continuous security
play

Continuous security nl.linkedin.com/kimvanwilgen - PowerPoint PPT Presentation

Feb 07, 2024 •284 likes •796 views

Continuous security nl.linkedin.com/kimvanwilgen kimvanwilgen@gmail.com Kim van Wilgen | Schuberg Philis www.kimvanwilgen.com @kimvanwilgen September 2017 Cybercriminals accessed the personal data of 145.5M consumers 209K credit card

  1. Continuous security nl.linkedin.com/kimvanwilgen kimvanwilgen@gmail.com Kim van Wilgen | Schuberg Philis www.kimvanwilgen.com @kimvanwilgen

  2. September 2017 Cybercriminals accessed the personal data of 145.5M consumers 209K credit card credentials were taken $ 300M was paid to victims and $275M in fines Continuous security @kimvanwilgen | www.kimvanwilgen.com

  3. Open invitation • Forced browsing to get millions of results • Type admin / admin as username and password • Usage of http instead of https • Linking to phishing sites in their tweets • Alerts by security researchers were ignored • 30 days until notification, selling shares in the meantime Continuous security @kimvanwilgen | www.kimvanwilgen.com

  4. Continuous security @kimvanwilgen | www.kimvanwilgen.com

  5. 20 20 19 20 Hello world Head of IT Head of Customer director Klaverblad software Schuberg Philis 14 17 80 18 Verzekeringen development ANVA Continuous security @kimvanwilgen | www.kimvanwilgen.com

  6. Schuberg Philis Mission critical digital transformations Financially independent Started in 2001 300 team members (Dec 2018) EUR 60m revenue Market Quality leader in Business Critical IT Outsourcing Single KPI 100% customer satisfaction 6

  7. Our customers 7

  8. 8

  9. Why focus on security? Continuous security @kimvanwilgen | www.kimvanwilgen.com

  10. Focus shifted to speed…and nothing else Continuous security @kimvanwilgen | www.kimvanwilgen.com

  11. Constant change Continuous security @kimvanwilgen | www.kimvanwilgen.com

  12. Everything is connected into the heart of your business Continuous security @kimvanwilgen | www.kimvanwilgen.com

  13. Autonomous teams Continuous security @kimvanwilgen | www.kimvanwilgen.com

  14. Changing roles Continuous security @kimvanwilgen | www.kimvanwilgen.com

  15. Security in an agile world Continuous security @kimvanwilgen | www.kimvanwilgen.com

  16. Security should support the delivery of value Continuous security @kimvanwilgen | www.kimvanwilgen.com

  17. Continuous security @kimvanwilgen | www.kimvanwilgen.com

  18. “If you are doing DevOps without security, you are doing it wrong” Thiago de Faria – Head of solutions engineering, LINKIT Continuous security @kimvanwilgen | www.kimvanwilgen.com

  19. Secure Defensible coding infrastructure Situational Supporting way awareness of working DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  20. Secure Defensible coding infrastructure Situational Supporting way awareness of working DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  21. Integration in the pipeline: Automate everyting Continuous security @kimvanwilgen | www.kimvanwilgen.com

  22. SAST Static Analyses Security Testing Tools:https://www.owasp.org/index.php/Source_Code_ Analysis_Tools We use SonarQube + Find problems early in lifecycle, detailed feedback, scalable - Limited scope, configuration out of scope, false positives & negatives Continuous security @kimvanwilgen | www.kimvanwilgen.com

  23. DAST Dynamic Application Security Testing Tools: https://www.owasp.org/index.php/Category:Vulnerability_Scanning _Tools We use Nessus, Sentinel and ZAP + Tests the application at runtime, realistic view - More complex, harder to track, needs a running instance (late feedback, limitedly scalable, slow) Continuous security @kimvanwilgen | www.kimvanwilgen.com

  24. Continuous security @kimvanwilgen | www.kimvanwilgen.com Dependency checks Eliminate known vulnerabilities Vulnerable libraries We use Jfrog Xray Alternatives • SonaType • OWASP dependency checker • Semmle (variant analysis) 24

  25. Licensing threat assessment Continuous security @kimvanwilgen | www.kimvanwilgen.com

  26. Evil user stories As a Malicious Hacker, I want to gain access to all repositories so that I can look for vulnerabilities and secrets and destroy their entire business. Continuous security @kimvanwilgen | www.kimvanwilgen.com

  27. Secure Defensible coding infrastructure Situational Supporting way awareness of working DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  28. Immutable infrastructure Continuous security @kimvanwilgen | www.kimvanwilgen.com

  29. @kimvanwilgen | www.kimvanwilgen.com Continuous security One of the benefits of using containers, especially in microservices-based applications, is they make it easier to secure applications via runtime immutability — or never- changing — and applying least-privilege principles that limit what a container can do. Tsvi Korren - Chief Solutions Architect at Aqua Security

  30. Continuous security @kimvanwilgen | www.kimvanwilgen.com Immutable infrastructure mindset • Scan infrastructure scripts against the security policy • Configuration and patches are code changes • Apply least privilege principles • Apply pervasive visibility • Systematic workload re-provisioning – difficult to persist across rebuilds Source: Gartner report on cloud security

  31. Continuous security @kimvanwilgen | www.kimvanwilgen.com Testing the infrastructure Compare the infrastructure with CIS best practices, eg admin account, encryption and patch level • Hardening your system with feedback in the pipeline • Auditable approval process of deviations through pull request @securityteam

  32. Secure Defensible coding infrastructure Situational Supporting way awareness of working DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  33. Have security champions Continuous security @kimvanwilgen | www.kimvanwilgen.com

  34. Don’t eliminate all risk Continuous security @kimvanwilgen | www.kimvanwilgen.com

  35. Alignment of security and business value Continuous security @kimvanwilgen | www.kimvanwilgen.com

  36. Learn and adapt first before you break the build Continuous security @kimvanwilgen | www.kimvanwilgen.com

  37. Continuous security @kimvanwilgen | www.kimvanwilgen.com Application Security Verification Standard Unrelevant / Sast / Dast / RAST / other Train for risks we can’t automate

  38. Fix your vulnerabilities Continuous security @kimvanwilgen | www.kimvanwilgen.com

  39. I’ve added over a 100 security rules in SonarQube and sent the top 10 screwups to the team. We sat down and discussed them. They are more aware now. I enabled a dependency check. We had 550 vulnerabilities. We solved more than half by removing an obsolete dependency in the test framework for Opera testing. We ran some critical upgrades. Now we have 17. Continuous security @kimvanwilgen | www.kimvanwilgen.com

  40. Security upfront Continuous security @kimvanwilgen | www.kimvanwilgen.com

  41. Secure Defensible coding infrastructure Situational Supporting way awareness of working DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  42. Automate security Check for logical flaws manually, educate and features and scan against raise context awareness bugs and vulnerabilities

  43. Train for the basics Continuous security @kimvanwilgen | www.kimvanwilgen.com

  44. Contextual awareness Continuous security @kimvanwilgen | www.kimvanwilgen.com

  45. Hack yourself first too Chaos Engineering: Make rare events regular Continuous security @kimvanwilgen | www.kimvanwilgen.com

  46. Continuous security @kimvanwilgen | www.kimvanwilgen.com “Think as an offender will show the real threats of your application and grow awareness from finding out how easy it is.” Troy Hunt, MVP for developer security and creator of ‘Have I been PWNED”

  47. “Did you check the cake for hard and sharp objects before bringing this inside?” Red teaming Continuous security @kimvanwilgen | www.kimvanwilgen.com

  48. Continuous security @kimvanwilgen | www.kimvanwilgen.com Trusted source and lowering our fences

  49. Config as code Immutability SAST Test against DAST CIS config Defensible Dep.check Secure CDN Licensing infrastructure coding SIEM Evil stories Supporting SecLead Situational Train Value based Raise way of awareness Start small awareness working Adapt to context Hack yourself Fix issues Red teaming Detect change Version control DecSecOps model Continuous security @kimvanwilgen | www.kimvanwilgen.com

  50. Continuous security @kimvanwilgen | www.kimvanwilgen.com Sources https://sdtimes.com/developers/gartners-guide-to-successful-devsecops/ https://cybersecurity.isaca.org/static-assets/documents/State-of-Cybersecurity-part- 2-infographic_res_eng_0517.pdf https://www.sans.org/reading-room/whitepapers/critical/continuous-security- implementing-critical-controls-devops-environment-36552 10 Things to Get Right for SuccessfulDevSecOps, Gartner, 2017, IDG00341371 https://www.gartner.com/doc/reprints?id=1-4TI72Y2&ct=180320&st=sb https://www.thoughtworks.com/radar/techniques https://www.mmc.com/content/dam/mmc-web/Global-Risk-Center/Files/MMC- Cyber-Handbook_2016-web-final.pdf Reimagining Security and IT Resilience for a Cloud-Native DevSecOps World, Gartner, 2018

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT

Continuous Security in DevOps https://jvehent.github.io/continuous-security-talk/?print-pdf#/ CONTINUOUS SECURITY CONTINUOUS SECURITY IN THE DEVOPS WORLD IN THE DEVOPS WORLD JULIEN VEHENT JULIEN VEHENT MOZILLA SECURITY MOZILLA SECURITY

724 views • 49 slides
#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and

#MicroFocusCyberSummit Shifting Security Left Bringing security into continuous integration and delivery Brenton Scott Witonski <>< , Acxiom Brandon Spruth, Target Lucas von Stockhausen, Fortify #MicroFocusCyberSummit WHY ARE YOU

711 views • 44 slides
Continuous Application Security Testing Presented by:

Continuous Application Security Testing Presented by:

W14 Security Testing Wednesday, October 23rd, 2019 3:00 PM Continuous Application Security Testing Presented by: Josh Gibbs

306 views • 4 slides
NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations FISSEA 27 th Annual Conference Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and

353 views • 31 slides
Continuous Probability 3 2 Continuous Probability Motivation I Sometimes you cant model

Continuous Probability 3 2 Continuous Probability Motivation I Sometimes you cant model

Continuous Probability 3 2 Continuous Probability Motivation I Sometimes you cant model things discretely. Random real numbers. Points on a map. Time. Probability space is continuous . What is an event in continuous probability?

75 views • 7 slides
CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous

CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous

CRA Cyber-Security Collaborative Research Alliance: MACRO: Models for Enabling Continuous Reconfigurability of Secure Missions Prof. Patrick McDaniel Initial Feedback Meeting ARL - Adelphi, MD October 15th, 2013 CRA: Models for Enabling

435 views • 7 slides
Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like -

Continuous Kubernetes Security @sublimino and @controlplaneio Im: - Andy - Dev-like - Sec-ish - Ops-y Is this Kubernetes cluster secure? EPIC FAIL GIF How secure is Kubernetes? What this Kubernetes talk is about Common Pwns

1.18k views • 113 slides
Continuous Security Monitoring Techniques for Energy Delivery Systems Adam Hahn, Armin Rahimi,

Continuous Security Monitoring Techniques for Energy Delivery Systems Adam Hahn, Armin Rahimi,

Continuous Security Monitoring Techniques for Energy Delivery Systems Adam Hahn, Armin Rahimi, Mathew Merrick, Kudrat Kaur Washington State University CREDC Industry Workshop March 27-29, 2017 Funded by the U.S. Department of Energy and the

488 views • 17 slides
. ..? Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map

. ..? Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map

Continuous Improvement Toolkit Interviews . ..? Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing Deciding & Selecting Planning & Project Management* Risk PDPC Decision Balance Sheet

414 views • 10 slides
Chapter 5 Continuous Random Variables Continuous Probability Distributions Continuous Probability

Chapter 5 Continuous Random Variables Continuous Probability Distributions Continuous Probability

Chapter 5 Continuous Random Variables Continuous Probability Distributions Continuous Probability Distribution areas under curve correspond to probabilities for x Area A corresponds to the probability that x lies between a and b Do you see

633 views • 28 slides
CONTINUOUS IMPROVEMENT PROCESS 1 Continuous Improvement 2016 ESSA replaces NCLB

CONTINUOUS IMPROVEMENT PROCESS 1 Continuous Improvement 2016 ESSA replaces NCLB

VERMONT STATE PLAN OVERVIEW SESSION 1: INTRODUCTION TO EQR, ESSA AND CONTINUOUS IMPROVEMENT What is EQS? What is ESSA? How will life be different under ESSA? Continuous Improvement vs Accountability CONTINUOUS IMPROVEMENT PROCESS 1

529 views • 25 slides
1 Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing

1 Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing

Continuous Improvement Toolkit Best Practices 1 Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing Selecting & Decision Making Planning & Project Management* Risk PDPC Break-even Analysis

764 views • 24 slides
Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration

Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration

Continuous Delivery of Debian packages Michael Prokop Terminology Continuous Integration well known from software development Continuous Deployment Q/A criteria says OK? Ship/deploy! Continuous Delivery release whenever

526 views • 48 slides
Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution

Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution

Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution (Continuous) 1.10.4-5 Exponential and Gamma Distributions: Distance between crossovers Prof. Tesler Math 283 Fall 2015 Prof. Tesler Continuous

473 views • 24 slides
Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution

Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution

Continuous Distributions 1.8-1.9: Continuous Random Variables 1.10.1: Uniform Distribution (Continuous) 1.10.4-5 Exponential and Gamma Distributions: Distance between crossovers Prof. Tesler Math 283 Fall 2019 Prof. Tesler Continuous

489 views • 33 slides
Continuous Improvement Toolkit Graphical Analysis Continuous Improvement Toolkit .

Continuous Improvement Toolkit Graphical Analysis Continuous Improvement Toolkit .

Continuous Improvement Toolkit Graphical Analysis Continuous Improvement Toolkit . www.citoolkit.com The Continuous Improvement Map Managing Deciding & Selecting Planning & Project Management* Risk PDPC Decision Balance Sheet

547 views • 37 slides
Feasibility study of TULIP: a TUrning LInac for Protontherap LInac for Protontherapy ICTR ICTR-

Feasibility study of TULIP: a TUrning LInac for Protontherap LInac for Protontherapy ICTR ICTR-

Feasibility study of TULIP: a TUrning LInac for Protontherap LInac for Protontherapy ICTR ICTR- -PHE 2012 Conference PHE 2012 Conference 28.02.2012 A. Degiovanni U. Amaldi, M. Garlasch, K. Kraus, P. Magagnin, U. Oelfke, P. Posocco, P.

193 views • 16 slides
THE KEY TO Psalm 4:7 "You have filled my heart with greater joy than when their grain and

THE KEY TO Psalm 4:7 "You have filled my heart with greater joy than when their grain and

THE KEY TO Psalm 4:7 "You have filled my heart with greater joy than when their grain and new wine abound." Psalm 4:8 I will lie down and sleep in peace, for you alone, O LORD, make me dwell in safety. Psalm 100:1-2 A psalm. For

544 views • 29 slides
Torsion-free abelian groups in (descriptive) set theory Arctic set theory workshop 4, Kilpisj

Torsion-free abelian groups in (descriptive) set theory Arctic set theory workshop 4, Kilpisj

Torsion-free abelian groups in (descriptive) set theory Arctic set theory workshop 4, Kilpisj arvi Filippo Calderoni University of Turin Set theory and abelian groups Set theoretic methods are the main tools to prove some results on

929 views • 46 slides
Text analytics, NLP, and accounting research 2019 November 15 Dr. Richard M. Crowley

Text analytics, NLP, and accounting research 2019 November 15 Dr. Richard M. Crowley

Text analytics, NLP, and accounting research 2019 November 15 Dr. Richard M. Crowley rcrowley@smu.edu.sg http://rmc.link/ 1 Foundations 2 . 1 What is text analytics? Extracting meaningful information from text This could be as simple

685 views • 26 slides
Human-Computer Interaction Round 8 From Tapworthy 1 3/7/2012 Today Universal design

Human-Computer Interaction Round 8 From Tapworthy 1 3/7/2012 Today Universal design

3/7/2012 Human-Computer Interaction Round 8 From Tapworthy 1 3/7/2012 Today Universal design highlights Exercise Graphic design Exercise discussion Mid-term course evaluations Research papers I7: Design Due in two

708 views • 35 slides
Radiation, Magnetic Fields and Turbulence E. Falgarone LERMA, ENS & Observatoire de Paris

Radiation, Magnetic Fields and Turbulence E. Falgarone LERMA, ENS & Observatoire de Paris

Radiation, Magnetic Fields and Turbulence E. Falgarone LERMA, ENS & Observatoire de Paris Gyration radius of particle (mass Am p , energy per nucleon E n ) in a magnetic field B : R = 3 . 3 10 12 cm E n (GeV) B ( G) A Protons in the ISM

422 views • 38 slides
2D and 3D visualization of OpenStreetMap Data Candan Eyll Kilsedar 1 , Jakub Balhar 2 , Maria

2D and 3D visualization of OpenStreetMap Data Candan Eyll Kilsedar 1 , Jakub Balhar 2 , Maria

2D and 3D visualization of OpenStreetMap Data Candan Eyll Kilsedar 1 , Jakub Balhar 2 , Maria Antonia Brovelli 1 , Patrick Hogan 3 1 Politecnico di Milano, Department of Civil and Environmental Engineering, Milano, Italy, 2 Gisat s.r.o., Prague,

328 views • 16 slides
Analytic modeling of subhalo evolution and annihilation boost Shinichiro Ando U. Amsterdam /

Analytic modeling of subhalo evolution and annihilation boost Shinichiro Ando U. Amsterdam /

Halo Substructure and Dark Matter Searches Madrid, 27 June 2018 Analytic modeling of subhalo evolution and annihilation boost Shinichiro Ando U. Amsterdam / U. Tokyo Annihilation boost L ( M ) = [1 + B sh ( M )] L host ( M ) 1 Z dmdN B

606 views • 39 slides

More recommend