Disclaimer
• The plan and presentation reflects the intended security posture
• 100% compliance of NexusIQ is WIP
• This talk is based on the experience, lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
SCA domain
• Good, bad and ugly
• License - why companies look have a handle on the associated license for open source licenses used in their application estate
• Vulnerabilities
• How the use of open source of library has evolved
Why we use NexusIQ
• How is works - a refresher
• Importance of NexusIQ Firewall in addition to Lifecycle and Auditor
• How to arrive at Effective Policies for Root Organization, Organization and Applications
Audit Requirements
• Handling audit - Nomura's story
• Integration with CMDB
Mandating NexusIQ scan across the estate
• Nomura's journey so far
• Actionable Metrics
• Buy-in from Top Down
Exception handling
• Care that is required if you are in regulated industry
• Being Proactive
Remediation
• We built the waiver workflow and developers are happy with lean waiver process. But what next, how do you remediate the inherent risk after waiver are going to expire