Join Us: https://www.linkedin.com/company/application-security-virtual-meetups
THE CISO’S
CHALLENGES:
Risk management and compliance
in a software development company
Who Am I?
Mandy Andress, CISO, Advisor, Board Member
What are we going to talk about today
• Overview of CISO daily challenges
• Information Security Risk Landscape in 2024
• Information Security Strategic Business Impacts
• CISO Daily Challenges in Practice
• Q&A Session
Information Security Risk Landscape in 2024
Current Threats on the Rise: ransomware, phishing, software supply chain attacks
Emerging Technologies: AI-powered automated vulnerability discovery, sophisticated "deepfake" phishing, IoT vulnerabilities
Regulatory Changes: always ever-changing, but even more so with emerging technologies and evolving global data privacy laws
A Day in the Life of a CISO
CISO Mind Map: An Overview of the Responsibilities and Ever-Expanding Role of the CISO
Business Enablement, Project Delivery Lifecycle, Security Architecture, Compliance and Audits, Legal & Human Resources, Budget, Selling InfoSec (Internal), Security Operations, Identity Management, Risk Management, Governance, Merger/Acquisition, Cloud Computing, Mobile Technology, Threat Prevention, Threat Detection, Incident Management, Process
CISO Daily Challenges in Practice
Our Goal: to continually reduce risk to the risk-appetite level of our organization
The Challenge: battling all responsibility fronts when you only have two hands!
CISO Daily Challenges in Practice
The Strategy: prioritize, prioritize, prioritize. Continually!
The Tactics: utilizing every resource and tool out there to do that
CISO Daily Challenges in Practice
The Prioritizing CISO Mindset: The Methodology
• Keeping all of our stakeholders content (business, engineering, compliance, and many more)
• Maximizing "Risk ROI": in terms of number of issues fixed per unit of effort, and in terms of business impact / application impact over resources used
Information Security Strategic Business Impacts
Equifax, 147 million Americans, 2017: massive data breach exposing the personal information of 147 million Americans, severely damaging brand reputation and trust.
Marriott International, 500 million guests, 2018: breach of the Starwood guest reservation database, disclosed in 2018 after years of undetected access, exposing records of up to 500 million guests and drawing regulatory fines and lawsuits.
Yahoo, 3 billion accounts, 2013-2014 (disclosed 2016): massive data breaches compromising all 3 billion accounts, eroding user trust and cutting the price Verizon paid in its pending acquisition of the company.
Target, 40 million credit cards, 2013: data breach of 40 million credit and debit cards, triggering investigations and damaging customer confidence.
Reputation Loss: "It takes 20 years to build a reputation and few minutes of cyber-incident to ruin it." (Stephane Nappo, Global Head of Information Security for Société Générale International Banking)
Stay Resilient! Perseverance is Protection
• The ever-shifting domain of information security demands both vigilance and strategic action
• Security is not a one-time endeavor, but an ongoing journey
• By consistently prioritizing proactive defense, we can make software development that is trustworthy, resilient, and protected
SOFTWARE SUPPLY CHAIN RISK MANAGEMENT
What can we do better?
Who Am I?
Yoad Fekete
• A DevOps enthusiast turned avid DevSecOps supporter.
• Formerly at Prime Minister's Office Elite Unit, Samsung Next, Microsoft.
• Founded next-gen SCA company Myrror Security.
• Cat lover (yes, dogs as well).
• Musician, when life allows.
• Weird last name (which means "Black" in Hungarian).
What are we going to talk about today
• Managing Software Supply Chain Risk
  • Dependency Vulnerability Risk & Prioritization
  • Attack Risk & Detection
• The XZ malware - how we can detect that - DEMO
• Q&A Session
Supply Chain as an Attack Surface
"Open source libraries are the foundation for literally every application in every industry." (Source: The Open Source Security & Risk Analysis (OSSRA) Report)
• The supply chain serves as a significant attack surface in the development & deployment phases
• Increased OSS usage (>90% of companies use OSS; 80% of the code is open source)
The challenge: rising above the noise and yet zeroing in on the critical
(Diagram: SDLC phases Analysis, Design, Development, Testing, Deployment, Maintenance)
Vulnerabilities / Attacks
Two main risk vectors we must consider to secure our SSC:
A vulnerability:
• A non-deliberate mistake (aside from very specific sophisticated attacks)
• Identified by a CVE
• Recorded in public databases
• Defense possible before exploitation
• Includes both regular vulns and zero-day ones
Example: Log4Shell is a vulnerability
A supply chain attack:
• A deliberate malicious activity
• Usually lacks a CVE identifier (one may be assigned only after the attack is discovered)
• Untracked by standard SCAs and public DBs
• Typically already being exploited by the time it is found
Example: SolarWinds is a supply chain attack
Implementing CTEM for our Software Supply Chain
5 steps in the cycle of Continuous Threat Exposure Management:
1. Scoping our software assets
2. Discovering risks: vulnerabilities and attacks
3. Prioritization: reachability, exploitability, impact, fix availability
4. Remediation: compose a robust remediation plan
5. Validation: monitor your code base constantly to validate your risk-mitigating course of action
"By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach." (Gartner)
Scoping & Discovery
How Scoping & Discovery is Being Done Today - SCA
Analyzing assets: by scanning SBOM / manifest files, a picture of direct and transitive dependencies and their vulnerabilities is generated, but completeness is not always great.
Challenges: navigating false positives, alert fatigue, and code attack blindness
(Diagram: Application -> Direct Dependency -> Transitive Dependencies)
Alert Fatigue
Definition: vulnerability alert fatigue is when application security professionals become desensitized to SCA vulnerability alerts, and are not sure which vulnerability to address first.
Flow: SCA platforms generate alerts for vulnerabilities -> there are a lot of dependencies, and thus a lot of vulnerabilities -> alert fatigue follows
(Screenshot: an exhaustive security-alerts list, Mar 30-31 2021, every row reading "SCA summary: CIS Apple macOS Benchmark applied to macOS 11.x: Score less than 80%", level 5, rule ID 19003. These particular rows are host configuration-assessment alerts rather than dependency findings, but the repetition illustrates the point.)
Code Attacks
Definition (NIST CSRC, https://csrc.nist.gov/glossary/term/supply_chain_attack): attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle.
742%: year-over-year increase in attacks
61% of all U.S. businesses were directly impacted by SSC attacks between April 2022 and April 2023 (Gartner research)
Types Of Supply Chain Attacks
Typosquatting
Malicious Code in Repo
Distribution Server Attacks
Dependency Confusion
CI/CD Attacks
Maintainer Compromise
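Two of the attack types in the list above can be screened for from the manifest alone: typosquatting (a dependency name a character or two away from a popular package) and dependency confusion (an internal-only package name that also exists on the public index, where a resolver preferring the higher public version fetches the attacker's copy). The following is an added example, not code from the talk or from Myrror Security; the popular-package list, the internal package names, the public-index snapshot and the sample requirements are all constructed, and the edit-distance threshold is an assumption to tune per ecosystem.

```python
"""Screen a requirements manifest for typosquat candidates and
dependency-confusion candidates. Added example with constructed data."""
from __future__ import annotations

import re

# Constructed sample of popular public packages (a real check would load a
# top-N list from the registry or a curated feed).
POPULAR = {"requests", "numpy", "urllib3", "cryptography", "pyyaml"}
# Constructed names that should exist only on the company's private index.
INTERNAL = {"acme-auth", "acme-billing"}
# Constructed snapshot of names present on the public index: "acme-billing"
# has been claimed publicly and "requessts" squats "requests".
PUBLIC_INDEX = POPULAR | {"requessts", "acme-billing"}

MAX_EDIT_DISTANCE = 2  # assumption: tune for your ecosystem

SAMPLE_REQUIREMENTS = [  # constructed requirements.txt content
    "requests==2.31.0",
    "requessts==2.31.0",
    "acme-billing>=1.0",
    "acme-auth>=1.0",
    "numpy",
]


def levenshtein(a: str, b: str) -> int:
    """Plain dynamic-programming edit distance; fine for package-name lengths."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of - _ . collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_name(requirement_line: str) -> str:
    """Extract the distribution name from a requirement specifier line."""
    match = re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", requirement_line)
    return normalize(match.group(1)) if match else ""


def check_manifest(lines: list[str]) -> list[dict]:
    """Return one finding per suspicious requirement, in manifest order."""
    findings = []
    for line in lines:
        name = package_name(line)
        if not name:
            continue
        # Dependency confusion: an internal name that a public index also serves.
        if name in INTERNAL and name in PUBLIC_INDEX:
            findings.append({"package": name, "issue": "dependency-confusion",
                             "detail": "internal name also published on the public index"})
            continue
        if name in POPULAR:
            continue
        # Typosquat: close to a popular name but not equal to it.
        for popular in sorted(POPULAR):
            distance = levenshtein(name, popular)
            if 0 < distance <= MAX_EDIT_DISTANCE:
                findings.append({"package": name, "issue": "typosquat-candidate",
                                 "similar_to": popular, "distance": distance})
                break
    return findings


if __name__ == "__main__":
    for finding in check_manifest(SAMPLE_REQUIREMENTS):
        print(finding)
```

The check is a screen, not proof: a near-miss name may be a legitimate fork, and the real fix for dependency confusion is structural (a single trusted index with internal names reserved or namespaced, and lockfiles that pin the source), with this scan as a guard in CI.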
How to detect attacks
• Inspect the source code of the libraries for malicious code
• Verify the end compiled binary (or release artifact) to ensure it matches the source code
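The second detection step, checking that what is shipped matches what is in the repository, can be mechanised for the common case of a source tarball: hash every file in the archive, hash every file in the checkout, and report anything present only in the archive or with differing content. That is the shape of the discrepancy in the XZ case the demo covers, where build-stage files in the release tarballs did not match the upstream git tree. The block below is an added example, not code from the talk or from Myrror Security; the checkout and the tampered tarball are constructed in a temporary directory so it runs offline, and the file names in the fixture are invented.

```python
"""Diff a release tarball against a source checkout by content hash.
Added example with a constructed fixture."""
from __future__ import annotations

import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_source_tree(source_dir: str) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file in the checkout, skipping .git."""
    root = Path(source_dir)
    return {p.relative_to(root).as_posix(): sha256(p.read_bytes())
            for p in root.rglob("*") if p.is_file() and ".git" not in p.parts}


def hash_tarball(tarball_path: str) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file in the archive.
    The single top-level directory (pkg-1.0/) is stripped so paths line up
    with the checkout."""
    hashes = {}
    with tarfile.open(tarball_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            hashes[rel] = sha256(tar.extractfile(member).read())
    return hashes


def diff_tarball_against_source(tarball_path: str, source_dir: str) -> dict[str, list[str]]:
    """Three sorted lists: paths only in the tarball, paths only in the source
    tree, and paths present in both whose contents differ."""
    tar_hashes = hash_tarball(tarball_path)
    src_hashes = hash_source_tree(source_dir)
    common = tar_hashes.keys() & src_hashes.keys()
    return {
        "only_in_tarball": sorted(tar_hashes.keys() - src_hashes.keys()),
        "only_in_source": sorted(src_hashes.keys() - tar_hashes.keys()),
        "modified": sorted(p for p in common if tar_hashes[p] != src_hashes[p]),
    }


def build_fixture() -> tuple[str, str]:
    """Constructed fixture: a fake checkout plus a release tarball in which one
    macro file was added and configure.ac was edited to include it."""
    base = Path(tempfile.mkdtemp(prefix="release-check-"))
    checkout = base / "checkout"
    committed = {
        "configure.ac": b"AC_INIT([pkg], [1.0])\nAC_OUTPUT\n",
        "src/compress.c": b"int compress(void) { return 0; }\n",
        "m4/ax_pthread.m4": b"# standard macro\n",
    }
    for rel, data in committed.items():
        path = checkout / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

    released = dict(committed)
    released["configure.ac"] += b"m4_include([m4/build-helper.m4])\n"
    released["m4/build-helper.m4"] = b"# injected build step (constructed)\n"
    tarball = base / "pkg-1.0.tar.gz"
    with tarfile.open(tarball, "w:gz") as tar:
        for rel, data in released.items():
            info = tarfile.TarInfo(name=f"pkg-1.0/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return str(tarball), str(checkout)


if __name__ == "__main__":
    tarball, checkout = build_fixture()
    for category, paths in diff_tarball_against_source(tarball, checkout).items():
        print(f"{category}: {paths}")
```

Two caveats for real projects: autotools-style releases legitimately contain generated files (configure, Makefile.in) that are not committed, so either allowlist them or regenerate from the tagged source and compare the result; and the comparison is only as trustworthy as the checkout, so fetch the tag by commit hash and verify the release signature or published checksum as well.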
Rise Above the Noise with Prioritization
Achieving Relevance with Prioritization
To achieve relevance we regard four things:
• Exploitability: is this vulnerability possible to exploit?
• Reachability: is the vulnerable code actually being used?
• Use case: what is the use case in the application?
• Fix available: can we fix it?
Is a Fix Available?
There's a vulnerability in a function of a transitive dependency, but do we have a version of the direct dependency that pulls in the fixed transitive version?
(Diagram: Application -> Direct Dependency -> Indirect Dependencies -> Vulnerable Function, with the question "fix?" on the direct dependency)
Easy peasy? Direct dependency fix vs. transitive dependency fix: upgrading all the vulnerable dependencies in one shot vs. one by one.
Exploitability - Without App Context: CVSS, EPSS
Use Case - Adding App Context
Reachability
Source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/
Formal definition: in vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application's normal operational conditions.
(Diagram: application code calling hibernate, jackson, slf4j, spring-web and mongodb, with REACHABLE and UNREACHABLE paths marked)
• The reachable part of jackson does not call the vulnerable function, so that vulnerability is UNREACHABLE
• The reachable part of mongodb does not call the vulnerable part of slf4j, so that vulnerability is UNREACHABLE
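Reachability in the sense defined above reduces to graph search: starting from the application's entry points, walk the call graph and ask, for each function an advisory names as vulnerable, whether any path leads to it. The block below is an added example, not code from the talk or from the linked guide. The call graph is built by hand and the function names are invented to echo the diagram's libraries (hibernate, jackson, slf4j, spring-web, mongodb); they are not those libraries' real APIs, and the advisory labels are constructed. A real tool derives the graph from bytecode or source.

```python
"""Static reachability of vulnerable functions over a constructed call graph.
Added example; names are invented."""
from __future__ import annotations

from collections import deque

# Constructed caller -> callees map. Library-qualified names are made up.
CALL_GRAPH: dict[str, list[str]] = {
    "app.OrderController.create": ["spring-web.Dispatcher.handle", "app.OrderService.save"],
    "app.OrderService.save": ["hibernate.Session.persist",
                              "jackson.ObjectMapper.writeValueAsString",
                              "mongodb.Collection.insertOne"],
    "spring-web.Dispatcher.handle": ["jackson.ObjectMapper.readValue"],
    "jackson.ObjectMapper.readValue": ["jackson.BeanDeserializer.deserialize"],
    "jackson.ObjectMapper.writeValueAsString": [],
    "jackson.BeanDeserializer.deserialize": [],
    # Vulnerable jackson code that nothing in the application calls.
    "jackson.ObjectMapper.enableDefaultTyping": ["jackson.TypeResolver.resolveUntrusted"],
    "jackson.TypeResolver.resolveUntrusted": [],
    "hibernate.Session.persist": ["slf4j.Logger.debug"],
    "mongodb.Collection.insertOne": ["slf4j.Logger.info"],
    "slf4j.Logger.info": [],
    "slf4j.Logger.debug": [],
    # Vulnerable slf4j code reached only via Logger.trace, which mongodb never calls.
    "slf4j.Logger.trace": ["slf4j.MessageFormatter.expandTemplate"],
    "slf4j.MessageFormatter.expandTemplate": [],
}

ENTRY_POINTS = ["app.OrderController.create"]

# Constructed advisory data: which functions the (invented) vulnerabilities live in.
VULNERABLE_FUNCTIONS = {
    "jackson.BeanDeserializer.deserialize": "VULN-A (jackson, deserialization)",
    "jackson.TypeResolver.resolveUntrusted": "VULN-B (jackson, default typing)",
    "slf4j.MessageFormatter.expandTemplate": "VULN-C (slf4j, template expansion)",
}


def reachable_from(entry_points: list[str], graph: dict[str, list[str]]) -> dict[str, str | None]:
    """Breadth-first search; returns {node: parent} for every reachable node so
    that a call path can be reconstructed for the report."""
    parents: dict[str, str | None] = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        caller = queue.popleft()
        for callee in graph.get(caller, []):
            if callee not in parents:
                parents[callee] = caller
                queue.append(callee)
    return parents


def call_path(parents: dict[str, str | None], target: str) -> list[str]:
    """Walk parent links back to the entry point and return the path in call order."""
    path = []
    node: str | None = target
    while node is not None:
        path.append(node)
        node = parents[node]
    return list(reversed(path))


def analyze(entry_points, graph, vulnerable):
    """For each vulnerable function: the call path from an entry point, or None."""
    parents = reachable_from(entry_points, graph)
    return {fn: (call_path(parents, fn) if fn in parents else None) for fn in vulnerable}


if __name__ == "__main__":
    for fn, path in analyze(ENTRY_POINTS, CALL_GRAPH, VULNERABLE_FUNCTIONS).items():
        status = "REACHABLE via " + " -> ".join(path) if path else "UNREACHABLE"
        print(f"{VULNERABLE_FUNCTIONS[fn]}: {status}")
```

The result mirrors the diagram: the deserialization path is reachable through the web framework, while the default-typing code in jackson and the template expansion in slf4j are present in the dependency tree but never called. Treat "unreachable" as a down-weight rather than a dismissal: reflection, dynamic dispatch and framework-registered callbacks are edges a static call graph can miss.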
Remediating in One Go
Take Action - Compose a Remediation Plan
Using the power of all the former analyses and capabilities, we generate a remediation plan that handles what actually matters:
Software Composition Analysis / Reachability Engine / Exploitability Engine / Software Integrity AI Engine -> Remediation Plan Generator
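The four prioritization signals (exploitability via CVSS and EPSS, reachability, use case, fix availability) and the "fix in one shot" idea from the Is a Fix Available? slide can be combined into a small planner: score each finding, rank, then fold the ranked list into one upgrade per direct dependency, chosen as the lowest version that clears every transitive vulnerability it pulls in, with unfixable findings parked for mitigation. The block below is an added example, not code from the talk or from Myrror Security. The findings, package names, versions and scores are constructed, and the weights (exposure factors, the unreachable discount, the EPSS floor) are assumptions to tune, not published guidance.

```python
"""Risk scoring and a grouped remediation plan over constructed SCA findings.
Added example; weights are assumptions."""
from __future__ import annotations

from collections import defaultdict

# Constructed findings after reachability and exploitability analysis.
# via_direct: the direct dependency that pulls the vulnerable package in.
# fixed_in_direct: the direct-dependency version that ships a fixed transitive (None = no fix yet).
FINDINGS = [
    {"id": "F1", "package": "parser-lib", "via_direct": "web-framework", "cvss": 9.8, "epss": 0.92,
     "reachable": True, "use_case": "internet-facing", "fixed_in_direct": "3.2.1"},
    {"id": "F2", "package": "yaml-lib", "via_direct": "config-loader", "cvss": 7.5, "epss": 0.04,
     "reachable": False, "use_case": "internal", "fixed_in_direct": "1.9.0"},
    {"id": "F3", "package": "xml-lib", "via_direct": "web-framework", "cvss": 6.1, "epss": 0.35,
     "reachable": True, "use_case": "internet-facing", "fixed_in_direct": "3.1.0"},
    {"id": "F4", "package": "image-lib", "via_direct": "image-lib", "cvss": 8.8, "epss": 0.60,
     "reachable": True, "use_case": "batch", "fixed_in_direct": None},
]

# Assumed weights.
EXPOSURE = {"internet-facing": 1.0, "internal": 0.6, "batch": 0.3}
UNREACHABLE_FACTOR = 0.1   # not zero: static reachability misses reflection and dynamic calls
EPSS_FLOOR = 0.2           # a fresh CVE with EPSS near 0 should not erase a critical CVSS


def risk_score(finding: dict) -> float:
    """CVSS severity, weighted by exploitation likelihood, exposure and reachability."""
    exploit = EPSS_FLOOR + (1 - EPSS_FLOOR) * finding["epss"]
    reach = 1.0 if finding["reachable"] else UNREACHABLE_FACTOR
    return round(finding["cvss"] * exploit * EXPOSURE[finding["use_case"]] * reach, 2)


def prioritize(findings: list[dict]) -> list[dict]:
    return sorted(findings, key=risk_score, reverse=True)


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def remediation_plan(findings: list[dict]) -> dict:
    """One upgrade per direct dependency, to the highest fix version any of its
    findings requires (i.e. the lowest version that clears all of them);
    findings with no fixed version go to a mitigate-or-monitor list."""
    upgrades: dict[str, dict] = defaultdict(lambda: {"to_version": None, "resolves": []})
    mitigate: list[str] = []
    for finding in prioritize(findings):
        fixed = finding["fixed_in_direct"]
        if fixed is None:
            mitigate.append(finding["id"])
            continue
        entry = upgrades[finding["via_direct"]]
        entry["resolves"].append(finding["id"])
        if entry["to_version"] is None or parse_version(fixed) > parse_version(entry["to_version"]):
            entry["to_version"] = fixed
    return {"upgrade": dict(upgrades), "mitigate_or_monitor": mitigate}


if __name__ == "__main__":
    for finding in prioritize(FINDINGS):
        print(f"{finding['id']} {finding['package']:<11} score={risk_score(finding):5.2f}")
    print(remediation_plan(FINDINGS))
```

On the constructed data the internet-facing, reachable, high-EPSS finding lands first and the unreachable internal one last, and the two web-framework findings collapse into a single bump to 3.2.1. Real version strings need a proper version parser (pre-releases, ecosystem-specific ordering), and the plan should be re-run after the upgrade, since a bump can pull in new transitives.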
Validation
Validation - Always Vigilant
Continuous Monitoring: conducting real-time, ongoing surveillance of our software to detect vulnerabilities and threats confirms that the security measures we took are holding, validating our risk-mitigating course of action.
Feedback Loop: taking remediation action and keeping up an ongoing effort to improve our supply chain establishes a feedback mechanism, creating continuous improvement of our security posture and ensuring our application's reliability.
Adaptive Remediation: this feedback loop of constant monitoring and remediation of our systems over time allows us to gain insights and evolve our remediation strategies, enhancing our robustness against emerging threats.
Demo
Conclusions
• Securing a supply chain is hard work and getting harder
• Implementing methodologies of rigorous prioritization is the path forward
• Wishing everyone a secure SDLC!
Questions?
Thank You!
To be continued…
https://www.linkedin.com/company/application-security-virtual-meetups

The CISO Problems Risk Compliance Management in a Software Development 03042024.pdf

  • 2. THE CISO’S CHALLENGES: Risk management and compliance in a software development company
  • 4. What are we going to talk about today Overview of CISO daily challenges Information Security Risk Landscape in 2024 Information Security Strategic Business Impacts CISO Daily Challenges in Practice Q&A Session 3
  • 5. Information Security Risk Landscape in 2024 5 Current Threats on the Rise Emerging Technologies Regulatory Changes Ransomware, phishing, software supply chain attacks AI powered automated vulnerability discovery, sophisticated "deepfake" phishing, IoT vulnerabilities Always ever-changing, but even more so with emerging technologies and evolving global data privacy laws
  • 6. A Day in the Life of a CISO 4 CISO JOB CISO Mind Map: An Overview of The Responsibilities and Ever Expanding Role of The CISO Business Enablement Project Delivery Lifecycle Security Architecture Compliance and Audits Legal & Human Recources Budget Selling InfoSec (Intermail) Security Operations Identity Management Risk Management Governance Merger/ Acqusition Cloud Computing Mobile Technology Threat Prevention Threat Detection Incident Management Process
  • 7. CISO Daily Challenges in Practice 6 Our Goal: To continually reduce risk to the appetite level of our organization The Challenge: Battling all responsibility fronts when you only have to hands!
  • 8. CISO Daily Challenges in Practice 7 The Strategy: Prioritize, Prioritize, Prioritize. Continually! The Tactics: Utilizing every resource and tool out there to do that
  • 9. CISO Daily Challenges in Practice 8 The Prioritizing CISO Mindset: The Methodology Keeping all of our stakeholders content (business, engineering, compliance, and many more) Maximizing "Risk ROI": In terms of number of issues fixed per effort In terms of business impact / application impact over resources used
  • 10. Information Security Strategic Business Impacts 9 Equifax 147 million americans 2017 Massive data breach exposing the personal information of 147 million Americans, severely damaging brand reputation and trust. Marriott International 500 million guests 2018 Estimated damages exceeding $10 billion, targeting critical infrastructure and causing widespread data loss and system disruptions. Yahoo 3billion accounts 2014 Massive data breach compromising 3 billion accounts, eroding user trust and leading to a steep decline in market value. Targe t 40million credit cards 2013 Data breach of 40 million credit and debit cards, triggering investigations and damaging customer confidence. Reputation Loss: Stephane Nappo, Global Head of Information Security for Société Générale International Banking. It takes 20 years to build a reputation and few minutes of cyber- incident to ruin it.
  • 11. Stay Resilient! Perseverance is Protection 10 The ever-shifting domain of information security demands both vigilance and strategic action Security is not a one-time endeavor, but an ongoing journey By consistently prioritizing proactive defense we can make software development that is trustworthy, resilient, and protected
  • 13. Who Am I? Yoad Fekete
    • A DevOps enthusiast turned avid DevSecOps supporter.
    • Formerly at the Prime Minister's Office elite unit, Samsung Next, Microsoft.
    • Founded the next-gen SCA company Myrror Security.
    • Cat lover (yes, dogs as well).
    • Musician, when life allows.
    • Weird last name (which means "black" in Hungarian).
  • 14. What are we going to talk about today: Managing Software Supply Chain Risk
    • Dependency Vulnerability Risk & Prioritization
    • Attack Risk & Detection
    • The XZ malware - how we can detect that - DEMO
    • Q&A Session
  • 15. Supply Chain as an Attack Surface. Source: The Open Source Security & Risk Analysis (OSSRA) Report: "Open source libraries are the foundation for literally every application in every industry." Increased OSS usage: >90% of companies use OSS, and 80% of the code is open source. The supply chain serves as a significant attack surface in the development & deployment phases (figure: SDLC phases Analysis, Design, Development, Testing, Deployment, Maintenance). The challenge: rising above the noise and yet zeroing in on the critical.
  • 16. Vulnerabilities / Attacks. Two main risk vectors we must consider to secure our SSC:
    A vulnerability:
    - A non-deliberate mistake (aside from very specific sophisticated attacks)
    - Identified by a CVE
    - Recorded in public databases
    - Defense possible before exploitation
    - Includes both regular vulns and zero-day ones
    - Example: Log4Shell is a vulnerability
    A supply chain attack:
    - A deliberate malicious activity
    - Lacks specific CVE identification
    - Untracked by standard SCAs and public DBs
    - Typically already attempted to be exploited
    - Example: SolarWinds is a supply chain attack
  • 17. Implementing CTEM for our Software Supply Chain. The five steps in the cycle of Continuous Threat Exposure Management:
    1. Scoping our software assets
    2. Discovering risks: vulnerabilities and attacks
    3. Prioritization
    4. Remediation: compose a robust remediation plan
    5. Validation: monitor your code base constantly to validate reachability, exploitability, impact and fix availability
    "By 2026, organizations that prioritize their security investments based on a continuous exposure management program will be 3x less likely to suffer a breach."
  • 18. Vulnerabilities and Beyond: Scoping & Discovery (steps 1 and 2 of the CTEM cycle: scoping our software assets, discovering risks).
  • 19. How Scoping & Discovery Is Being Done Today - SCA. Analyzing assets: scanning the SBOM / manifest files generates a picture of the vulnerabilities in direct and indirect dependencies, but completeness is not always great. Challenges: navigating false positives, alert fatigue, and code attack blindness. (Figure: application -> direct dependency -> transitive dependencies.)
  • 20. Alert Fatigue. Definition: vulnerability alert fatigue is when application security professionals become desensitized to SCA vulnerability alerts and are no longer sure which vulnerability to address first. Flow: there are a lot of dependencies, and thus a lot of vulnerabilities; SCA platforms generate alerts for every one of them; alert fatigue follows. (Figure: screenshot of an exhaustive list of near-identical security alerts.)
  • 21. Code Attacks. NIST CSRC definition of a supply chain attack (https://csrc.nist.gov/glossary/term/supply_chain_attack): "Attacks that allow the adversary to utilize implants or other vulnerabilities inserted prior to installation in order to infiltrate data, or manipulate information technology hardware, software, operating systems, peripherals (information technology products) or services at any point during the life cycle." 742% year-over-year increase in attacks; 61% of all U.S. businesses were directly impacted by software supply chain attacks between April 2022 and April 2023 (Gartner research).
  • 22. Types of Supply Chain Attacks: Typosquatting; Malicious Code in Repo; Distribution Server Attacks; Dependency Confusion; CI/CD Attacks; Maintainer Compromise.
  • 23. How to Detect Attacks. Two checks, applied in the development and deployment phases: inspect the source code of the libraries for malicious code; verify that the end compiled binary matches the source code it claims to be built from.
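The second check on this slide, comparing what is distributed against what is in version control, can be done mechanically. The following is an added example for this talk (not code from the slides or from Myrror Security): it hashes every file in a tagged source tree and in a release archive and reports files that were added, removed or modified in transit. The file names, the in-memory trees and the "modified build macro plus extra test blob" scenario are constructed for illustration, not taken from any real project.

```python
"""Compare a distributed source archive (what users actually build) against the tagged
source tree it claims to come from, and report files added, removed or changed in transit.
Added example; the sample trees below are constructed in-memory and the repository layout
is an assumption, not a real project."""
import hashlib
import os
import tarfile
from typing import Dict, List


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_from_dir(root: str) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file under a checked-out tree."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digests[os.path.relpath(path, root)] = sha256_bytes(fh.read())
    return digests


def tree_from_tarball(path: str, strip_components: int = 1) -> Dict[str, str]:
    """Map relative path -> sha256 for every regular file in a release tarball.
    Release archives usually wrap everything in a 'name-version/' directory,
    hence strip_components=1 by default."""
    digests: Dict[str, str] = {}
    with tarfile.open(path) as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            parts = member.name.split("/")[strip_components:]
            if parts:
                digests["/".join(parts)] = sha256_bytes(tar.extractfile(member).read())
    return digests


def diff_trees(source: Dict[str, str], dist: Dict[str, str]) -> Dict[str, List[str]]:
    """Files only in the distribution ('added'), only in the source ('removed'), or with
    different content ('modified'). A clean release has all three empty apart from
    deliberately generated files (e.g. autotools output), which should be allow-listed
    one by one rather than ignored wholesale: an 'added' build script is exactly the
    kind of thing a reviewer of the repository never saw."""
    added = sorted(p for p in dist if p not in source)
    removed = sorted(p for p in source if p not in dist)
    modified = sorted(p for p in source if p in dist and source[p] != dist[p])
    return {"added": added, "removed": removed, "modified": modified}


# Constructed sample (not a real project): the tarball carries one tracked build macro
# whose content differs from git, plus a binary blob that is not in version control.
SOURCE_TREE = {
    "configure.ac": sha256_bytes(b"AC_INIT([demo], [1.0])\n"),
    "src/main.c": sha256_bytes(b"int main(void){return 0;}\n"),
    "m4/helper.m4": sha256_bytes(b"# upstream macro\n"),
}
DIST_TREE = {
    "configure.ac": sha256_bytes(b"AC_INIT([demo], [1.0])\n"),
    "src/main.c": sha256_bytes(b"int main(void){return 0;}\n"),
    "m4/helper.m4": sha256_bytes(b"# upstream macro\neval \"$(cat tests/data.bin)\"\n"),
    "tests/data.bin": sha256_bytes(b"\x00\x01payload"),
}


def sample_report() -> Dict[str, List[str]]:
    """Run the comparison on the constructed trees."""
    return diff_trees(SOURCE_TREE, DIST_TREE)


if __name__ == "__main__":
    # Real usage: diff_trees(tree_from_dir("./checkout-at-tag"), tree_from_tarball("release.tar.gz"))
    for kind, paths in sample_report().items():
        print(f"{kind}: {paths}")
```

In practice the source side comes from `tree_from_dir` on a checkout of the release tag and the distribution side from `tree_from_tarball` on the archive the package manager actually fetched; anything in `added` or `modified` that is not on an explicit allow-list of generated files is a finding to read by hand.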
  • 24. Rise Above the Noise with Prioritization (step 3 of the CTEM cycle).
  • 25. Achieving Relevance with Prioritization. To achieve relevance we regard four things:
    - Exploitability: is this vulnerability possible to exploit?
    - Reachability: is the vulnerable code actually being used?
    - Use case: what is the use case in the application?
    - Fix available: can we fix it?
  • 26. Is a Fix Available? There's a vulnerability in a function of a transitive (indirect) dependency, but do we have a version of the direct dependency that pulls in a fixed version of it? Not always easy: a direct dependency fix vs. a transitive dependency fix; upgrading all the vulnerable dependencies in one shot vs. one by one.
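The question on this slide, "which version of the direct dependency lifts the vulnerable transitive, and can one bump fix several at once", is a small resolution problem. The following is an added example (not code from the slides or from Myrror Security) that answers it over constructed metadata: the direct dependency, its published versions and the transitive versions each one resolves to are all hypothetical names and numbers, and the dependency versions being "fixed" at the given thresholds is an assumption of the example.

```python
"""Find the smallest upgrade of a *direct* dependency that pulls in fixed versions of
vulnerable *transitive* dependencies, ideally all of them in one shot.
Added example; the version metadata below is constructed, not a real library."""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]


def parse(v: str) -> Version:
    """'1.10.0' -> (1, 10, 0); tuple comparison orders versions correctly (1.9 < 1.10)."""
    return tuple(int(x) for x in v.split("."))


# Constructed metadata: for each published version of the direct dependency ("web-framework"),
# the version of each transitive dependency it resolves to. The advisories are against
# "json-parser" and "logging"; the application itself only declares "web-framework".
DIRECT_VERSIONS: Dict[str, Dict[str, str]] = {
    "2.3.0": {"json-parser": "1.9.0", "logging": "4.1.0"},
    "2.3.1": {"json-parser": "1.9.2", "logging": "4.1.0"},
    "2.4.0": {"json-parser": "1.10.0", "logging": "4.1.0"},
    "2.5.0": {"json-parser": "1.10.0", "logging": "4.2.0"},
    "3.0.0": {"json-parser": "1.11.0", "logging": "4.2.0"},
}


def smallest_fixing_upgrade(current: str, versions: Dict[str, Dict[str, str]],
                            first_fixed: Dict[str, str]) -> Optional[str]:
    """Lowest direct version newer than `current` whose resolved transitives are all at
    or above their first fixed version. None means no published release helps, and the
    remaining options are a dependency override/pin, a patch, or accepting the risk."""
    cur = parse(current)

    def fixes_all(resolved: Dict[str, str]) -> bool:
        # A transitive that this version no longer pulls in at all counts as fixed.
        return all(dep not in resolved or parse(resolved[dep]) >= parse(fixed)
                   for dep, fixed in first_fixed.items())

    candidates = [v for v, resolved in versions.items()
                  if parse(v) > cur and fixes_all(resolved)]
    return min(candidates, key=parse) if candidates else None


def upgrade_plan(current: str, first_fixed: Dict[str, str],
                 versions: Dict[str, Dict[str, str]] = DIRECT_VERSIONS) -> dict:
    """Target version plus a flag for the cost side of 'Risk ROI': a major-version bump
    is far more likely to need application changes than a patch release."""
    target = smallest_fixing_upgrade(current, versions, first_fixed)
    return {
        "upgrade_to": target,
        "major_bump": target is not None and parse(target)[0] != parse(current)[0],
    }


if __name__ == "__main__":
    print(upgrade_plan("2.3.0", {"json-parser": "1.10.0"}))                     # one finding
    print(upgrade_plan("2.3.0", {"json-parser": "1.10.0", "logging": "4.2.0"}))  # one shot for two
    print(upgrade_plan("2.3.0", {"json-parser": "1.11.0"}))                     # needs a major bump
```

Passing several advisories in `first_fixed` is the "one shot" case from the slide: the function returns the single direct version that satisfies all of them, or None when the findings have to be handled one by one.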
  • 27. Exploitability - Without App Context: CVSS, EPSS.
  • 28. Use Case - Adding App Context.
  • 29. Reachability. Formal definition (source: https://myrror.security/the-definitive-guide-to-vulnerability-reachability-analysis-part-1/): in vulnerability analysis terminology, reachability is a property of a piece of code that indicates whether it will (or will not) be called under an application's normal operational conditions. Figure: application code calling hibernate, jackson, slf4j, spring-web and mongodb. The reachable part of Jackson does not call the vulnerable function, so that vulnerability is UNREACHABLE; the reachable part of mongodb does not call the vulnerable part of slf4j, so that one is UNREACHABLE too.
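Slides 25 to 29 describe four prioritization inputs (exploitability, reachability, use case, fix available) and illustrate reachability with a call-graph picture. The following is an added example (not code from the slides or Myrror's engine) that puts the two together: a breadth-first reachability analysis over a constructed call graph modelled on the slide's figure, then a ranking of constructed SCA findings by the four factors. The package and function names, the CVSS/EPSS numbers and the scoring weights are illustrative assumptions, not real CVEs or a published formula; a real call graph would come from a static analyzer of the language in question.

```python
"""Reachability over a call graph plus a four-factor ranking of SCA findings.
Added example; the graph, the findings and the score weights are constructed for
illustration (names chosen to mirror the slide's figure), not real CVEs or Myrror's engine."""
from collections import deque
from typing import Dict, Iterable, List, Set

# Constructed call graph, caller -> callees. Nodes are "package:function".
CALL_GRAPH: Dict[str, List[str]] = {
    "app:main": ["spring-web:dispatch", "mongodb:find"],
    "spring-web:dispatch": ["jackson:readValue", "app:handler"],
    "app:handler": ["hibernate:save"],
    "jackson:readValue": ["jackson:parseJson"],
    # the vulnerable jackson entry point exists in the library but nothing in the app calls it
    "jackson:enableDefaultTyping": ["jackson:resolveType"],
    "mongodb:find": ["slf4j:info"],
    # mongodb's reachable part never touches the vulnerable slf4j function
    "mongodb:legacyInit": ["slf4j:formatMessage"],
    "hibernate:save": [], "jackson:parseJson": [], "jackson:resolveType": [],
    "slf4j:info": [], "slf4j:formatMessage": [],
}


def reachable_from(entry_points: Iterable[str], graph: Dict[str, List[str]]) -> Set[str]:
    """Every function transitively callable from the application's entry points (BFS)."""
    seen: Set[str] = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, []))
    return seen


# Constructed SCA findings. vuln_fn: the function the advisory points at; cvss/epss: the
# context-free exploitability signals (slide 27); exposed: the use-case flag (slide 28),
# i.e. does this component handle untrusted input here; fix_available: slide 26.
FINDINGS = [
    {"id": "F1", "package": "jackson", "vuln_fn": "jackson:enableDefaultTyping",
     "cvss": 9.8, "epss": 0.92, "fix_available": True, "exposed": True},
    {"id": "F2", "package": "slf4j", "vuln_fn": "slf4j:formatMessage",
     "cvss": 7.5, "epss": 0.40, "fix_available": True, "exposed": False},
    {"id": "F3", "package": "hibernate", "vuln_fn": "hibernate:save",
     "cvss": 6.5, "epss": 0.05, "fix_available": False, "exposed": True},
    {"id": "F4", "package": "spring-web", "vuln_fn": "spring-web:dispatch",
     "cvss": 8.1, "epss": 0.30, "fix_available": True, "exposed": True},
]


def annotate(findings: List[dict], reachable: Set[str]) -> List[dict]:
    """Attach the reachability verdict to each finding."""
    return [dict(f, reachable=f["vuln_fn"] in reachable) for f in findings]


def priority(f: dict) -> float:
    """Illustrative 'Risk ROI' score (weights are an assumption of this example).
    Unreachable code cannot be exploited through this application, so it is parked
    regardless of CVSS. Among reachable findings EPSS (is it being exploited?) and CVSS
    (how bad?) drive urgency, the use-case flag doubles it, and an available fix makes
    the finding cheap to act on, so it moves up."""
    if not f["reachable"]:
        return 0.0
    score = f["cvss"] / 10 * (0.5 + f["epss"])
    if f["exposed"]:
        score *= 2
    if f["fix_available"]:
        score *= 1.5
    return round(score, 3)


def scores(findings=FINDINGS, graph=CALL_GRAPH, entry_points=("app:main",)) -> Dict[str, float]:
    reachable = reachable_from(entry_points, graph)
    return {f["id"]: priority(f) for f in annotate(findings, reachable)}


def remediation_order(findings=FINDINGS, graph=CALL_GRAPH, entry_points=("app:main",)) -> List[str]:
    """Finding ids, most urgent first; the two unreachable ones (F1 with CVSS 9.8 among
    them) sink to the bottom, which is the whole point of adding app context."""
    s = scores(findings, graph, entry_points)
    return sorted(s, key=s.get, reverse=True)


if __name__ == "__main__":
    for fid in remediation_order():
        print(fid, scores()[fid])
```

Note that F1 carries the highest CVSS and EPSS on the list and still ranks last: its vulnerable function is in the library but on no path from `app:main`. That is the "unreachable" verdict in the slide's figure, and it is also why reachability has to be re-validated whenever the application code changes (step 5 of the cycle): a new call into `jackson:enableDefaultTyping` would flip the verdict.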
  • 30. Remediating in One Go (step 4 of the CTEM cycle: compose a robust remediation plan).
  • 31. Take Action - Compose a Remediation Plan. Using the power of all the former analyses and capabilities (Software Composition Analysis, Reachability Engine, Exploitability Engine, Software Integrity AI Engine), the Remediation Plan Generator produces a remediation plan that handles what actually matters.
  • 32. Validation (step 5 of the CTEM cycle).
  • 33. Validation - Always Vigilant. Continuous monitoring: real-time, ongoing surveillance of our software to detect vulnerabilities and threats guarantees the security measures we took are in check, validating our risk-mitigating course of action. Feedback loop: taking remediation action and keeping up an ongoing effort to improve our supply chain establishes a feedback mechanism, creating continuous improvement of our security posture and ensuring our application's reliability. Adaptive remediation: this loop of constant monitoring and remediation of our systems over time allows us to gain insights and evolve our remediation strategies, enhancing our robustness to emerging threats.
  • 35. Conclusions. Securing a supply chain is hard work and getting harder. Implementing methodologies of rigorous prioritization is the path forward. Wishing everyone a secure SDLC!
  • 37. Thank You! Questions? To be continued… https://www.linkedin.com/company/application-security-virtual-meetups