Speaker

Aruneesh Salhotra

Fractional CISO, Author, Podcaster, Blogger

New York City, New York, United States

• Experienced Technologist/Generalist with 22+ years of experience spanning Development, DevSecOps, PMO, CI/CD, Automation, Cloud Computing, Infrastructure, Virtualization and Security
• CISSP, CKA/CKAD, AWS and PMP/RMP certified
• Expertise in coordinating diverse teams and resources to complete objectives.
• Organized and detail-oriented, with a proactive and hard-working nature.

Area of Expertise

  • Information & Communications Technology
  • Law & Regulation

Topics

  • Application Security
  • Software Bill of Materials
  • cyber security
  • Kubernetes
  • Kubernetes Security
  • GenAI
  • Infrastructure as code (IaC) security and policy-as-code
  • Low Code
  • Artificial Intelligence
  • generative ai
  • Applied Generative AI
  • Infrastructure as Code
  • Code Reviews

Practical approach(es) to building a successful AppSec Program without friction

Disclaimer
• The plan and presentation reflect the intended security posture
• 100% compliance with NexusIQ is WIP
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers

Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards baby steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No one size fits all
• This has to be reviewed with multiple teams and discussed at various forums
• Changes to policies need to be a controlled process
• Granting waivers
o Practical considerations for granting waivers to quarantine artifacts
o Practical considerations for granting waivers at application level

Implementing App Security Program with emphasis on SCA - Lessons and Feedback

More than 80% of applications use open source and have at least one vulnerability waiting to be exploited. We will talk about ways you can find out whether your application is vulnerable and ways to remediate the vulnerability.

CycloneDX - generate the S/W Bill of Material for your App, thus helping you manage your risk

CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis.

Effective ways to embed security scanning into your SDLC Build Pipeline

Embedding SAST and SCA into your pipeline, in order to find a cross section of vulnerabilities in your own code as well as vulnerabilities in the open source libraries that you are consuming.

Implementing App Security Program with emphasis on SCA - Lessons and Feedback

Disclaimer
• The plan and presentation reflect the intended security posture
• 100% compliance with NexusIQ is WIP
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
SCA domain
• Good, bad and ugly
• License - why companies need to have a handle on the licenses of the open source components used in their application estate
• Vulnerabilities
• How the use of open source libraries has evolved
Why we use NexusIQ
• How it works - a refresher
• Importance of NexusIQ Firewall in addition to Lifecycle and Auditor
• How to arrive at Effective Policies for Root Organization, Organization and Applications
Audit Requirements
• Handling audit - Nomura's story
• Integration with CMDB
Mandating NexusIQ scan across the estate
• Nomura's journey so far
• Actionable Metrics
• Buy-in from Top Down
Exception handling
• Care that is required if you are in a regulated industry
• Being Proactive
Remediation
• We built the waiver workflow and developers are happy with the lean waiver process. But what next? How do you remediate the inherent risk once the waivers expire?

Breaking the Silos in order to get the App Security Program sold across the Organization and make it Successful

Disclaimer
• The plan and presentation reflect the intended security posture
• 100% compliance with NexusIQ is WIP
• This talk is based on experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers

Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards baby steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No one size fits all
• This has to be reviewed with multiple teams and discussed at various forums
• Changes to policies need to be a controlled process
• Granting waivers
o Practical considerations for granting waivers to quarantine artifacts
o Practical considerations for granting waivers at application level
