A Journey of Chutes & Ladders: Real World Ups and Downs of Migrating to the Cloud & Securing Applications
• Rory McEntee, Director of App Sec, SAP Concur
• Scott Ward, Principal Solutions Architect, Amazon Web Services
• Jeff Williams, Co-Founder & CTO, Contrast Security
CONTRASTSECURITY.COM © 2019 COMPANY CONFIDENTIAL
The Average Application Is Extremely Vulnerable
• 71% unused libraries
• 8% used libraries
• 21% custom code
• 26.7 vulnerabilities
• 2 vulnerabilities
Source: www.helpnetsecurity.com
Source: http://www.ptsecurity.com
You Are Under Attack
AppSec Meets Modern Software: Impossible Economics
[Chart: "Huge risk". Labels: specialized security staff, security tools budget, more code faster, applications to run the business, time]
DevSecOps Is Very Promising
DevOps:
1. Establish work flow
2. Ensure instant feedback
3. Culture of experimentation
DevSecOps:
1. Establish security work flow
2. Ensure instant security feedback
3. Build a security culture
About SAP Concur
Rory McEntee,
Director, Product Security
Our Journey: The Start → Increased Velocity → Security Challenge → Secure by Design → And it Continues
Key Drivers
Business drivers
• Improve security posture
• Maximize developer time with meaningful findings
Technology drivers
• Ease of use is paramount
• SDLC workflow fit is important
• Ability to automate and scale
• Reduce the surprise factor
Economic driver
• Total cost of ownership is important
Limitations of Static & Dynamic Tools in a Modern DevOps World
SAST:
• Code scanning
• Whitebox testing
• Point in time
DAST:
• From the outside
• Blackbox testing
• Expertise required for test creation
Traditional legacy approaches are not enough in today’s environment
Why We Chose Contrast Security for IAST
• Provide an easy way to write secure code
• Greater accuracy
• Integrations
• Ability to scale
• Inventory and secure the software supply chain
• Holistic view of custom code & libraries
Shifting Security Further to the Left within the SDLC (“Shift Left”)
Shared (Security) Responsibility
Security:
• Threat modeling
• Security testing
• Triaging
• Developer education
• Governance & compliance
Development:
• Scope
• Design
• Code
• Test
• Release
Collaborative culture
There’s No Silver Bullet to Security
Move Fast & Stay Secure
• Automate with deeply integrated security services
• Scale with superior visibility and control
• Largest network of security partners and solutions
• Inherit global security and compliance controls
• Highest standards for privacy and data security
Business Imperatives: Competing Forces
• Development: build it faster
• Operations: keep it stable
• Security: make it secure
[Figure: DevOps pipeline (Build → Test → Distribute → Monitor) running from Developers to Users; DevSecOps adds Security across the same pipeline]
Why DevSecOps
Security & Compliance of the Code in the Pipeline
Pipeline stages: Pre Commit → Commit → Acceptance → Deploy, with Continuous Compliance spanning all stages (Security, Compliance, CI/CD, DevOps)
Activities across the stages:
• Threat modeling
• Initial *AST inside IDE
• Code review
• “Break the build”
• Compile/build checks
• SCA
• Container security
• Additional *AST
• Unit test
• Secure infra build
• Functional testing
• SCA, *AST
• Unit testing
• Security attacks
• Detailed *AST
• Fuzzing, pen tests
• Provision runtime environment
• Config management
• RASP
Shared Responsibility Model
• AWS is responsible for the security OF the Cloud
• Customers have their choice of security configurations IN the Cloud
• AWS customers control their own security policy
Cloud & Security Migration Journey High Points
Move fast AND stay secure
Recap
Next Steps
• CONCUR: https://www.concur.com
• AWS: https://aws.amazon.com/security/
• Contrast Security: https://www.contrastsecurity.com/contrast-community-edition
https://aws.amazon.com/marketplace/pp/B07T9GRPPG
Q&A
Thank You
Chutes & Ladders
PLACEHOLDER SLIDE: Rory to help provide content
• Key Stakeholders
• Compliance & Regulations
• Shared Security Responsibility
Architecture & Roadmap
Contrast Security TeamServer deployed in AWS
Steps to Success – Implementation Roadmap
Timeline: Mar (done), Apr, May, Jun
Build:
• TeamServer implementation
• Single Sign On
• CTE app on Faraday cloud instrumented
• Jira integration
• Launch internal collateral
Train:
• Lunch and Learn
• Onsite training
• KPIs and reporting
• Vulnerability management workflow with CTE
• Current & future state workflow mapping
Scale:
• CI/CD integration
• Automatic ticket creation
• Instrument Chorus DT and TMC services
• Leverage OSS
• Developer training
Systematize:
• CI/CD integration
• Vulnerability management for the next apps
• Deliver policy compliance reporting
• Developer training
Replicate:
• Onboard next in line apps
• OSS
• Developer training
Maybe slide about Concur’s journey to AWS comes here?
Contrast and Faraday
Post provisioner
• Downloads Contrast .NET agent from Artifactory
• Sets up config files
• Runs Contrast .NET agent installer
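The three post-provisioner steps above, written out as a PowerShell script. This is an added example, not SAP Concur's Faraday provisioner or Contrast's own tooling: the Artifactory URL, the API-key header, the installer file name and its `/quiet` switch, the config directory, the file permissions and the environment-variable names are all assumptions or placeholders, and the YAML keys are assumed to follow the Contrast agent's `contrast_security.yaml` layout. Two checks a defender would want are added on top of the slide's steps: the downloaded installer is verified against a pinned SHA-256 before it is executed, and the config file (which holds agent credentials) is locked down to administrators.

```powershell
# Added example (not SAP Concur's or Contrast Security's code): post-provisioner step that
# 1) downloads the Contrast .NET agent installer from Artifactory, 2) writes the agent
# config file, 3) runs the installer. All URLs, paths, switches and the hash are placeholders.
$ErrorActionPreference = 'Stop'

$ArtifactoryUrl = 'https://artifactory.example.internal/artifactory/contrast-local/ContrastSetup.exe'  # assumed
$ExpectedSha256 = '<SHA256-OF-APPROVED-INSTALLER>'   # placeholder: pin from the approved build
$InstallerPath  = Join-Path $env:TEMP 'ContrastSetup.exe'
$ConfigDir      = 'C:\ProgramData\Contrast\dotnet'     # assumed location
$ConfigPath     = Join-Path $ConfigDir 'contrast_security.yaml'

# Secrets come from the provisioner's secret store via environment, never from the script
foreach ($name in 'ARTIFACTORY_API_KEY','CONTRAST_URL','CONTRAST_API_KEY','CONTRAST_SERVICE_KEY','CONTRAST_USER_NAME','DEPLOY_ENVIRONMENT') {
    if (-not (Get-Item "Env:$name" -ErrorAction SilentlyContinue)) { throw "$name is not set" }
}

# Step 1: download the agent installer from Artifactory (X-JFrog-Art-Api is Artifactory's API-key header)
Invoke-WebRequest -Uri $ArtifactoryUrl -OutFile $InstallerPath -Headers @{ 'X-JFrog-Art-Api' = $env:ARTIFACTORY_API_KEY }

# Verify the download against the pinned hash before executing anything from it
$actual = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpper()) {
    Remove-Item $InstallerPath -Force
    throw "Installer hash mismatch: expected $ExpectedSha256, got $actual"
}

# Step 2: set up the config file (keys assumed to match the Contrast agent YAML schema)
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
@"
api:
  url: $($env:CONTRAST_URL)
  api_key: $($env:CONTRAST_API_KEY)
  service_key: $($env:CONTRAST_SERVICE_KEY)
  user_name: $($env:CONTRAST_USER_NAME)
server:
  environment: $($env:DEPLOY_ENVIRONMENT)
"@ | Set-Content -Path $ConfigPath -Encoding UTF8

# The file holds credentials: drop inherited ACLs and grant only Administrators and SYSTEM
icacls $ConfigPath /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null

# Step 3: run the installer silently (the /quiet switch is an assumption; check the vendor docs)
$proc = Start-Process -FilePath $InstallerPath -ArgumentList '/quiet' -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "Agent installer exited with code $($proc.ExitCode)" }
```

Pinning the installer hash turns the Artifactory download into a supply-chain check rather than a blind fetch: if the artifact in the repository is replaced, the provisioner fails closed instead of installing whatever it found. Keep the expected hash in the provisioner's source control next to the script so that changing it goes through code review.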
4. SECURE BY DESIGN
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 

Recently uploaded (20)

Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 

SAP Concur’s Cloud Journey

  • 1. A Journey of Chutes & Ladders: Real World Ups and Downs of Migrating to the Cloud & Securing Applications. Speakers: Rory McEntee, Director of App Sec, SAP Concur; Scott Ward, Principal Solutions Architect, Amazon Web Services; Jeff Williams, Co-Founder & CTO, Contrast Security.
  • 2. The Average Application Is Extremely Vulnerable (CONTRASTSECURITY.COM © 2019 COMPANY CONFIDENTIAL). Chart: 71% unused libraries, 8% used libraries, 21% custom code; 26.7 vulnerabilities vs. 2 vulnerabilities. Source: www.helpnetsecurity.com
  • 3. You Are Under Attack. Source: http://www.ptsecurity.com
  • 4. AppSec Meets Modern Software: Impossible Economics. Chart of applications to run the business vs. time: more code, faster; specialized security staff and security tools budget flat; huge risk.
  • 5. DevSecOps Is Very Promising. DevOps: 1. Establish work flow, 2. Ensure instant feedback, 3. Culture of experimentation. DevSecOps: 1. Establish security work flow, 2. Ensure instant security feedback, 3. Build a security culture.
  • 6. About SAP Concur. Rory McEntee, Director, Product Security.
  • 7. Our Journey: The Start; Increased Velocity; Security Challenge; Secure by Design; And It Continues.
  • 8. Key Drivers. Business drivers: improve security posture; maximize developer time with meaningful findings. Technology drivers: ease of use is paramount; SDLC workflow fit is important; ability to automate and scale; reduce the surprise factor. Economic driver: total cost of ownership is important.
  • 9. Limitations of Static & Dynamic Tools in a Modern DevOps World. SAST: code scanning; whitebox testing; point-in-time. DAST: from the outside; blackbox testing; expertise required for test creation. Traditional legacy approaches are not enough in today's environment.
  • 10. Why We Chose Contrast Security for IAST: provides an easy way to write secure code; greater accuracy; integrations; ability to scale; inventory and secure the software supply chain; holistic view of custom code & libraries.
  • 11. "Shift Left": shifting security further to the left within the SDLC.
  • 12. Shared (security) responsibility and a collaborative culture. Security: threat modeling; security testing; triaging; developer education; governance & compliance. Development: scope; design; code; test; release.
  • 13. There's No Silver Bullet to Security.
  • 14. Move Fast & Stay Secure: automate with deeply integrated security services; scale with superior visibility and control; largest network of security partners and solutions; inherit global security and compliance controls; highest standards for privacy and data security.
  • 15. Why DevSecOps. Business imperatives, competing forces: Development (build it faster), Operations (keep it stable), Security (make it secure). DevOps pipeline from developers to users: build, test, distribute, monitor. DevSecOps: the same pipeline with security running across every stage.
  • 16. Security & Compliance of the Code in the Pipeline (CI/CD, DevOps, security, compliance). Stages: pre-commit, commit, acceptance, deploy, with continuous compliance throughout. Activities across the stages: threat modeling; initial *AST inside the IDE; code review; "break the build"; compile/build checks; SCA; container security; additional *AST; unit tests; secure infra build; functional testing; security attacks; detailed *AST; fuzzing and pen tests; provisioning the runtime environment; config management; RASP.
  • 17. Shared Responsibility Model. AWS is responsible for the security OF the cloud; customers have their choice of security configurations IN the cloud and control their own security policy.
  • 18. Cloud & Security Migration Journey High Points: move fast AND stay secure.
  • 19. Recap.
  • 20. Next Steps. CONCUR: https://www.concur.com; AWS: https://aws.amazon.com/security/; Contrast Security: https://www.contrastsecurity.com/contrast-community-edition and https://aws.amazon.com/marketplace/pp/B07T9GRPPG
  • 21. Q&A.
  • 23. Chutes & Ladders (PLACEHOLDER SLIDE, Rory to help provide content): key stakeholders; compliance & regulations; shared security responsibility.
  • 24. Architecture & Roadmap: Contrast Security TeamServer deployed in AWS.
  • 25. Steps to Success – Implementation Roadmap (Mar, done; Apr; May; Jun). Build: TeamServer implementation; single sign-on; CTE app on Faraday cloud instrumented; Jira integration; launch internal collateral. Train: lunch and learn; onsite training; KPIs and reporting; vulnerability management workflow with CTE; current & future state workflow mapping. Scale: CI/CD integration; automatic ticket creation; instrument Chorus DT and TMC services; leverage OSS; developer training. Systematize: CI/CD integration; vulnerability management for the next apps; deliver policy compliance reporting; developer training. Replicate: onboard next-in-line apps; OSS; developer training.
  • 26. Maybe a slide about Concur's journey to AWS comes here? (placeholder)
  • 27. Contrast and Faraday. Post-provisioner: downloads the Contrast .NET agent from Artifactory; sets up config files; runs the Contrast .NET agent installer.
  • 28. Contrast and Faraday. Post-provisioner: downloads the Contrast .NET agent from Artifactory; sets up config files; runs the Contrast .NET agent installer.
  • 29. 4. Secure by Design.

Editor's Notes

  1. At first we started with just instrumenting our own instances of Faraday. We'd instrument the big app, do our usual pentest things, spider the pages we could crawl. We were able to uncover some very interesting and valuable findings that had previously gone undiscovered, even after years of beating up the big app. The next step for us was to roll this out to everyone's instance of Faraday. That was easy to do with Faraday's post-provision process. Whenever you run `faraday post-provision` to set up your new cloud instance, a bunch of PowerShell scripts get fired off in the. Teams can add their own provisioner scripts to do just about anything: install more tools, tweak configs, run automation, you name it. Working closely with the Faraday team, we did our own automation that allows instrumenting the big app with the Contrast .NET agent. This post-provisioner simply downloads the .NET agent from Artifactory, pulls some config files and sets things up, then runs the agent installer in headless mode. It's as easy as that, and our post-provisioner will be part of the core set of post-provisioners very soon. Every team that uses Faraday is now a consumer of Contrast, and is contributing to our code security coverage by doing their normal day-to-day development and testing.
  3. Look, onboarding with Contrast is not very difficult. The thing for us is really about scale and automation. We had been using Contrast for a little while, onboarding sub-parts of our massive app steadily. Now we had to ramp it up and automate. Our goal here was Just a bit of background - all of our .NET code hangs out on IIS. The Contrast .NET agent is point and click: run the wizard. To automate the process, we just ran it in headless mode. The Contrast agent instruments all code running under that IIS instance, so any projects there are automatically instrumented. At this point we have a fully automated implementation of the Contrast agent which would take just a few seconds to install, and the results start streaming in almost instantaneously. The next challenge was: how can we capture all teams' projects, all integration testing, and really maximize code coverage? The answer for us is Faraday, which is the internal project name for what we do with AWS services. <<Lightweight explanation for Faraday>> <NEXT SLIDE>
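The post-provisioner described on slides 27/28 and in the notes above (download the .NET agent from Artifactory, set up the config, run the installer headless), sketched as an added PowerShell example; this is not SAP Concur's or the Faraday team's script. The Artifactory URL, the pinned SHA-256, the installer's silent-mode switches, the config directory and the config file keys are all placeholders or assumptions to be checked against the vendor's documentation.

```powershell
# Added example: a Faraday-style post-provisioner step that installs the
# Contrast .NET agent on an IIS instance. Not SAP Concur's script; every URL,
# hash, path and installer switch below is a placeholder or assumption.
param(
    [string]$ArtifactoryUrl = "https://artifactory.example.internal/contrast/dotnet-agent.exe", # placeholder
    [string]$ExpectedSha256 = "<PINNED-SHA256-OF-APPROVED-AGENT-BUILD>",                          # placeholder
    [string]$InstallerArgs  = "<SILENT-INSTALL-SWITCHES-PER-VENDOR-DOCS>",                        # placeholder
    [string]$ConfigDir      = "C:\ProgramData\Contrast\dotnet",                                    # assumption
    [string]$TeamServerUrl  = "https://teamserver.example.internal/Contrast"                       # placeholder
)
$ErrorActionPreference = "Stop"

# 1. Download the agent from the internal artifact store, not from the public internet.
$installer = Join-Path $env:TEMP "contrast-dotnet-agent.exe"
Invoke-WebRequest -Uri $ArtifactoryUrl -OutFile $installer -UseBasicParsing

# 2. Supply-chain check: install only the pinned, reviewed build. A mismatch means the
#    artifact in Artifactory is not the one that was approved, so stop the provisioning run.
$actual = (Get-FileHash -Path $installer -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Item $installer -Force
    throw "Agent hash mismatch: expected $ExpectedSha256, got $actual. Aborting install."
}

# 3. Set up the config. Credentials are injected by the provisioning secret store into the
#    environment, never committed with the provisioner. (YAML key names are assumed.)
$apiKey     = $env:CONTRAST_API_KEY
$serviceKey = $env:CONTRAST_SERVICE_KEY
$userName   = $env:CONTRAST_USER_NAME
if (-not ($apiKey -and $serviceKey -and $userName)) {
    throw "Contrast credentials missing from the environment; refusing to write config."
}
New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
$config = @"
api:
  url: $TeamServerUrl
  api_key: $apiKey
  service_key: $serviceKey
  user_name: $userName
application:
  name: $env:COMPUTERNAME-faraday
server:
  environment: development
"@
$configPath = Join-Path $ConfigDir "contrast_security.yaml"
Set-Content -Path $configPath -Value $config -Encoding UTF8
# The file now holds API keys: strip inherited ACLs so only SYSTEM and Administrators read it.
icacls $configPath /inheritance:r /grant:r "SYSTEM:(R)" "BUILTIN\Administrators:(F)" | Out-Null

# 4. Run the installer headless and fail the provisioning run if it fails, so an
#    instance never silently ends up without instrumentation.
$proc = Start-Process -FilePath $installer -ArgumentList $InstallerArgs -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "Contrast agent installer exited with code $($proc.ExitCode)."
}
Remove-Item $installer -Force

# 5. Recycle IIS so the agent is loaded into every app pool on this instance.
& iisreset /restart | Out-Null
Write-Host "Contrast .NET agent installed; config written to $configPath"
```

Run as an elevated provisioner step after IIS and the application are deployed; the hash check is what keeps a tampered or accidentally upgraded agent in Artifactory from being rolled out to every instance.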