Copyright © NSC42 Ltd 2019 (content & Picture under Licence)
The Security Phoenix rises from the DEV-OPS ashes
Cyber Security & Cloud Expo - North America
@FrankSEC42
From DEV-OPS, security rises into DEV-SEC-OPS-BIZ-RISK-GOV
https://uk.linkedin.com/in/fracipo
Agenda
1. About the author
2. Context
3. Evolution of DEVOPS in Security Phoenix
4. Security Phoenix – Visualization & Security Phoenix Tech
5. Security Phoenix – Security Ops
6. Security Phoenix – Governance & Education
7. Conclusions
8. Q&A
www.nsc42.co.uk @FrankSEC42 https://uk.linkedin.com/in/fracipo
About Francesco
3
Francesco Cipollone
Founder – NSC42 LTD
I’m a CISO and a CISO Advisor, Cybersecurity Cloud Expert. Speaker, Researcher and Chair of Cloud Security Alliance UK, Researcher and associate to ISC2.
I’ve been helping organizations define and implement cybersecurity strategies and protect their organizations against cybersecurity attacks.
Security is everybody’s job
We need to make security cool and frictionless
What the heck is DEV-SEC-OPS?
4
What kind of animal is the DEV-SEC-OPS?
Integrate security into the OPS team (and add a spark of BIZ)
Anatomy of a phoenix
5
What are the core components of the Security Phoenix?
- Secure Operate
- Secure Design, Build & Test
- People & Education
- Governance & Risk management
Major Breaches
6
Why is fixing security vulnerabilities everybody’s job?
(Timeline of major breaches from 2009 to 2019, as listed on the slide: Microsoft, Heartland, US Military, AOL, TJ Maxx, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Equifax, Myspace, Twitter, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US Retailers, Adobe, Ubisoft, Court Ventures, …)
…because we all get affected by it
Major Breaches
7
Image credit: Information is Beautiful
The Crisis
8
DEV-OPS & SEC -> SEC: how to go from problem to enabler?
Let’s see how security is reborn in the DEV-OPS world,
blending architecture, DEV-OPS and Business/Risk.
What do you get out of Security Phoenix?
9
1. Trust the Product team but keep them accountable: Trust & Verify & License to Operate
2. Visualize and fix vulnerabilities at scale and pace (DEV & Ops)
3. Security Design, Governance and Education
Trust & Verify Core – Fast & Confident – Core Concepts
11
Going fast but with confidence (SEC)
1. Trust & Verify
2. License to operate/code
3. Fix vulnerabilities day in, day out
>> Set thresholds: Build vs Fix, vulnerability trending
DEVSECOPS - Fast and Confident
12
Trusted DEV-OPS teams can operate at speed… as long as they have the license to operate.
(Diagram: DEV Security on one side, Production Security on the other.)
Trust & Verify – Under the hood
13
(Diagram; text recovered from the slide:)
- A DEV-SEC-OPS Application Group (the unit that works on one or more applications) is made of engineers & developers, an application/product owner, a security champion and a security architect, and owns the DEV, Test and Prod stages.
- Inputs scanned: code and 3rd-party components (FOSS + libraries).
- Application security scanners feed a Development Dashboard and a Production Dashboard; findings are triaged per application into the job queue (security vulnerabilities, bugs & errors, defects, new features) and the day-to-day decision is fix or build.
- Thresholds and vulnerability targets (per quarter) are stored in the Phoenix Aggregator DB; the dashboards answer "Am I compliant with the code defects target?" against the Build vs FIX target.
- Deployment to prod relies on the License to Operate; learning & education and Risk/BIZ feed the cycle.
Team Structure
14
(Diagram: the Trust & Verify diagram again, highlighting the team. Engineers & developers, the application/product owner, the security champion and the security architect form the DEV-SEC-OPS Application Group that works on one or more applications across DEV, Test and Prod; deployment to prod relies on the License to Operate, and the group keeps asking "Am I compliant with the code defects target?" and "Am I still compliant with the overall Build vs FIX targets?")
Trust & Verify Key concepts - Summary
15
Developers can operate fast and deploy as long as they have a license
1. Trust your developers and apply a ‘license to operate’
2. Apply governance (light and heavy weight)
3. Visualize and keep everyone accountable
4. Make security resources available to the developers and document the fixes
Trust & Verify Framework
16
(Diagram: the full Trust & Verify framework, which adds Learning & Education to the diagram of slide 13. Application security scanners feed the Development and Production Dashboards; findings on code and 3rd-party components (FOSS + libraries) are triaged per application into the job queue (security vulnerabilities, bugs & errors, defects, new features, thresholds) for the day-to-day fix-or-build decision; the DEV-SEC-OPS Application Group asks "Am I compliant with the code defects target?" and "Am I still compliant with the overall Build vs FIX targets?", and deployment to prod relies on the License to Operate.)
Dashboard for Code Defects
18
Example of a dashboard for vulnerability visualization
(Screenshot; legend: DEV Security, Production Security.)
Dashboard for Code Defects -> Under the hood
19
Development-Testing and Production stages, each with its own scanner and dashboard:
- Repositories -> Scanner for Code -> Dashboards for SAST (DEV Dashboard)
- Build/Staging/UAT/Test environments -> Scanner for Build, Scanner for Test -> Dashboard Build/Test
- Production -> Scanner for Prod -> Prod Scanner Dashboards (PROD Dashboards)
Steps: scan at various stages; scanners to tickets or aggregators; triage the vulnerabilities; set targets for Prod & DEV vulnerabilities.
(Diagram legend: DEV Security, Production Security.)
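One way to turn the Trust & Verify diagram (slide 13) and the scanner-to-targets pipeline on this slide into a working gate, as an added example that is not part of the deck or of any NSC42 tooling: constructed scanner findings from the DEV, Test and Prod stages are aggregated per application, compared with constructed per-quarter thresholds and SLAs, and the result is the license to operate and the day-to-day fix-or-build decision. All application names, findings, stages, severities and thresholds are assumptions.

```python
"""Added example (not from the deck): a 'license to operate' gate built from
aggregated scanner findings, mirroring the Trust & Verify diagram and the
scanner -> aggregator -> dashboard -> targets pipeline on this slide.
Every application name, finding, stage and threshold below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Order used when the day's job queue is 'fix': most severe first, oldest first.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    """One open scanner finding after triage (constructed schema)."""
    app: str        # application the DEV-SEC-OPS group owns
    stage: str      # "dev" (code/SAST), "test" (build/test env) or "prod"
    severity: str   # critical / high / medium / low
    source: str     # layer it came from: code, library, framework, os, ...
    age_days: int   # days since first seen


@dataclass(frozen=True)
class Targets:
    """Per-quarter targets the security function sets for an application."""
    max_open: dict   # {(stage, severity): max open findings tolerated}
    sla_days: dict   # {severity: days a finding may stay open}


def aggregate(findings):
    """Roll findings up per application, stage and severity.
    This is what the development and production dashboards display."""
    counts = defaultdict(Counter)
    for f in findings:
        counts[f.app][(f.stage, f.severity)] += 1
    return counts


def license_to_operate(app, findings, targets):
    """Trust & Verify: the team keeps its license to deploy to prod only while
    every threshold holds and no finding has outlived its SLA.
    Returns (granted, reasons); reasons is empty when granted."""
    reasons = []
    counts = aggregate(findings)[app]          # Counter() if the app is unknown
    for (stage, sev), limit in sorted(targets.max_open.items()):
        n = counts[(stage, sev)]
        if n > limit:
            reasons.append(f"{stage}: {n} open {sev} finding(s), target is {limit}")
    for f in findings:
        if f.app != app:
            continue
        sla = targets.sla_days.get(f.severity)
        if sla is not None and f.age_days > sla:
            reasons.append(f"{f.stage}: {f.severity} {f.source} finding open "
                           f"{f.age_days}d, SLA is {sla}d")
    return (not reasons, reasons)


def fix_or_build(app, findings, targets):
    """Day-to-day decision for the job queue: while the license is revoked the
    answer is 'fix' with the app's open findings ordered by severity then age;
    once the license is back the team may 'build' new features."""
    granted, _ = license_to_operate(app, findings, targets)
    if granted:
        return "build", []
    backlog = sorted((f for f in findings if f.app == app),
                     key=lambda f: (SEVERITY_ORDER[f.severity], -f.age_days))
    return "fix", backlog


# Constructed sample data: three applications, findings from all three stages.
SAMPLE_FINDINGS = [
    Finding("payments", "dev", "high", "code", 3),
    Finding("payments", "dev", "medium", "code", 12),
    Finding("payments", "test", "high", "library", 20),
    Finding("payments", "prod", "critical", "framework", 2),
    Finding("catalog", "dev", "low", "code", 40),
    Finding("catalog", "prod", "medium", "os", 5),
    Finding("search", "dev", "medium", "library", 120),   # breaches the medium SLA
]
SAMPLE_TARGETS = Targets(
    max_open={("prod", "critical"): 0, ("prod", "high"): 2,
              ("test", "high"): 5, ("dev", "high"): 5},
    sla_days={"critical": 7, "high": 30, "medium": 90, "low": 180},
)


if __name__ == "__main__":
    for app in ("payments", "catalog", "search"):
        granted, reasons = license_to_operate(app, SAMPLE_FINDINGS, SAMPLE_TARGETS)
        decision, _ = fix_or_build(app, SAMPLE_FINDINGS, SAMPLE_TARGETS)
        print(f"{app}: license {'granted' if granted else 'REVOKED'} -> {decision}")
        for r in reasons:
            print("   ", r)
```

With the sample data, "payments" loses its license on the prod critical threshold, "search" on an aged medium finding (the SLA check), and "catalog" keeps it and may build.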
Security Operation
20
Secure Operate: What to do
1. OS & App – Patch
2. Framework – Scan & Patch
3. Libraries & Open source components
4. Code – From your DEV pipeline
5. Libraries – From your Build/DEV
Layers covered (bottom up): Hardware; OS/Container; Apps (3rd party); Frameworks; Libraries (3rd) / FOSS; Code/Build.
(Diagram legend: DEV Security, Production Security.)
Definition of security Impacting Change
23
Functional Change – Any change impacting the core functionalities of an application.
(Diagram: the change lifecycle by phase and the governance that applies to each.)
- Design Phase: initial design (iterations) and functional change. Governance sits with the Security Design Authority & Security Architects.
- DEV-OPS Phase: DEV, OPS and Test; small change / bugfix / patching in sandbox/prototyping and deployment environments. Governance is delegated to the champion(s) and application owner(s).
Security Education in DEV-SEC-OPS
24
Education:
1. Awareness training for your users
2. Craft training based on the scanner (faults) data
3. Education on the job – what good looks like
4. Make the training entertaining (CTF and rewards)
Conclusion
25
- Trust and Verify
- Vulnerability management as part of everyday life
- Automation vs the people aspect – it is a transformation
- Data-driven education
- Governance at scale
Security at scale and pace
Security is everybody’s job
Cyber #MentoringMonday Podcast – every 2 weeks, 1.30 PM UK time – @FrankSEC42
Cyber Security Awards 2020 – Cloud Security Influencer of the Year
Submission – 10 of May 2020 (TBD); Ceremony 4 July 2020
#CYSECAWARDS20 https://cybersecurityawards.com/
https://cloudsecurityalliance.org.uk
Submit: info@cybersecurityawards.com
Info:
Q&A
29
Contacts
30
Get in touch:
https://uk.linkedin.com/in/fracipo
Francesco.cipollone (at) nsc42.co.uk
www.nsc42.co.uk
Thank you
WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY
@FrankSEC42

 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 

Nsc42 the security phoenix

  • 1. Copyright © NSC42 Ltd 2019 (content & Picture under Licence). The Security Phoenix rises from DEV-OPS ashes. Cyber Security & Cloud Expo - North America. @FrankSEC42 https://uk.linkedin.com/in/fracipo. From DEV-OPS, Security rises as DEV-SEC-OPS-BIZ-RISK-GOV.
  • 2. Agenda: About the author; Context; Evolution of DEVOPS in Security Phoenix; Security Phoenix – Visualization & Security Phoenix Tech; Security Phoenix – Security Ops; Security Phoenix – Governance & Education; Conclusions; Q&A.
  • 3. About Francesco. Francesco Cipollone, Founder – NSC42 LTD. I'm a CISO and CISO Advisor, Cybersecurity Cloud Expert, Speaker, Researcher and Chair of Cloud Security Alliance UK, Researcher and associate to ISC2. I've been helping organizations define and implement cybersecurity strategies and protect themselves against cybersecurity attacks. Website, Articles, NSC42 LinkedIn. Security is everybody's job. We need to make security cool and frictionless. Email @FrankSec42, Fracipo LinkedIn.
  • 4. What the heck is DEV-SEC-OPS? What kind of animal is DEV-SEC-OPS? Integrate security into the OPS team (and add a spark of BIZ).
  • 5. Anatomy of a phoenix. What are the core components of Security Phoenix? Secure Design, Build & Test, Secure Operate, People & Education, Governance & Risk management.
  • 6. Major Breaches (timeline 2009/2010 to 2019): Microsoft, Heartland, US Military, AOL, TJMax, Sony PSN, NHS, Betfair, Steam, Deep Root, IRS, Anthem, Dropbox, Last.fm, Blizzard, Marriott, Twitter, MyHeritage, Uber, Quora, Equifax, Myspace, Yahoo, LinkedIn, Friend Finder, Dailymotion, Mossack Fonseca, JP Morgan, Home Depot, eBay, Yahoo (original), US Retailers, Adobe, Ubisoft, Court Ventures, ... Why is fixing security vulnerabilities everybody's job? ...because we all get affected by it.
  • 7. Major Breaches. Image credit: Information is Beautiful.
  • 8. The Crisis. DEV-OPS & SEC -> SEC: how to go from problem to enabler? Let's see how security is reborn in the DEV-OPS world, blending architecture, DEV-OPS and Business/Risk.
  • 9. What do you get out of Security Phoenix? 1. Trust the product team but keep them accountable: Trust & Verify & License to Operate. 2. Visualize and fix vulnerabilities at scale and pace (DEV & Ops). 3. Security Design, Governance and Education.
  • 10. What do you get out of Security Phoenix? 1. Trust the product team but keep them accountable: Trust & Verify & License to Operate. 2. Visualize and fix vulnerabilities at scale and pace (DEV & Ops). 3. Security Design, Governance and Education.
  • 11. Trust & Verify Core – Fast & Confident – Core Concepts. Going fast but with confidence (SEC): 1. Trust & Verify. 2. License to operate/code. 3. Day-in day-out fixing of vulnerabilities >> set thresholds: Build vs Fix, vulnerability trending. (Diagram labels: Operate; People & Education.)
  • 12. DEVSECOPS - Fast and Confident. A trusted DEV-OPS team can operate at speed... as long as they have the license to operate. (Diagram labels: DEV Security; Production Security.)
  • 13. Trust & Verify – Under the hood (diagram). Recoverable labels: Application Security Scanners feed a Development Dashboard and a Production Dashboard; Job Queue (Defects, Bugs, New Features); "Am I compliant with the Code Defects Target?"; Triage & Vulnerability per application, day-to-day fix or build; inputs are Code and 3rd-party components (FOSS + libraries); DEV-SEC-OPS Application Group (unit that works on one or more applications): Engineers & Developers, Application/Product Owner, Security Champion, Security Architect; environments DEV -> Test -> Prod, deployment to prod relies on the License to Operate; Thresholds and quarterly Vulnerability Targets in the Phoenix Aggregator DB; Security Vulnerabilities, Bugs & Errors, New Features; Build vs Fix target; Learning & Education; License to operate; Risk/BIZ?
  • 14. Team Structure (diagram, same elements as slide 13). Application Security Scanners, Production Dashboard, Development Dashboard; Job Queue (Defects, Bugs, New Features); "Am I compliant with the Code Defects Target?"; "Am I still compliant with the overall Build vs Fix targets?"; Triage & Vulnerability per application, day-to-day fix or build; Code and 3rd-party components (FOSS + libraries); DEV-SEC-OPS Application Group (unit that works on one or more applications): Engineers & Developers, Application/Product Owner, Security Champion, Security Architect; DEV -> Test -> Prod, deployment to prod relies on the License to Operate; Security Vulnerabilities, Bugs & Errors, New Features, Thresholds; License to operate.
  • 15. Trust & Verify Key concepts - Summary. Developers can operate fast and deploy as long as they have a license. 1. Trust your developers and apply a 'license to operate'. 2. Apply governance (light and heavy weight). 3. Visualize and keep everyone accountable. 4. Make security resources available to the developers and document the fixes.
  • 16. Trust & Verify Framework (diagram repeating slide 13, with Learning & Education).
  • 17. What do you get out of Security Phoenix? 1. Trust the product team but keep them accountable: Trust & Verify & License to Operate. 2. Visualize and fix vulnerabilities at scale and pace (DEV & Ops). 3. Security Design and Education.
  • 18. Dashboard for Code Defects. Example of a dashboard for vulnerability visualization (DEV Security; Production Security).
  • 19. Dashboard for Code Defects -> Under the hood (diagram). Scan at various stages: Repositories -> Scanner for Code -> Dashboards for SAST (DEV Dashboard); Build/Staging/UAT/Test environments -> Scanner for Build and Scanner for Test -> Build/Test Dashboard; Production -> Scanner for prod -> PROD Dashboards. Triage the vulnerabilities; scanners to tickets or aggregators; set targets for Prod & DEV vulnerabilities (DEV Security; Production Security).
  • 20. Security Operation. Secure Operate: what to do. 1. OS & App – Patch. 2. Framework – Scan & Patch. 3. Libraries & Open source components. 4. Code – from your DEV pipeline. 5. Libraries – from your Build/DEV. Layer stack (diagram): Hardware; OS/Container; Apps (3rd party); Frameworks; Libraries (3rd) / FOSS; Code/Build. (DEV Security; Production Security.)
  • 21. What do you get out of Security Phoenix? 1. Trust the product team but keep them accountable: Trust & Verify & License to Operate. 2. Visualize and fix vulnerabilities at scale and pace (DEV & Ops). 3. Security Design and Education.
  • 22. Definition of a security-impacting change. Functional change: any change impacting the core functionalities of an application. Design phase: initial design (iterations), functional change; governance on the Security Design Authority & Security Architects. DEV-OPS phase: small change/fix/patching, small change/bugfix/patching, sandbox/prototyping, deployment environment, OPS, test; governance delegated to the Champion(s) and Application Owner(s).
  • 23. Security Education in DEV-SEC-OPS. 1. Awareness training for your users. 2. Craft training based on the scanner (faults) data. 3. Education on the job – what good looks like. 4. Make the training entertaining (CTF and rewards).
  • 24. Conclusion. Trust and Verify; vulnerability management as everyday life; automation vs the people aspect – it is a transformation; data-driven education; governance at scale. Security at scale and pace. Security is everybody's job.
  • 25. Every 2 weeks, 1.30 PM UK time: Cyber #MentoringMonday Podcast @FrankSEC42.
  • 26. Cyber Security Awards 2020 – Cloud Security Influencer of the Year. Submission – 10 of May 2020 (TBD). Ceremony 4 July 2020. #CYSECAWARDS20 https://cybersecurityawards.com/ https://cloudsecurityalliance.org.uk Submit: info@cybersecurityawards.com Info:
  • 27. Q&A
  • 28. Contacts. Get in touch: https://uk.linkedin.com/in/fracipo Francesco.cipollone (at) nsc42.co.uk www.nsc42.co.uk Thank you. WHEN YOU ARE CYBERSAFE WE ARE CYBERHAPPY @FrankSEC42

Editor's Notes

  1. Intro. Thank you for being here, and thanks to Whitehall Media for organizing this event. What are we going to talk about? <pause?> ... oh yes, the phoenix and the death of infosec. <pause?> ... oh sorry, you thought you would have a future as security people? Well, yes and no... <smile & pause> Who has read Harry Potter here? Who knows what a phoenix is? And how does a phoenix relate to infosec? Today we are going to talk about how the infosec program is reborn under a rain of fire inside the DEV-OPS world.
  2. Agenda for today: Author; Quick background; Evolution of DEVOPS in Security Phoenix; Security Phoenix – Visualization & Security Phoenix Tech; Security Phoenix – Security Ops; Security Phoenix – Governance & Education; Trust & Verify / License to operate; Conclusions; Q&A.
  3. Quick background about Francesco... me... as you might have noticed, my favorite colors are black and red. I'm a Cybersecurity Cloud Expert and CISO/Advisor. I'm an active public speaker, as you can see, researcher and Director of Events of Cloud Security Alliance UK, researcher and associate to ISC2. I've been helping organizations define and implement cybersecurity strategies and protect themselves against cybersecurity attacks. I help international organizations of different industries and sizes (financial services, banking, telco) and this gives me a different perspective on the security problem. One important theme that I put in all my presentations is that security is everybody's job, and we will see why. Also, the key to success in security is to make it frictionless.
  4. So what is DEV-OPS? Opening: so, what are we talking about? DEVOPS and Security. What the heck is DEVOPS? DEVOPS is a mythological beast, where you merge the development community with the operational community to get a single animal that is responsible for the lifecycle of its own application. It is continuous integration between DEVelopment and OPerationS. Why is it so relevant today? Because of the speed of delivery. So how do we add another element (Sec) to this picture? Security Phoenix is where DEV-OPS is reborn as a mythological animal with security at its heart.
  5. So what are the different parts of a phoenix? People and education at the head; Design (one wing); Build & Test (the other wing); Operate at the heart; guided by governance and risk management (the tail). Can a bird fly without wings, or with just one wing? Maybe, but really badly. Can a bird fly without a head? I don't think so. Can a bird have direction without a tail? But ultimately security is about our people, as they are our herald. Security is everybody's job. Let's see why.
  6. Why is security important? Major breaches over the years... let's think about the dark knights. We can't scale! We need more security people! I'll let this image sink in for a second. Those are just the major breaches over the years. Most of them were due to mistakes like unpatched systems, exposed databases, password guessing, brute force. What do all those breaches have in common? Complex nation-state activity? No. Complex and intricate cyber attacks? Sometimes. Missing the basics (e.g. patching) and human error is the answer you are really searching for. By doing the basics right you will be better off than 80% of other organizations. This explains why security is everyone's responsibility: because we all get affected by it! https://blog.storagecraft.com/7-infamous-cloud-security-breaches/ https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/ A lot of the breaches have similarities: basic patching; servers exposed without credentials.
  7. Setting the context. Just to let you know what the malicious actors have been up to, and to give some perspective: size of the breaches (orange: interesting stories). https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  8. So how does security fit in DEV-OPS? Done badly, the existing governance and controls get forced onto the new world. Done correctly, security becomes almost transparent. So how do we do it correctly? With Security Phoenix! The security function is reborn! Let's analyze the phoenix.
  9. What would you get out of the pillars? Trust of the developers: embedding security in the DEV-OPS pods. Key enabler for doing this at scale? Trust & Verify and License to Operate. How to fix vulnerabilities at scale? The concepts of triage and visualization. Upskill and fill the gap in security. Keep people accountable: security governance. Shift Left & Design: not talking much about it here.
  10. So let's see the people aspect: Trust & Verify and License to Operate.
  11. The problem we are trying to solve: how to fix the problem at scale and at pace. DEV-SEC-OPS ultimately is all about our people & education. People are the first line of defence for your business. What are the key concepts of Security Phoenix? Trust the team but verify (dashboards, build vs fix). License to operate: if you deploy quality code you have the license. Fixing vulnerabilities as everyday life (every sprint). Set thresholds (reduction of vulnerabilities and build vs fix).
  12. This new mode of operation relies on the ability of the team to demonstrate they can operate securely and at pace. Transformation – License to Operate -> trust your DEV-OPS team but verify, as long as the DEV-OPS team operates under the license. Apply governance (light and heavy weight). Make security everybody's responsibility but provide resources to guide (during the transformation).
  13. The whole concept relies on the license to operate: if you promote good code, you are good to go. How to verify: thresholds for reduction of vulnerabilities (dashboards); thresholds for Build vs Fix; security learning. Data flows: code scanners -> output in the Phoenix DB -> thresholds; code scanners -> output in Jira tickets -> thresholds in the Phoenix DB -> Build vs Fix tickets; learning platform -> output in the Phoenix DB -> is the team doing training? Teams triage and remediate locally to the pod. People aspect: risk management & BIZ, not yet automated. If something can't be updated/remediated, then risk assessment (not covered here). The Application/Product Owner (empowered by the pods and the Security Champions) decides how many vulnerabilities to fix at every sprint.
  14. The pod structure: Dev + Engineers (DEV + OPS); Security Champions to show what good looks like; App Owner to guide the business for new features; Security Architect to oversee the design part of the application and review changes; Monitoring – AppSec (day-in day-out vulnerability fixes); Dashboard and trending – which vulnerability to fix first; Build vs Fix – ensure the thresholds are healthy.
  15. Trust your developers and apply a 'license to operate' -> the license can be removed. Apply governance (light and heavy weight): faster for teams that are compliant with security, more scrutiny for teams that are not. Visualize and keep everyone accountable: give the product owner the ability to see if new vulnerabilities are being introduced. Make security resources available to the developers and document the fixes: produce an internal reference for what security looks like for your org.
  16. The whole concept relies on the license to operate: if you promote good code, you are good to go. How to verify: thresholds for reduction of vulnerabilities (dashboards); thresholds for Build vs Fix; scanner output in Jira. Teams triage and remediate locally to the pod. If something can't be updated/remediated, then risk assessment (not covered here). The Application/Product Owner (empowered by the pods and the Security Champions) decides how many vulnerabilities to fix at every sprint.
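The verification loop described in notes 13 and 16 (scanner findings landing in a store, per-application quarterly targets, a Build vs Fix threshold, and a License to Operate the pipeline checks before promoting to prod) as an added example. This is not the author's tooling: the data model, the four threshold types, the two hypothetical applications and the sample findings are assumptions made to show the check end to end; a real deployment would read the findings from the aggregator and the targets from whatever the product owner records them in.

```python
"""License-to-operate gate for a DEV-SEC-OPS application group (added example).

Assumed model: every scanner finding is stored per application, each
application has quarterly targets agreed with the product owner and the
security champion, and the deployment job asks "am I still compliant?"
before promoting to prod. All data below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    app: str
    severity: str          # "critical" | "high" | "medium" | "low"
    opened: date
    status: str = "open"   # "open" | "fixed" | "risk_accepted"


@dataclass
class Target:
    """Per-application targets for the quarter (hypothetical field names)."""
    max_open: dict              # e.g. {"critical": 0, "high": 5}
    max_critical_age_days: int  # no critical finding may stay open longer than this
    min_fix_ratio: float        # share of sprint tickets that must be vulnerability fixes
    reduction_pct: float        # required drop in open findings since quarter start


@dataclass
class SprintLog:
    fix_tickets: int
    build_tickets: int

    @property
    def fix_ratio(self) -> float:
        total = self.fix_tickets + self.build_tickets
        return self.fix_tickets / total if total else 1.0


def open_findings(findings, app):
    return [f for f in findings if f.app == app and f.status == "open"]


def license_to_operate(app, findings, target, sprint, quarter_start_open, today):
    """Return (licensed, reasons). Every failed threshold is reported, not just
    the first one, so the dashboard shows the team exactly what blocks them."""
    reasons = []
    opened = open_findings(findings, app)

    # 1. Absolute ceiling per severity
    for sev, limit in target.max_open.items():
        count = sum(1 for f in opened if f.severity == sev)
        if count > limit:
            reasons.append(f"{count} open {sev} findings exceeds target {limit}")

    # 2. Age SLA for criticals: an old critical is worse than a new one
    for f in opened:
        age = (today - f.opened).days
        if f.severity == "critical" and age > target.max_critical_age_days:
            reasons.append(f"critical finding open {age} days > {target.max_critical_age_days}")

    # 3. Build vs Fix: the sprint must keep paying down security debt
    if sprint.fix_ratio < target.min_fix_ratio:
        reasons.append(f"fix ratio {sprint.fix_ratio:.0%} below threshold {target.min_fix_ratio:.0%}")

    # 4. Quarter trend: open findings must drop by the agreed percentage
    if quarter_start_open:
        reduction = 1 - len(opened) / quarter_start_open
        if reduction < target.reduction_pct:
            reasons.append(f"open findings reduced {reduction:.0%}, target {target.reduction_pct:.0%}")

    return (not reasons, reasons)


# Constructed sample data: two hypothetical applications in one pod
SAMPLE_FINDINGS = [
    Finding("payments", "critical", date(2019, 9, 1)),
    Finding("payments", "high", date(2019, 10, 1)),
    Finding("payments", "high", date(2019, 10, 5), status="fixed"),
    Finding("catalog", "high", date(2019, 10, 20)),
    Finding("catalog", "medium", date(2019, 10, 21)),
]
TARGET = Target(max_open={"critical": 0, "high": 5}, max_critical_age_days=30,
                min_fix_ratio=0.2, reduction_pct=0.25)


def demo():
    """Run the gate for both apps as of a fixed date; returns {app: (licensed, reasons)}."""
    today = date(2019, 11, 1)
    return {
        "payments": license_to_operate("payments", SAMPLE_FINDINGS, TARGET,
                                       SprintLog(fix_tickets=1, build_tickets=9), 3, today),
        "catalog": license_to_operate("catalog", SAMPLE_FINDINGS, TARGET,
                                      SprintLog(fix_tickets=3, build_tickets=7), 4, today),
    }


if __name__ == "__main__":
    for app, (licensed, reasons) in demo().items():
        print(app, "LICENSED" if licensed else "BLOCKED", reasons)
```

With this data the catalog team keeps its license while payments is blocked for three separate reasons (an open critical, its age, and a sprint that was almost all build). Reporting all of them at once is the point: the product owner sees the whole gap, not one failure per pipeline run.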
  17. Let's see the visualization aspect behind the elements discussed.
  18. Thresholds example (DEV).
  19. Theme: visualization helps both the teams working on the code and the application owner providing governance. The tools ultimately are not as intelligent as a developer; they only provide suggestions on how to prioritize vulnerabilities. Scanner architecture: different scans at different stages; divide DEV/Prod scanners; individual dashboards for false positives; aggregate the vulnerabilities in aggregators (e.g. Kenna); scanner dashboards to mark false positives or risk-accept, but make sure there is a process behind it; triage the vulnerabilities inside the scanners or feed them into auto-generation of tickets.
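The scanners-to-aggregator-to-tickets flow from note 19 as an added example (not the author's or any vendor's code). It normalises findings from a dev-stage SAST scanner and a production scanner into one schema, collapses repeated scans of the same issue, applies a false-positive / risk-acceptance register that requires an owner and an expiry (the "process behind it"), and orders what is left so that production exposure comes first. The two raw formats, the register and all findings are constructed samples; real scanners have their own export formats.

```python
"""Scanner aggregator and triage (added example, not from the deck).

Assumptions: a dev SAST scanner and a prod scanner export JSON-like records
in the hypothetical shapes below; findings are keyed by a stable fingerprint
so the same issue seen twice is one ticket; risk acceptances expire and fall
back into the queue when they lapse.
"""
from datetime import date
from hashlib import sha256

SEVERITY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}


def fingerprint(app, title, location):
    """Stable identity of a finding across scans (first 16 hex chars are enough here)."""
    return sha256(f"{app}|{title}|{location}".encode()).hexdigest()[:16]


# Constructed sample output of a dev-stage SAST scanner (hypothetical format)
SAST_RAW = [
    {"app": "payments", "rule": "CWE-89", "file": "db.py", "line": 42, "sev": "HIGH"},
    {"app": "payments", "rule": "CWE-89", "file": "db.py", "line": 42, "sev": "HIGH"},  # re-scan
    {"app": "payments", "rule": "CWE-798", "file": "cfg.py", "line": 7, "sev": "MEDIUM"},
]
# Constructed sample output of a production scanner (hypothetical format, risk 1..4)
PROD_RAW = [
    {"application": "payments", "plugin": "TLS 1.0 enabled", "host": "pay-1", "risk": 3},
    {"application": "catalog", "plugin": "Outdated nginx", "host": "cat-1", "risk": 4},
]
# Risk-acceptance / false-positive register: every entry names an owner and expires
REGISTER = {
    fingerprint("payments", "TLS 1.0 enabled", "pay-1"):
        {"reason": "legacy partner link, migration ticket open", "owner": "payments PO",
         "expires": date(2019, 12, 31)},
    fingerprint("payments", "CWE-798", "cfg.py:7"):
        {"reason": "test credential only", "owner": "security champion",
         "expires": date(2019, 10, 1)},
}


def from_sast(raw):
    return {"app": raw["app"], "title": raw["rule"], "location": f"{raw['file']}:{raw['line']}",
            "severity": SEVERITY[raw["sev"]], "stage": "dev", "source": "sast"}


def from_prod(raw):
    # Assumption: the prod scanner's 1..4 risk scale maps directly onto SEVERITY ranks
    return {"app": raw["application"], "title": raw["plugin"], "location": raw["host"],
            "severity": raw["risk"], "stage": "prod", "source": "prod-scan"}


def aggregate(sast_raw, prod_raw, register, today):
    """Normalise, de-duplicate and classify. Returns (actionable, suppressed, expired)."""
    seen = {}
    for f in [from_sast(r) for r in sast_raw] + [from_prod(r) for r in prod_raw]:
        f["id"] = fingerprint(f["app"], f["title"], f["location"])
        seen.setdefault(f["id"], f)  # identical re-scans collapse into one finding
    actionable, suppressed, expired = [], [], []
    for f in seen.values():
        entry = register.get(f["id"])
        if entry and entry["expires"] >= today:
            suppressed.append(f)          # accepted, with owner and expiry on record
            continue
        if entry:
            expired.append(f)             # acceptance lapsed: back into the queue
        actionable.append(f)
    # Production exposure first, then severity: what the team should fix first
    actionable.sort(key=lambda f: (f["stage"] != "prod", -f["severity"]))
    return actionable, suppressed, expired


def to_ticket(f):
    """Payload a ticketing integration (e.g. Jira) would receive; fields are assumptions."""
    return {"summary": f"[{f['app']}] {f['title']} @ {f['location']}",
            "priority": {4: "P1", 3: "P2", 2: "P3", 1: "P4"}[f["severity"]],
            "labels": ["security", f["stage"], f["source"]], "fingerprint": f["id"]}


def demo(today=date(2019, 11, 1)):
    actionable, suppressed, expired = aggregate(SAST_RAW, PROD_RAW, REGISTER, today)
    return {"tickets": [to_ticket(f) for f in actionable],
            "suppressed": len(suppressed), "expired": len(expired)}


if __name__ == "__main__":
    for t in demo()["tickets"]:
        print(t["priority"], t["summary"], t["labels"])
```

Four distinct findings come out of five raw records; one is suppressed by a live acceptance, one re-enters the queue because its acceptance expired, and the prod finding is ticketed first even though a dev finding has the same severity rank.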
  20. For operations – scan/monitor & bugfix (nothing more than a change). Key thing here: prioritize what to fix! Fixes will be in competition with features! It is not all about security. OS & App – scan and monitor; rebuild frequently so you don't have to worry. Framework – scan & patch; rebuild the app with the latest (release cadence). FOSS – open source components! Watch for contributor account takeover (refer to Netflix). Libraries & open source components – scan & rebuild with new libraries; rebuild the app with the latest (release cadence); risk management if you can't update or no update is available. Code – from your DEV pipeline: those are your security code defects (internal or external bug bounty to detect which ones are more dangerous).
  21. For open source vulnerabilities it takes a long time to fix. Why is that? Because rebuilding is not always immediate. You say 0-days? I say a patch normally takes between 16 and 94 days to be applied... That leaves you a lot of exposure.
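The open-source component check from notes 20 and 21 as an added example (not the author's tooling). It reads pinned dependencies from a lockfile, matches each pin against an advisory feed by version range, and reports per component whether a fixed release exists (rebuild with the latest) or not (route to risk management), together with how many days the component has been exposed since the advisory was published. The lockfile, the package names and the advisory feed are all constructed; in a real pipeline they would come from the build and from a vulnerability database, and versions would be parsed with a full PEP 440 / semver parser rather than the dotted-integer comparison used here.

```python
"""Open-source component check for the Secure Operate layer (added example).

Assumptions: pins are "name==x.y.z" lines; advisories give the first
affected version, the fixed version (None if no fix is released yet), the
publication date and a severity. All names and advisory IDs are made up.
"""
from datetime import date

# Constructed lockfile (requirements.txt style pins, hypothetical packages)
LOCKFILE = """\
# pinned by the build
httpkit==2.19.1
yamlkit==5.1
tlskit==1.24.1
"""

# Constructed advisory feed: package -> advisories (IDs are placeholders, not real CVEs)
ADVISORIES = {
    "httpkit": [{"id": "ADV-EX-1", "introduced": "2.0.0", "fixed": "2.20.0",
                 "published": date(2018, 10, 18), "severity": "medium"}],
    "tlskit": [{"id": "ADV-EX-2", "introduced": "1.0.0", "fixed": None,
                "published": date(2019, 9, 1), "severity": "high"}],
}
SEV_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(v):
    """Dotted integers only; good enough for the sample, not for real version strings."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, ver = line.partition("==")
        pins[name.lower()] = ver
    return pins


def affected(version, adv):
    """True if version lies in [introduced, fixed); an advisory with no fix is open-ended."""
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    return adv["fixed"] is None or v < parse_version(adv["fixed"])


def check(pins, advisories, today):
    """Match pins against the feed; returns findings ordered by severity, then exposure."""
    report = []
    for name, ver in pins.items():
        for adv in advisories.get(name, []):
            if not affected(ver, adv):
                continue
            report.append({
                "package": name, "pinned": ver, "advisory": adv["id"],
                "severity": adv["severity"],
                # Days the component has been exposed since the advisory went public
                "exposure_days": (today - adv["published"]).days,
                "action": (f"rebuild with >= {adv['fixed']}" if adv["fixed"]
                           else "no fix: risk assessment"),
            })
    report.sort(key=lambda r: (-SEV_RANK[r["severity"]], -r["exposure_days"]))
    return report


def demo(today=date(2019, 11, 1)):
    return check(parse_lockfile(LOCKFILE), ADVISORIES, today)


if __name__ == "__main__":
    for row in demo():
        print(f"{row['package']}=={row['pinned']} {row['advisory']} {row['severity']} "
              f"exposed {row['exposure_days']}d -> {row['action']}")
```

The two outcomes in the sample are the two branches note 20 describes: httpkit has a fixed release and becomes a rebuild ticket, while tlskit has no fix yet and goes to risk assessment, with the exposure counter making the delay visible on the dashboard rather than hidden in a backlog.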
  22. So let's see the last aspect: Design and Education.
  23. Security governance in DEV-SEC-OPS is challenging. Definition of change: small changes vs security-impacting changes. Change control & security education: security review closer to the application pods. Initial design assessment. Improvements: pre-approved services, patterns, standards turned into automation.
  24. Educate the users -> report vulnerabilities. Educate the users -> be aware of social engineering. Hands-on and hands-off training (OWASP is a great resource).
  25. Security is hard and the role of the architect is changing. No one solution fits all; tailor this model to your organization! Key concepts: Trust and Verify; vulnerability management as everyday life; automation vs the people aspect – it is a transformation; data-driven education; governance at scale. Closing: ultimately there is no one solution that fits all, so look at the security transformation as a people transformation. You can't automate people, but you can make people's lives easier using tools. Don't let the tool use you; use the tool to prioritize the work.
  26. Q&A