (Scan Code)
Select Team Leads and identify
security champions
Get security Scanners (SAST/DAST)
Onboard and teach how to triage
Create a Vulnerability Data lake
(results of the vulnerabilities)
A - IDentify (Software Asset Register)
Software you build (repositories) Software You buy
Trace Completeness across all the
application you have
Asset Register for
Vulnerability Data Lake
KPI Reporting &
Dashboard
Prioritizing & Vulnerability
Reduction
Outcome
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Application
Security Scanners
Production Dashboard
Development Dashboard
Job Queue
Defects
Bugs
New
Features
Am I compliant with
Code Defects
Target ?
Am i still compliant with Overall
Build vs FIX Targets ?
Triage &
Vulnerability
Per applicationDay to
day fix or build
Code
3rd parties
Components (FOSS +
Libraries)
Engeneers &
Developers
DEV-SEC-OPS Application Group (unit that
works on one or more application)
DEV
Test
Prod
Deployment to prod
Relies on the License
to Operate
Engeneers &
Developers
Application/
Product
Owner
Security Champion
Security
Architect
Security
Vulnerabilities
Bugs&
Errors
NEWFeatures
Thresholds
Trust & Verify Framework
39
Learning &
Education
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Conclusion
40
- Trust And Verify
- Vulnerability Management every day life
- Automation vs people aspect – is a transformation
- Data Driven Education
- Governance at scale
Does develops have a single solution?
Security is everybody’s job
PUBLIC
Every 2 weeks 1.30 PM UK Time
Cyber #MentoringMonday
Podcast
@FrankSEC42
PUBLIC
Cyber Security Awards 2020
Cloud Security Influencer of the Year
Submission – 10 of May 2020 (TBD)
Ceremony 4 July 2020
#CYSECAWARDS20
https://cybersecurityawards.com/
https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com
Info: Francesco.Cipollone@cloudsecurityalliance.org.ukPUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Q&A
43
PUBLIC
Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo
Contacts
44
Get in touch:
https://uk.linkedin.com/in/fracipo
Francesco.cipollone (at) nsc42.co.uk
www.nsc42.co.uk
Thank you
WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY
@FrankSEC42
PUBLIC

More Related Content

What's hot

Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Carlo Bonamico
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Carlo Bonamico
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLudovic Petit
 
T3DD12 Security Workshop
T3DD12 Security WorkshopT3DD12 Security Workshop
T3DD12 Security WorkshopHelmut Hummel
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...NowSecure
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020JayTymchuk
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to  Simplify application security a...White Paper: Leveraging The OWASP Top Ten to  Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...Security Innovation
 
ipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyreggievarn
 
ipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensGert Molkens
 

What's hot (10)

Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015Continuous Security: Zap security bugs now Codemotion-2015
Continuous Security: Zap security bugs now Codemotion-2015
 
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
Is my Web Application secure? OWASP Top Ten Security Risks and Beyond...
 
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security ExcellenceLooking Forward… and Beyond - Distinctiveness Through Security Excellence
Looking Forward… and Beyond - Distinctiveness Through Security Excellence
 
T3DD12 Security Workshop
T3DD12 Security WorkshopT3DD12 Security Workshop
T3DD12 Security Workshop
 
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
 
Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020Charting a Career in Information Security - August 2020
Charting a Career in Information Security - August 2020
 
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to  Simplify application security a...White Paper: Leveraging The OWASP Top Ten to  Simplify application security a...
White Paper: Leveraging The OWASP Top Ten to Simplify application security a...
 
Culture of Security
Culture of SecurityCulture of Security
Culture of Security
 
ipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varneyipvm-certification-ip-networking-nigel-varney
ipvm-certification-ip-networking-nigel-varney
 
ipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkensipvm-certification-ip-cameras-gert-molkens
ipvm-certification-ip-cameras-gert-molkens
 

Similar to The security phoenix - from the ashes of DEV-OPS Appsec California 2020

Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenixNSC42 Ltd
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNSC42 Ltd
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNSC42 Ltd
 
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Cloud Security Alliance, UK chapter
 
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNSC42 Ltd
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeNowSecure
 
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...NSC42 Ltd
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest Haydn Johnson
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...lior mazor
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Cristian Garcia G.
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetuppbink
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxlior mazor
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Jason Jolley
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Amazon Web Services
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Black Duck by Synopsys
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploitFreddy Buenaño
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Nilesh Sapariya
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Erkang Zheng
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospectiveSecurity Innovation
 

Similar to The security phoenix - from the ashes of DEV-OPS Appsec California 2020 (20)

Nsc42 the security phoenix
Nsc42 the security phoenixNsc42 the security phoenix
Nsc42 the security phoenix
 
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 shareNsc42 - the security phoenix devsecops - risk-present_0_3 share
Nsc42 - the security phoenix devsecops - risk-present_0_3 share
 
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC ConferenceNsc42 - is the cloud secure - is easy if you do it smart ECC Conference
Nsc42 - is the cloud secure - is easy if you do it smart ECC Conference
 
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
Csa UK agm 2019 - Nsc42 - is the cloud secure - is easy if you do it smart Fr...
 
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smartNsc42-CSA AGM is the cloud secure - is easy if you do it smart
Nsc42-CSA AGM is the cloud secure - is easy if you do it smart
 
Mobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the CodeMobile Penetration Testing: Episode III - Attack of the Code
Mobile Penetration Testing: Episode III - Attack of the Code
 
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
Nsc42 - is the cloud secure - is easy if you do it smart Cybersecurity&Cloud ...
 
Blue team reboot - HackFest
Blue team reboot - HackFest Blue team reboot - HackFest
Blue team reboot - HackFest
 
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
ITCamp 2018 - Tobiasz Koprowski - SECDEV(OPS). How to Brace Your IT Security.
 
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
Reveal the Security Risks in the software Development Lifecycle Meetup 060320...
 
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
Porque las Amenazas avanzadas requieren de una Seguridad para Aplicaciones av...
 
Solnet dev secops meetup
Solnet dev secops meetupSolnet dev secops meetup
Solnet dev secops meetup
 
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptxSecure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
Secure Your DevOps Pipeline Best Practices Meetup 08022024.pptx
 
Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!Alfresco Virtual DevCon 2020 - Security First!
Alfresco Virtual DevCon 2020 - Security First!
 
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow...
 
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
Open Source Insight: Black Duck Announces OpsSight for DevOps Open Source Sec...
 
27.2.15 lab investigating a malware exploit
27.2.15 lab   investigating a malware exploit27.2.15 lab   investigating a malware exploit
27.2.15 lab investigating a malware exploit
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
Overcoming the old ways of working with DevSecOps - Culture, Data, Graph, and...
 
App sec owasp from developers prospective
App sec owasp from developers prospectiveApp sec owasp from developers prospective
App sec owasp from developers prospective
 

Recently uploaded

MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfSpandanaRallapalli
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management systemChristalin Nelson
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management SystemChristalin Nelson
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Celine George
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinojohnmickonozaleda
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxAshokKarra1
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 

Recently uploaded (20)

Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
ACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdfACC 2024 Chronicles. Cardiology. Exam.pdf
ACC 2024 Chronicles. Cardiology. Exam.pdf
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Transaction Management in Database Management System
Transaction Management in Database Management SystemTransaction Management in Database Management System
Transaction Management in Database Management System
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
Incoming and Outgoing Shipments in 3 STEPS Using Odoo 17
 
FILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipinoFILIPINO PSYCHology sikolohiyang pilipino
FILIPINO PSYCHology sikolohiyang pilipino
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Karra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptxKarra SKD Conference Presentation Revised.pptx
Karra SKD Conference Presentation Revised.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 

The security phoenix - from the ashes of DEV-OPS Appsec California 2020

  • 1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) The Security Phoenix raises from DEV-OPS ashes APPSEC California 2020 @FrankSEC42 From DEV-OPS Security raises in DEV-SEC-OPS-BIZ-RISK-GOV https://uk.linkedin.com/in/fracipo PUBLIC
  • 2. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) Agenda About the author Conclusions Q&A Security Phoenix – Scanners Triage and Visualizers Security Phoenix – People & Trust + Verify Evolution of DEVOPS in Security Phoenix Context @FrankSEC42 Security Phoenix – Maturity Matrix & Education PUBLIC Security Phoenix – Visibility Problem Security Phoenix – The cake and traceability problem
  • 3. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo About the Francesco 3 Francesco Cipollone Founder – NSC42 LTD I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud security Alliance UK, Researcher and associate to ISC2. I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks Website Articles NSC42 LinkedIn Security is everybody’s job We need to make security cool and frictionless Copyright © NSC42 Ltd 2019 Email@FrankSec42 Fracipo Linkein PUBLIC
  • 4. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What the hek is DEV-SEC-OPS? 4 What kind of animal is the DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ) PUBLIC DEV-OPS+ SEC
  • 5. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Anatomy of a phoenix 5 What Are the core pillars of Security Pheonix Secure Operate Secure Design Build & Test People & Education Governance & Risk mng PUBLIC
  • 6. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 6 PUBLIC Why do we worry about security? The Problem Landscape
  • 7. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 7 PUBLIC 2009/ 2010 2012 Microsoft Heartland US Military Aol TJMax 2013 2016 2017 2014 2015 2018 Sony PSN NHS Betfair Steam Deep Root IRS Anthem Dropbox Lastfm Blizzard Marriot Twitter MyHeritage Uber Quora.. Why fixing Security Vulnerabilities is everybody’s job? Equifax Myspace Twitter Yahoo Linkedin Friend Finder Dailymotion Mossack Fonseca JP Morgan Home Depo Ebay Yahoo(orignal) US Retailers Adobe UbiSoft Court Ventures 2012 2019 … …because we all get affected by it
  • 8. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Major Breaches 8 PUBLIC Image Credit Information is Beautiful
  • 9. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 9 PUBLIC From Dev to prod and cakes The Visibility Problem
  • 10. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Understanding the room you walk in – Asset Register 10
  • 11. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To understand shine a light 11
  • 12. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Better to have full visibility 12
  • 13. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 13 PUBLIC The software security cake The Problem Traceability Problem
  • 14. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo So how we do it? Easy as baking a cake 14
  • 15. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Road to Production: the cake analogy 15 The Objective of the various areas are • Ingredients • Recipe • Stock List (asset Register) Design Operate The Objective of the various areas are • Sell The cake • Restock the cake on the shelf Build/Test The Objective of the various areas are • Combine ingredients (libraries+Code) • Bake the cake • Test the cake Security Design Act as Health Inspector • Verify Ingredients are not mouldy • Verify Recipe does not contain poison • Stock List (asset Register) – verify the component used in the cake are genuine Act as Health Inspector • That the cake is made up of genuine ingredients (from asset register) • Test the cake for mould Security Build & Test Act as Health Inspector • Verify Cake on the shop are made of genuine ingredients (from asset register) • Verify expiry data of Cake • Test the cake for mould Secure Operate PUBLIC
  • 16. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 16 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
  • 17. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Vulnerability management Lifecycle Discover 01 02 03 04 05 06 Vuln Mngmn Lifecycle Software Asset Register Scan Code/Infra/network Triage/ Assess Triage & identify False Positives Tweak Scan Profiles Prioritize Visualize Prioritize vuln (Start Easy) Network Location Exploitability … Graph – Up/down trending of prj Build vs FIX Time to Fix Remediate/ Risk Verify Fix Code and redeploy in test Test implemented Fix
  • 18. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 18 PUBLIC The Software Asset Register The Appsec Lifecycle & Shift Left
  • 19. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Asset Register Part A 19 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 20. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Git to People: Who does what where Visualizer 20 DEV Security Production Security git ls-tree -r -z --name-only HEAD -- update- tools-mac.sh | xargs -0 -n1 git blame --line- porcelain HEAD |grep "^author "|sort|uniq - c|sort -nr For Every Repo List of committers E-Mail/HR DB Build vs FIX & Tickets App scan? PUBLIC
  • 21. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 21 PUBLIC How to Embed DEV-SEC-OPS The People & Technology part
  • 22. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 22 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 23. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part B 23 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 24. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects -> Under the hood 24 PUBLIC Repositories Build/Staging/UAT/ Test Environments Scanner for Code Scanner for Build Dashboards For SAST DEV Dashboard Scanner for Test Dashboard Build/ Test Production Prod Scnner Dashboards PROD Dashboards Development-Testing Production Scanner for prod Triage the vulnerabilities Scan At various Stages Scanners to Tickets or aggregators DEV Security Production Security SET Targets For Prod & DEV Vuln
  • 25. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects – Part C 25 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 26. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 26 DEV Security Production Security PUBLIC
  • 27. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects 27 PUBLIC Example of a dashboard for Vulnerability Visualization DEV Security Production Security
  • 28. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Dashboard for Code Defects - Part D fix 28 DEV Security Production Security Scanning Vuln SAST Library IAST MAST Visualizing Vuln Prod DEV BuildvsFix VulnTrending Risk Remediation P CodeFix LibUpgrade Patching DAST Resolution NEWCode NEWLib Applied Patches Triaging Vuln FalsePositives Impact Exploitability NetLocation AggregationLayer API/AutomationLayer Refine/Enrich Risk Assess/Prioritize API/AutomationLayer Assets Code YOU Own Approved 3rd party Black Box Open Source Approved Approved Libraries/Repo Pipeline of ‘new’ Open Source Approved New Code being Considered New Repo/ Libraries Eval of 3rd Party PUBLIC
  • 29. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Triaging Vulnerabilities 29 DEV Security Production Security Security Scanners Potential Defects Triage Real Defects Vuln Scoring Is it a false positive? PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch SupportFunctions PODs DEV Sec Champion Risk Person Lead Appsec Sec Arch Support Functions OS Framework Library Code 3rd Party DefectTypes Prioritized Vulnerabilities Can they be fixed? RiskWork Ticket Yes No Threat Modelling Prioritized Vulnerability (with Context) Compensating Control Increased Impact/ Probability NoYesMitigation BIA - Impact Exploitability - Likelyhood PODs DEV Sec Champion Risk person Lead Appsec Sec Arch SupportFunctions How exploitable? Maturity Level Maturity level PUBLIC
  • 30. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 30 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 31. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Core – Fast & Confident – Core Concepts 31 Going fast but with confidence (SEC) 1. Trust & Verify 2. License to operate/code >> Set Thresholds: Bild vs Fix, Vulnerability trending People & Education PUBLIC
  • 32. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify – Under the hood 32 Learning & Education Build vs FIX Target Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod nt to prod he License erate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Vulnerability Targets (Quarter) Phoenix Aggregator DB License to operate PUBLIC
  • 33. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Trust & Verify Key concepts - Summary 33 Developer can operate fast and deploy if they have a license 1. Trust your developers and apply a ‘license to operate’ 2. Apply governance (light and heavy weight) 3. Visualize and keep everyone accountable 4. Make security resource available to the developers and document the fixes PUBLIC
  • 34. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Security Education in DEV-SEC-OPS 34 1. Awareness Training For your users 2. Craft Training based on the scanner (faults) data 3. Education on the job – What good looks like 4. Make the training entertaining (CTF and Rewards) Security Education Education: PUBLIC
  • 35. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.ukwww.nsc42.co.ukwww.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo 35 PUBLIC Bringing all together Maturity Model & Recap
  • 36. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo What do you get out of Security Phoenix? 36 1. Visualize and Fix Vulnerability at scale and pace (DEV & Ops) 2. Trust the Product team but keep them accountable: Trust & Verify & License to Operate 3. Maturity & Recap PUBLIC
  • 37. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo To Achieve High Maturity what do you do 37 PUBLIC DEV Security Production Security Mat urity Task How much 1 No Peer Review 1 No Code Scanning 1 No library update 1 No risk management 1 No visibility on vulnerabilities 1 No knowledge of pods 1 No team to pod mapping 1 No Documentation of Fixes 2 Peer Revew 2 Team to Pod to Stash recorded 2 Onboarded application on code scanners 2 Libray scanning 2 triage of vulnerabilities (base) - Consider only high medium and low 2 Manual Evaluation of team and Allocation of Licence to Operate 2 No SLA 2 No Documentaiton 2 Adoption Dashboard 3 Peer Review with Toolset 3 Updated Teams and asset register 3 Basic Triage of vulnerabilities 3 Code Scan with Pipeline Break & Basic SLA 3 Adoption Dashboard (advanced) Per A.C. and Per Region 3 Risk Assessment from code scanning with record in Risk management Register 3 Automated Licence to operate: Code Scanning, Libraries, Internal Training 4 Fix time of vulnerabilities recorded 4 T-Shirt Sizing of fixes and Adaptation of SLA based on fixes 4 Visualization of pod to fix 4 segmentation dev and prod 4 Fix ticket in Jira & Build vs Fix Concept 4 Fuzzing (basic with generic per app) 5 Automated Licence to operate: Code Scanning, Libraries, Internal Training, Build Vs Fix 5 Automated Fuzzing & Library of tests Level 1 Level 2 Level 3 Level 4 Level 5 Intial Manage d Defined Quantitatively Managed Optimized Security Design AS-IS->TO- BE Security Design Governance AS-IS TO-BE Security Build & Test AS-IS TO-BE Security Operate AS-IS-> TO-BE Appsec Security Education AS-IS TO-BE Application Security Risk Management AS-IS TO-BE Reporting Frequency KCI Mat rutiy Build/Test Prereq -> 0 Who is working on which repository Monthly 1 Team On-boarded on scanners (per pod) Monthly 1 Code Scanning Frequency per project (min 1 per week) Monthly 1 Dashboard for Scanners created Monthly 2 Number of vulnerabilities ticket recorded Weekly 2 Dashboard for vulnerabilities - Onboarded Projects Weekly 2 Vulnerability Fixed (quarter) Monthly/ Quarterly Checks 3 Project imported in Kennar and Enriched Vulnerabilities (kennar) Monthly 3 Projects breaching the Build vs Fix target Monthly/ Quarter Checks 4 Fixes per thematic in SLA Monthly 4 SLA for Fixes (breached/achieved) Monthly 4 Team Achieving Licence to operate and Out of the licence Monthly 5 Build vs fix Monthly 5 Licence to operate Monthly Overall Maturity Maturity Steps KCI
  • 38. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Fixing Vulnerability the ABC…D 38 D – Respond/recover (Fix Vulnerability) 7 – Schedule Vuln Fixes (Jira) 7 – Fix Vuln & measure (quarterly) C – Visualize Vulnerabilities (Display) Reporting Dashboards (based on the maturity & KPI) Link the trending to Build vs FIX, Vuln trending, B – Detect (Scan Code) Select Team Leads and identify security champions Get security Scanners (SAST/DAST) Onboard and teach how to triage Create a Vulnerability Data lake (results of the vulnerabilities) A - IDentify (Software Asset Register) Software you build (repositories) Software You buy Trace Completeness across all the application you have Asset Register for Vulnerability Data Lake KPI Reporting & Dashboard Prioritizing & Vulnerability Reduction Outcome PUBLIC
  • 39. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Application Security Scanners Production Dashboard Development Dashboard Job Queue Defects Bugs New Features Am I compliant with Code Defects Target ? Am i still compliant with Overall Build vs FIX Targets ? Triage & Vulnerability Per applicationDay to day fix or build Code 3rd parties Components (FOSS + Libraries) Engeneers & Developers DEV-SEC-OPS Application Group (unit that works on one or more application) DEV Test Prod Deployment to prod Relies on the License to Operate Engeneers & Developers Application/ Product Owner Security Champion Security Architect Security Vulnerabilities Bugs& Errors NEWFeatures Thresholds Trust & Verify Framework 39 Learning & Education PUBLIC
  • 40. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Conclusion 40 - Trust And Verify - Vulnerability Management every day life - Automation vs people aspect – is a transformation - Data Driven Education - Governance at scale Does develops have a single solution? Security is everybody’s job PUBLIC
  • 41. Every 2 weeks 1.30 PM UK Time Cyber #MentoringMonday Podcast @FrankSEC42 PUBLIC
  • 42. Cyber Security Awards 2020 Cloud Security Influencer of the Year Submission – 10 of May 2020 (TBD) Ceremony 4 July 2020 #CYSECAWARDS20 https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info: Francesco.Cipollone@cloudsecurityalliance.org.ukPUBLIC
  • 43. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Q&A 43 PUBLIC
  • 44. Copyright © NSC42 Ltd 2019 (content & Picture under Licence) www.nsc42.co.uk @FrankSEC42https://uk.linkedin.com/in/fracipo Contacts 44 Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42 PUBLIC