Aruneesh Salhotra
Fractional CISO, Author, Podcaster, Blogger
New York City, New York, United States
• Experienced Technologist/Generalist with 22+ years of experience spanning Development, DevSecOps, PMO, CI/CD, Automation, Cloud Computing, Infrastructure, Virtualization, Security
• CISSP, CKA/CKAD, AWS and PMP/RMP certified
• Expertise in coordinating diverse teams and resources to complete objectives.
• Organized and detail-oriented with a proactive and hard-working nature.
Practical Step-by-step Guide for Organizations to embrace AI Safely and Securely
As the wave of artificial intelligence (AI) innovation continues to swell, organizations across the globe are at a crossroads: how to harness the power of AI in a way that's beneficial, responsible, and aligned with their goals. This journey, while full of potential, is also riddled with challenges—from navigating complex regulations to ensuring ethical use and managing risks. This presentation outlines a human-centric, practical framework for organizations looking to embrace AI, covering everything from identifying the right opportunities to rolling out AI solutions in a controlled and monitored environment.
We start with the crucial first step: pinpointing where AI can truly make a difference in your organization. This means looking beyond the hype to find genuine use cases where AI can solve real problems, improve efficiency, or unlock new opportunities. It's about asking, "Where can AI add the most value here?" and "How does this align with our broader mission?"
Recognizing the importance of guidance and oversight, we delve into the creation of a steering committee—a diverse team of leaders who can shepherd AI initiatives from a strategic vantage point. This group acts as the bridge between lofty AI goals and grounded, everyday operations, ensuring that AI efforts are not just technologically sound but also in sync with business objectives and ethical standards.
We explore strategies for weaving regulatory compliance into the fabric of AI projects, ensuring that legal and ethical standards are met at every turn.
Continuous monitoring of AI systems is essential to ensure they perform as expected, remain compliant over time, and adapt to new challenges and opportunities. This involves setting up mechanisms for ongoing oversight, performance evaluation, and, when necessary, recalibration.
Code Generation - Advantages, Risks and Mitigation Controls
Imagine stepping into a world where the software writes itself, where ideas turn into code at the speed of thought. This is not a distant dream but today's reality with Generative Artificial Intelligence (AI) in code generation. This presentation guides you through understanding this breakthrough, celebrating its benefits, navigating the tricky waters of licensing, and laying out a roadmap for safely introducing it into your projects.
First, let's talk perks. Generative AI is transforming how we approach software development, making it faster, more creative, and accessible to a broader range of thinkers and makers. It's not just about speed; it's about bringing new ideas to life that we couldn't tackle before because manual coding was too complex or time-consuming.
How do we bring this technology into our work safely and effectively? It's not as simple as flipping a switch. We need a plan that considers everything from picking suitable projects for AI code generation to ensuring that every piece of code respects privacy, security, and legal boundaries. The talk will focus on practical steps to evaluate, implement, and monitor Generative AI tools in your coding workflow, ensuring they become a source of innovation rather than a cause for concern.
Breaking the Silos in Order to Get the App Security Program Sold across the Org and Be Successful
Disclaimer
• The plan and presentation reflect the intended security posture
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST, DAST, IAST, RASP
• Containers
o Image, Runtime, Registry Scanning
Teams
• Build bonds between teams
• Involve teams
• Buildup support
• Sell security to tech
Bringing teams together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why a big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No one size fits all
Practical approach(es) to build a successful AppSec Program without friction
Disclaimer
• The plan and presentation reflect the intended security posture
• 100% NexusIQ compliance is a work in progress
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers
Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards baby steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why a big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No one size fits all
• This has to be reviewed with multiple teams, and discussed at various forums
• Changes to policies need to be a controlled process
• Granting waivers
o Practical considerations for granting waivers to quarantine artifacts
o Practical considerations for granting waivers at application level
Effective ways to embed security scanning into your SDLC Build Pipeline
Embedding SAST and SCA into your pipeline, in order to find both the vulnerabilities in your own code and the vulnerabilities in the open source libraries that you are consuming
Implementing App Security Program with emphasis on SCA - Lessons and Feedback
Disclaimer
• The plan and presentation reflect the intended security posture
• 100% NexusIQ compliance is a work in progress
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
SCA domain
• Good, bad and ugly
• License - why companies need to have a handle on the licenses of the open source libraries used in their application estate
• Vulnerabilities
• How the use of open source libraries has evolved
Why we use NexusIQ
• How it works - a refresher
• Importance of NexusIQ Firewall in addition to Lifecycle and Auditor
• How to arrive at Effective Policies for Root Organization, Organization and Applications
Audit Requirements
• Handling audit - Nomura's story
• Integration with CMDB
Mandating NexusIQ scan across the estate
• Nomura's journey so far
• Actionable Metrics
• Buy-in from Top Down
Exception handling
• Care that is required if you are in a regulated industry
• Being Proactive
Remediation
• We built the waiver workflow and developers are happy with the lean waiver process. But what next: how do you remediate the inherent risk once the waivers expire?
Breaking the Silos in Order to Get the App Security Program Sold across the Organization and Be Successful
Disclaimer
• The plan and presentation reflect the intended security posture
• 100% NexusIQ compliance is a work in progress
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers
Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards baby steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why a big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No one size fits all
• This has to be reviewed with multiple teams, and discussed at various forums
• Changes to policies need to be a controlled process
• Granting waivers
o Practical considerations for granting waivers to quarantine artifacts
o Practical considerations for granting waivers at application level