Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
THE CISO'S CHALLENGES: Risk management and compliance in a software development company

Who Am I?
Mandy Andress: CISO, Advisor, Board Member
What are we going to talk about today
• Overview of CISO daily challenges
• Information Security Risk Landscape in 2024
• Information Security Strategic Business Impacts
• CISO Daily Challenges in Practice
• Q&A Session
Information Security Risk Landscape in 2024
• Current Threats on the Rise: Ransomware, phishing, software supply chain attacks
• Emerging Technologies: AI-powered automated vulnerability discovery, sophisticated "deepfake" phishing, IoT vulnerabilities
• Regulatory Changes: Always ever-changing, but even more so with emerging technologies and evolving global data privacy laws
A Day in the Life of a CISO
CISO Job
CISO Mind Map: An Overview of The Responsibilities and Ever Expanding Role of The CISO
• Business Enablement
• Project Delivery Lifecycle
• Security Architecture
• Compliance and Audits
• Legal & Human Resources
• Budget
• Selling InfoSec (Internal)
• Security Operations
• Identity Management
• Risk Management
• Governance
• Merger/Acquisition
• Cloud Computing
• Mobile Technology
• Threat Prevention
• Threat Detection
• Incident Management
• Process
CISO Daily Challenges in Practice
Our Goal: To continually reduce risk to the appetite level of our organization
The Challenge: Battling all responsibility fronts when you only have two hands!
CISO Daily Challenges in Practice
The Strategy: Prioritize, Prioritize, Prioritize. Continually!
The Tactics: Utilizing every resource and tool out there to do that
CISO Daily Challenges in Practice
The Prioritizing CISO Mindset: The Methodology
• Keeping all of our stakeholders content (business, engineering, compliance, and many more)
• Maximizing "Risk ROI":
  • In terms of number of issues fixed per effort
  • In terms of business impact / application impact over resources used
Information Security Strategic Business Impacts
• Equifax, 2017, 147 million Americans: Massive data breach exposing the personal information of 147 million Americans, severely damaging brand reputation and trust.
• Marriott International, 2018, 500 million guests: Estimated damages exceeding $10 billion, targeting critical infrastructure and causing widespread data loss and system disruptions.
• Yahoo, 2014, 3 billion accounts: Massive data breach compromising 3 billion accounts, eroding user trust and leading to a steep decline in market value.
• Target, 2013, 40 million credit cards: Data breach of 40 million credit and debit cards, triggering investigations and damaging customer confidence.
Reputation Loss:
"It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it." (Stephane Nappo, Global Head of Information Security for Société Générale International Banking)
Stay Resilient! Perseverance is Protection
• The ever-shifting domain of information security demands both vigilance and strategic action
• Security is not a one-time endeavor, but an ongoing journey
• By consistently prioritizing proactive defense we can make software development that is trustworthy, resilient, and protected
SOFTWARE SUPPLY CHAIN RISK MANAGEMENT
What can we do better?

Who Am I?
Yoad Fekete
• A DevOps enthusiast turned avid DevSecOps supporter.
• Formerly at Prime Minister's Office Elite Unit, Samsung Next, Microsoft.
• Founded next-gen SCA company Myrror Security.
• Cat Lover (Yes, Dogs as well).
• Musician, when life allows.
• Weird last name (which means "Black" in Hungarian).
What are we going to talk about today
• Dependency Vulnerability Risk & Prioritization
• Attack Risk & Detection
• Managing Software Supply Chain Risk
• The XZ malware - How we can detect that - DEMO
• Q&A Session
Supply Chain as an Attack Surface
"Open source libraries are the foundation for literally every application in every industry." (Source: The Open Source Security & Risk Analysis (OSSRA) Report)
The challenge: Rising above the noise and yet zeroing in on the critical
• The supply chain serves as a significant attack surface in the development & deployment phases
• Increased OSS Usage (>90% of companies use OSS, 80% of the code is Open Source)
[Figure: SDLC phases: Analysis, Design, Development, Testing, Deployment, Maintenance]
Vulnerabilities / Attacks
Two main risk vectors we must consider to secure our SSC:
A vulnerability:
• A non-deliberate mistake (aside from very specific sophisticated attacks)
• Identified by a CVE
• Recorded in public databases
• Defense possible before exploitation
• Includes both regular vulns and zero-day ones
Example: Log4Shell is a vulnerability
A supply chain attack:
• A deliberate malicious activity
• Lacks specific CVE identification
• Untracked by standard SCAs and public DBs
• Typically already attempted to be exploited
Example: SolarWinds is a supply chain attack
Implementing CTEM for our Software Supply Chain
5 steps in the Cycle of Continuous Threat Exposure Management
"By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach."
1. Scoping: our Software Assets
2. Discovering Risks: Vulnerabilities and Attacks
3. Prioritization
4. Remediation: Comprise a robust remediation plan
5. Validation: Monitor your code base constantly to validate your Reachability, Exploitability, Impact, Fix availability
Vulnerabilities and Beyond
Scoping & Discovery
How Scoping & Discovery is Being Done Today - SCA
Challenges: Navigating False Positives, Alert Fatigue, and Code Attack Blindness
Analyzing Assets - Scanning SBOM / manifest files: a complete picture of direct & indirect dependencies' vulnerabilities is generated, but completeness is not always great.
[Figure: dependency tree: Application, then Direct Dependency, then Transitive Dependencies]
Alert Fatigue
Definition: Vulnerability Alert Fatigue is when application security professionals become desensitized to SCA vulnerability alerts, and are not sure which vulnerability to address first.
Flow: There are a lot of dependencies, and thus a lot of vulnerabilities; SCA platforms generate alerts for vulnerabilities; alert fatigue follows.
Graphics of an exhaustive list of alerts (Security Alerts):
Time | Description | Level | Rule ID
Mar 31, 2021 @ 17:32:39.401 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
Mar 31, 2021 @ 17:03:34.911 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (55) | 5 | 19003
Mar 30, 2021 @ 17:02:44.667 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
Mar 30, 2021 @ 16:33:56.221 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (55) | 5 | 19003
Mar 30, 2021 @ 08:52:39.351 | SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80% (56) | 5 | 19003
Code Attacks
742% YoY Increase In Attacks
61% of all U.S. businesses were directly impacted by SSC attacks between Apr '22 and April '23 (Gartner research)
Supply chain attack (Source: NIST CSRC https://csrc.nist.gov/glossary/term/supply_chain_attack): Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
Types Of Supply Chain Attacks
• Typosquatting
• Malicious Code in Repo
• Distribution Server Attacks
• Dependency Confusion
• CI/CD Attacks
• Maintainer Compromise
How to detect attacks
• Inspect the source code of the libraries for malicious code
• Verify the end compiled binary to ensure it matches the source code.
[Figure: SDLC phases: Analysis, Design, Development, Testing, Deployment, Maintenance]
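The second detection step on this slide, checking that what is shipped matches the source it claims to come from, can be mechanised as a manifest diff: hash every file in the tagged source tree and every file in the release archive, then flag files that exist only in the archive and files whose content differs. The following is an added example and not code from the talk or from Myrror Security; the two manifests, the file names and the allow-list of generated files are constructed for the illustration.

```python
import hashlib

# Constructed sample manifests (assumption): path -> file content. In practice each
# dict would come from walking the tagged VCS checkout and the unpacked release
# archive respectively; the comparison logic stays the same.
SOURCE_TREE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "m4/common.m4": b"dnl shared macros\n",
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 1; }\n",
}
RELEASE_ARCHIVE = {
    "configure.ac": b"AC_INIT([demo], [1.0])\n",
    "configure": b"#!/bin/sh\n# generated by autoconf\n",      # legitimately generated
    "m4/common.m4": b"dnl shared macros\n",
    "m4/extra-build.m4": b"dnl present only in the archive\n",  # not in the VCS tree
    "src/main.c": b"int main(void) { return 0; }\n",
    "src/util.c": b"int helper(void) { return 2; }\n",          # differs from the VCS tree
}

# Files the release process is expected to generate and that are not committed
# (assumption for this example). Anything else found only in the archive is flagged.
GENERATED_OK = {"configure"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest(files: dict) -> dict:
    """Map each path to the SHA-256 of its content."""
    return {path: sha256(content) for path, content in files.items()}


def compare(source: dict, archive: dict, generated_ok=GENERATED_OK) -> dict:
    """Diff the release archive against the source tree it claims to be built from."""
    src, arc = manifest(source), manifest(archive)
    only_in_archive = sorted(p for p in arc if p not in src and p not in generated_ok)
    only_in_source = sorted(p for p in src if p not in arc)
    modified = sorted(p for p in src if p in arc and src[p] != arc[p])
    # Extra or altered files in the shipped archive are the signal that needs a human
    # review; files missing from the archive are reported but do not fail the check.
    return {
        "only_in_archive": only_in_archive,
        "only_in_source": only_in_source,
        "modified": modified,
        "ok": not (only_in_archive or modified),
    }


if __name__ == "__main__":
    for key, value in compare(SOURCE_TREE, RELEASE_ARCHIVE).items():
        print(f"{key}: {value}")
```

The same comparison covers the compiled-binary half of the slide once the build is reproducible: rebuild the artifact from the verified source with the project's recipe and compare the resulting file hashes against the distributed binary in exactly this way.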
Rise Above The Noise with Prioritization
Achieving Relevance with Prioritization
To achieve relevance we regard four things:
• Exploitability: Is this vulnerability possible to exploit?
• Reachability: Is vulnerable code actually being used?
• Use case: What is the use case in the application?
• Fix available: Can we fix it?
Is a Fix Available?
[Figure: Application, then Direct Dependency, then Indirect Dependencies, then Vulnerable Function; fix?]
There's a vulnerability in the transitive function (like we see here), but do we have a version on the direct dependency that fixes it?
Easy Peasy? Direct Dependency Fix vs. Transitive Dependency Fix: upgrading all the vulnerable dependencies in one shot vs. one by one
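The question on this slide, whether some version of the direct dependency pulls in a fixed transitive, is answered by walking the dependency closure of each published version of the direct dependency and checking it against the open advisories. The code below is an added example, not the talk's or Myrror Security's code; the package index, the package names and the advisory identifiers are constructed placeholders, and the index pins exact versions so that the closure is deterministic.

```python
# Constructed package index (assumption): package -> version -> exact-pinned requirements,
# so the transitive closure of any version is deterministic.
INDEX = {
    "web-framework": {
        "3.0.0": {"log-lib": "2.0.1", "json-lib": "1.4.0"},
        "3.1.0": {"log-lib": "2.0.2", "json-lib": "1.4.0"},
        "3.2.0": {"log-lib": "2.1.0", "json-lib": "1.5.0"},
        "4.0.0": {"log-lib": "2.1.3", "json-lib": "1.5.0"},
    },
    "legacy-client": {
        "1.0.0": {"log-lib": "2.0.1"},
        "1.1.0": {"log-lib": "2.0.2"},  # every published version still pulls a vulnerable log-lib
    },
    "json-lib": {"1.4.0": {}, "1.5.0": {}},
    "log-lib": {"2.0.1": {}, "2.0.2": {}, "2.1.0": {}, "2.1.3": {}},
}

# Constructed advisories (placeholder ids): (advisory id, package, first fixed version).
ADVISORIES = [
    ("ADVISORY-EXAMPLE-1", "log-lib", "2.1.0"),
    ("ADVISORY-EXAMPLE-2", "json-lib", "1.5.0"),
]


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def closure(pkg: str, version: str, seen=None) -> dict:
    """All transitive dependencies of pkg@version as {name: pinned version}."""
    seen = {} if seen is None else seen
    for dep, pinned in INDEX[pkg][version].items():
        if dep not in seen:
            seen[dep] = pinned
            closure(dep, pinned, seen)
    return seen


def vulnerable_transitives(pkg: str, version: str) -> list:
    """Advisories that apply to anything in the transitive closure of pkg@version."""
    hits = []
    for dep, pinned in closure(pkg, version).items():
        for adv_id, name, fixed_in in ADVISORIES:
            if dep == name and parse_version(pinned) < parse_version(fixed_in):
                hits.append((adv_id, dep, pinned))
    return hits


def find_direct_fix(pkg: str, current: str):
    """Smallest version of the direct dependency, at or above the current one, whose
    closure carries no open advisory; None when no published version clears them."""
    for candidate in sorted(INDEX[pkg], key=parse_version):
        if parse_version(candidate) < parse_version(current):
            continue
        if not vulnerable_transitives(pkg, candidate):
            return candidate
    return None


def remediation_plan(directs: dict) -> dict:
    """For each direct dependency with open advisories, the single upgrade that clears
    all of them at once (the 'one shot' option), or None where only a transitive
    override or a one-by-one approach remains."""
    plan = {}
    for pkg, current in directs.items():
        hits = vulnerable_transitives(pkg, current)
        if hits:
            plan[pkg] = {
                "current": current,
                "upgrade_to": find_direct_fix(pkg, current),
                "clears": sorted({adv_id for adv_id, _, _ in hits}),
            }
    return plan


if __name__ == "__main__":
    print(remediation_plan({"web-framework": "3.0.0", "legacy-client": "1.0.0"}))
```

A `None` in `upgrade_to` is the case the slide calls out: no version of the direct dependency fixes the transitive, so the remaining options are overriding the transitive version directly (with the compatibility risk that brings) or replacing the direct dependency.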
Exploitability - Without App Context: CVSS, EPSS
Use Case - Adding App Context
Reachability
Source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/
Formal Definition: In vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application's normal operational conditions.
[Figure: Application code calling into hibernate, jackson, slf4j, spring-web and mongodb, with each edge marked REACHABLE or UNREACHABLE]
UNREACHABLE: The reachable part of Jackson does not call the vulnerable function
UNREACHABLE: The reachable part of mongodb does not call the vulnerable part of slf4j
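The reachability definition above and the four prioritization criteria (exploitability, reachability, use case, fix available) come together in a short ranking routine: walk the application's static call graph from its entry points, mark each reported vulnerable function as reachable or not, and order the findings so that reachable ones come first and exploitability only decides within each group. This is an added example and not the talk's or Myrror Security's code; the call graph mirrors the slide's picture (the app's reachable slice of jackson never hits the vulnerable deserializer, and the reachable slice of mongodb only reaches a safe slf4j call), while the function names, the advisory identifiers and the scoring weights are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass

# Constructed call graph (assumption): caller -> callees, one node per function, with the
# library name as the prefix. Only some functions of each library are used by the app.
CALL_GRAPH = {
    "app.Main.handleRequest": [
        "spring-web.Dispatcher.route",
        "jackson.ObjectMapper.readValue",
        "hibernate.Session.save",
        "mongodb.Client.find",
    ],
    "spring-web.Dispatcher.route": ["slf4j.Logger.info"],
    "jackson.ObjectMapper.readValue": ["jackson.Parser.parse"],
    # Only reachable through a configuration call the application never makes.
    "jackson.ObjectMapper.enableDefaultTyping": ["jackson.Deserializer.resolveGadget"],
    "hibernate.Session.save": ["hibernate.Query.bindUnsanitized", "slf4j.Logger.info"],
    "mongodb.Client.find": ["slf4j.Logger.info"],
    # The vulnerable slf4j path hangs off a lookup function nothing in the app calls.
    "slf4j.Logger.lookup": ["slf4j.Logger.formatLookup"],
}
# The entry points encode the use case: the handlers the application actually exposes.
ENTRY_POINTS = ["app.Main.handleRequest"]


@dataclass
class Finding:
    ident: str          # placeholder advisory id, constructed for the example
    function: str       # the vulnerable function reported by the SCA tool
    cvss: float
    epss: float         # probability of exploitation in the wild, 0..1
    fix_available: bool


FINDINGS = [
    Finding("VULN-EXAMPLE-1", "jackson.Deserializer.resolveGadget", 9.8, 0.90, True),
    Finding("VULN-EXAMPLE-2", "slf4j.Logger.formatLookup", 9.0, 0.70, True),
    Finding("VULN-EXAMPLE-3", "hibernate.Query.bindUnsanitized", 7.5, 0.20, False),
    Finding("VULN-EXAMPLE-4", "spring-web.Dispatcher.route", 5.3, 0.05, True),
]


def reachable_set(graph: dict, entry_points: list) -> set:
    """Breadth-first walk from the entry points over the static call graph."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def exploitability(f: Finding) -> float:
    """Illustrative weighting (assumption): severity scaled by likelihood, halved when
    no fix exists because remediation then costs more than a version bump."""
    return round((f.cvss / 10.0) * f.epss * (1.0 if f.fix_available else 0.5), 4)


def prioritize(findings=FINDINGS, graph=CALL_GRAPH, entry_points=ENTRY_POINTS) -> list:
    """Rank findings: reachable ones first, then by exploitability within each group."""
    reach = reachable_set(graph, entry_points)
    rows = [(f.ident, f.function in reach, exploitability(f)) for f in findings]
    return sorted(rows, key=lambda r: (r[1], r[2]), reverse=True)


if __name__ == "__main__":
    for ident, reachable, score in prioritize():
        print(f"{ident}: reachable={reachable} exploitability={score}")
```

The two-tier ordering keeps unreachable findings on the list rather than dropping them: a static call graph misses reflection, dynamic dispatch and configuration-driven paths, so "unreachable" lowers priority but is not proof of safety, and a high-EPSS item at the bottom of the list is still worth revisiting when the entry points change.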
Remediating in One Go
Take Action - Comprise a Remediation Plan
Using the power of all former analyses and capabilities, we generate a Remediation Plan that handles what actually matters.
[Figure: Software Composition Analysis, Reachability Engine, Exploitability Engine and Software Integrity AI Engine feeding the Remediation Plan Generator]
Validation
Validation - Always Vigilant
Continuous Monitoring: Conducting a real-time ongoing surveillance of our software to detect vulnerabilities and threats guarantees the security measures we took are in check, validating our risk-mitigating course of action.
Feedback Loop: Taking remediation action and keeping an ongoing effort to improve our supply chain establishes a feedback mechanism creating a continuous improvement of our security posture, ensuring our application reliability.
Adaptive Remediation: This feedback loop of constant monitoring and remediation of our systems over time allows us to gain insights and evolve our remediation strategies, enhancing our robustness to emerging threats.
Demo

Conclusions
• Securing a supply chain is hard work and getting harder
• Implementing methodologies of rigorous prioritization is the path forward
Wishing everyone a secure SDLC!

Questions? Thank You!
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups

 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 

Último (20)

Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
What is Binary Language? Computer Number Systems
What is Binary Language?  Computer Number SystemsWhat is Binary Language?  Computer Number Systems
What is Binary Language? Computer Number Systems
 
Project Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanationProject Based Learning (A.I).pptx detail explanation
Project Based Learning (A.I).pptx detail explanation
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...Unit 1.1 Excite Part 1, class 9, cbse...
Unit 1.1 Excite Part 1, class 9, cbse...
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdfThe Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
The Essentials of Digital Experience Monitoring_ A Comprehensive Guide.pdf
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 

The CISO Problems Risk Compliance Management in a Software Development 03042024.pdf

  • 2. THE CISO'S CHALLENGES: Risk management and compliance in a software development company
  • 4. What are we going to talk about today
    - Overview of CISO daily challenges
    - Information Security Risk Landscape in 2024
    - Information Security Strategic Business Impacts
    - CISO Daily Challenges in Practice
    - Q&A Session
  • 5. Information Security Risk Landscape in 2024
    - Current threats on the rise: ransomware, phishing, software supply chain attacks
    - Emerging technologies: AI-powered automated vulnerability discovery, sophisticated "deepfake" phishing, IoT vulnerabilities
    - Regulatory changes: always ever-changing, but even more so with emerging technologies and evolving global data privacy laws
  • 6. A Day in the Life of a CISO: the CISO job. CISO Mind Map: An Overview of the Responsibilities and Ever Expanding Role of the CISO
    - Business Enablement; Project Delivery Lifecycle; Security Architecture; Compliance and Audits; Legal & Human Resources; Budget; Selling InfoSec (Internal)
    - Security Operations; Identity Management; Risk Management; Governance; Merger/Acquisition; Cloud Computing; Mobile Technology
    - Threat Prevention; Threat Detection; Incident Management; Process
  • 7. CISO Daily Challenges in Practice
    - Our Goal: To continually reduce risk to the appetite level of our organization
    - The Challenge: Battling all responsibility fronts when you only have two hands!
  • 8. CISO Daily Challenges in Practice
    - The Strategy: Prioritize, Prioritize, Prioritize. Continually!
    - The Tactics: Utilizing every resource and tool out there to do that
  • 9. CISO Daily Challenges in Practice: The Prioritizing CISO Mindset
    - The Methodology: Keeping all of our stakeholders content (business, engineering, compliance, and many more)
    - Maximizing "Risk ROI": in terms of number of issues fixed per effort, and in terms of business impact / application impact over resources used
  • 10. Information Security Strategic Business Impacts
    - Equifax, 147 million Americans, 2017: Massive data breach exposing the personal information of 147 million Americans, severely damaging brand reputation and trust.
    - Marriott International, 500 million guests, 2018: Estimated damages exceeding $10 billion, targeting critical infrastructure and causing widespread data loss and system disruptions.
    - Yahoo, 3 billion accounts, 2014: Massive data breach compromising 3 billion accounts, eroding user trust and leading to a steep decline in market value.
    - Target, 40 million credit cards, 2013: Data breach of 40 million credit and debit cards, triggering investigations and damaging customer confidence.
    - Reputation Loss: "It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it." (Stephane Nappo, Global Head of Information Security for Société Générale International Banking)
  • 11. Stay Resilient! Perseverance is Protection
    - The ever-shifting domain of information security demands both vigilance and strategic action
    - Security is not a one-time endeavor, but an ongoing journey
    - By consistently prioritizing proactive defense we can make software development that is trustworthy, resilient, and protected
  • 13. Yoad Fekete: Who Am I?
    - A DevOps enthusiast turned avid DevSecOps supporter.
    - Formerly at Prime Minister's Office Elite Unit, Samsung Next, Microsoft.
    - Founded next-gen SCA company Myrror Security.
    - Cat lover (yes, dogs as well).
    - Musician, when life allows.
    - Weird last name (which means "Black" in Hungarian).
    - (Logos: Formerly At / Founded / Raised From)
  • 14. What are we going to talk about today: Managing Software Supply Chain Risk
    - Dependency Vulnerability Risk & Prioritization
    - Attack Risk & Detection
    - The XZ malware: how we can detect that (DEMO)
    - Q&A Session
  • 15. Supply Chain as an Attack Surface
    - "Open source libraries are the foundation for literally every application in every industry." (Source: The Open Source Security & Risk Analysis (OSSRA) Report)
    - Increased OSS usage: >90% of companies use OSS, 80% of the code is open source
    - The supply chain serves as a significant attack surface in the development & deployment phases (SDLC: Analysis, Design, Development, Testing, Deployment, Maintenance)
    - The challenge: Rising above the noise and yet zeroing in on the critical
  • 16. Vulnerabilities / Attacks: two main risk vectors we must consider to secure our SSC
    - A vulnerability: a non-deliberate mistake (aside from very specific sophisticated attacks); identified by a CVE; recorded in public databases; defense possible before exploitation; includes both regular vulns and zero-day ones. Example: Log4Shell is a vulnerability.
    - A supply chain attack: a deliberate malicious activity; lacks specific CVE identification; untracked by standard SCAs and public DBs; typically already attempted to be exploited. Example: SolarWinds is a supply chain attack.
  • 17. Implementing CTEM for our Software Supply Chain: 5 steps in the cycle of Continuous Threat Exposure Management
    - "By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach."
    - 1. Scoping our software assets
    - 2. Discovering risks: vulnerabilities and attacks
    - 3. Prioritization
    - 4. Validation: monitor your code base constantly to validate your reachability, exploitability, impact, fix availability
    - 5. Remediation: compose a robust remediation plan
  • 18. Vulnerabilities and Beyond: Scoping & Discovery (CTEM cycle graphic, steps 1 and 2)
  • 19. How Scoping & Discovery is Being Done Today - SCA
    - Analyzing assets: by scanning SBOM / manifest files a complete picture of direct & indirect dependency vulnerabilities is generated, but completeness is not always great
    - (Diagram: Application -> Direct Dependency -> Transitive Dependencies)
    - Challenges: navigating false positives, alert fatigue, and code attack blindness
  • 20. Alert Fatigue
    - Definition: Vulnerability Alert Fatigue is when application security professionals become desensitized to SCA vulnerability alerts, and are not sure which vulnerability to address first.
    - Flow: There are a lot of dependencies, and thus a lot of vulnerabilities -> SCA platforms generate alerts for vulnerabilities -> alert fatigue follows
    - (Figure: screenshot of an exhaustive security alert list; the same "SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80%" rule, level 5, rule ID 19003, repeated over several days)
  • 21. Code Attacks
    - Definition (Source: NIST CSRC, https://csrc.nist.gov/glossary/term/supply_chain_attack): Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
    - 742% YoY increase in attacks
    - 61% of all U.S. businesses were directly impacted by SSC attacks between April 2022 and April 2023 (Gartner research)
  • 22. Types of Supply Chain Attacks: Typosquatting; Malicious Code in Repo; Distribution Server Attacks; Dependency Confusion; CI/CD Attacks; Maintainer Compromise
  • 23. How to detect attacks (across the SDLC: Analysis, Design, Development, Testing, Deployment, Maintenance)
    - Inspect the source code of the libraries for malicious code
    - Verify the end compiled binary to ensure it matches the source code
  • 24. Rise Above the Noise with Prioritization (CTEM cycle graphic, step 3)
  • 25. Achieving Relevance with Prioritization: to achieve relevance we regard four things
    - Exploitability: Is this vulnerability possible to exploit?
    - Reachability: Is vulnerable code actually being used?
    - Use case: What is the use case in the application?
    - Fix available: Can we fix it?
  • 26. Is a Fix Available?
    - There's a vulnerability in the transitive function (like we see here), but do we have a version of the direct dependency that fixes it? (Diagram: Application -> Direct Dependency -> Indirect Dependencies -> Vulnerable Function; fix?)
    - Direct Dependency Fix vs. Transitive Dependency Fix: upgrading all the vulnerable dependencies in one shot vs. one by one. Easy peasy?
  • 27. Exploitability - Without App Context: CVSS, EPSS
  • 28. Use Case - Adding App Context
  • 29. Reachability (Source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/)
    - Formal definition: In vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application's normal operational conditions.
    - (Diagram: application code -> hibernate, jackson, slf4j, spring-web, mongodb.) REACHABLE vs. UNREACHABLE: the reachable part of jackson does not call the vulnerable function; the reachable part of mongodb does not call the vulnerable part of slf4j.
  • 30. Remediating in One Go (CTEM cycle graphic, step 5)
  • 31. Take Action - Compose a Remediation Plan
    - Using the power of all former analyses and capabilities, we generate a Remediation Plan that handles what actually matters
    - Pipeline: Software Composition Analysis, Reachability Engine, Exploitability Engine, Software Integrity AI Engine -> Remediation Plan Generator
  • 32. Validation (CTEM cycle graphic, step 4)
  • 33. Validation - Always Vigilant
    - Continuous Monitoring: Conducting real-time ongoing surveillance of our software to detect vulnerabilities and threats guarantees the security measures we took are in check, validating our risk-mitigating course of action.
    - Feedback Loop: Taking remediation action and keeping an ongoing effort to improve our supply chain establishes a feedback mechanism, creating a continuous improvement of our security posture and ensuring our application reliability.
    - Adaptive Remediation: This feedback loop of constant monitoring and remediation of our systems over time allows us to gain insights and evolve our remediation strategies, enhancing our robustness to emerging threats.
  • 35. Conclusions
    - Securing a supply chain is hard work and getting harder
    - Implementing methodologies of rigorous prioritization is the path forward
    - Wishing everyone a secure SDLC!
  • 37. Thank You! Questions? To be continued… https://www.linkedin.com/company/application-security-virtual-meetups
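As an added example (not part of the deck, and not Myrror Security's own code), the four prioritization questions from slides 25 to 29 turned into a small pass over a constructed dependency and call graph: package names are taken from the reachability slide, while the function names, versions, EPSS values and the VULN-* labels are invented for illustration.

```python
from collections import deque, namedtuple

# Constructed call graph ("package.function" -> callees). Package names come from
# the reachability slide; the function names are made up for this example.
CALL_GRAPH = {
    "app.main": ["spring-web.dispatch", "hibernate.save", "jackson.readValue", "mongodb.find"],
    "spring-web.dispatch": ["spring-web.parseHeader"],
    "hibernate.save": ["hibernate.flush"],
    "jackson.readValue": ["jackson.parseTree"],
    "jackson.enableDefaultTyping": ["jackson.resolvePolymorphic"],  # never called by app
    "mongodb.find": ["slf4j.info"],
    "mongodb.connect": ["slf4j.formatMessage"],  # never called by app either
}
# Constructed dependency data: direct pins, published releases, and the
# transitive versions each direct-dependency release resolves to.
DIRECT_DEPS = {"spring-web": "5.3.0", "hibernate": "6.1.0", "jackson": "2.12.0", "mongodb": "4.0.0"}
RELEASES = {"spring-web": ["5.3.0", "5.3.1"], "hibernate": ["6.1.0"],
            "jackson": ["2.12.0", "2.13.0"], "mongodb": ["4.0.0", "4.1.0"]}
TRANSITIVES = {("mongodb", "4.0.0"): {"slf4j": "1.7.30"},
               ("mongodb", "4.1.0"): {"slf4j": "2.0.0"}}

# vid is a constructed label (not a CVE id), epss a constructed exploitation
# probability, fixed_in the first fixed release of pkg.
Vuln = namedtuple("Vuln", "vid pkg func cvss epss fixed_in")
VULNS = [
    Vuln("VULN-A", "spring-web", "parseHeader", 9.8, 0.60, "5.3.1"),
    Vuln("VULN-B", "jackson", "resolvePolymorphic", 9.8, 0.90, "2.13.0"),
    Vuln("VULN-C", "slf4j", "formatMessage", 7.5, 0.30, "2.0.0"),
    Vuln("VULN-D", "hibernate", "flush", 5.3, 0.01, "6.2.0"),
]

def version(v):
    return tuple(int(p) for p in v.split("."))

def reachable_functions(entry="app.main"):
    """Breadth-first walk of the call graph: every function the app can actually call."""
    seen, queue = {entry}, deque([entry])
    while queue:
        for callee in CALL_GRAPH.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def fix_available(v):
    """The (direct dependency, release) upgrade that removes the vuln, or None."""
    if v.pkg in DIRECT_DEPS:  # direct dependency: earliest release at or after the fix
        good = [r for r in RELEASES[v.pkg] if version(r) >= version(v.fixed_in)]
        return (v.pkg, min(good, key=version)) if good else None
    for dep, rels in RELEASES.items():  # transitive: a parent release that pins a fixed child
        for r in sorted(rels, key=version):
            child = TRANSITIVES.get((dep, r), {}).get(v.pkg)
            if child and version(child) >= version(v.fixed_in):
                return (dep, r)
    return None

def prioritize(vulns=VULNS, epss_threshold=0.10):
    """Tier 1: reachable and exploitable; 2: reachable only; 3: unreachable. CVSS breaks ties."""
    reach = reachable_functions()
    rows = []
    for v in vulns:
        reachable = f"{v.pkg}.{v.func}" in reach
        exploitable = v.epss >= epss_threshold
        tier = 1 if reachable and exploitable else 2 if reachable else 3
        rows.append({"vid": v.vid, "tier": tier, "cvss": v.cvss, "reachable": reachable,
                     "exploitable": exploitable, "fix": fix_available(v)})
    return sorted(rows, key=lambda r: (r["tier"], -r["cvss"]))
```

Two CVSS 9.8 findings end up at opposite ends of the plan: the reachable, likely-exploited spring-web one with a one-line direct upgrade comes first, while the jackson one is never called by the application; the slf4j fix is only reachable through a mongodb release that pins the fixed child.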