Implementing App Security Program with emphasis on SCA - Lessons and Feedback
Disclaimer
• The plan and presentation reflect the intended security posture
• 100% NexusIQ compliance is still a work in progress (WIP)
• This talk is based on hands-on experience and the lessons learned along the way
Supply Chain Attacks
• Attack vectors
• Supply chain attacks - widely known breaches/exploits
  o Equifax
  o SolarWinds
  o Linksys/Cisco - GPL license
  o Codecov
  o SonarQube data breach
Demystify the Application Security Domain
• SCA (Software Composition Analysis)
  o Open source
• Code Security
  o SAST
  o DAST
  o IAST
  o RASP
• Container Scanning
  o Image scanning
  o Runtime scanning
  o Registry scanning
SCA Domain
• The good, the bad and the ugly
• Licenses - why companies need a handle on the licenses of the open source libraries used across their application estate
• Vulnerabilities
• How the use of open source libraries has evolved
Why We Use NexusIQ
• How it works - a refresher
• Why NexusIQ Firewall matters in addition to Lifecycle and Auditor
• How to arrive at effective policies at the Root Organization, Organization and Application levels
Audit Requirements
• Handling audit - Nomura's story
• Integration with CMDB
Mandating NexusIQ scan across the estate
• Nomura's journey so far
• Actionable Metrics
• Buy-in from Top Down
Exception handling
• Care that is required if you are in regulated industry
• Being Proactive
Remediation
• We built a waiver workflow, and developers are happy with the lean waiver process. But what next: how do you remediate the inherent risk once those waivers expire?
Aruneesh Salhotra
Fractional CISO, Author, Podcaster, Blogger
New York City, New York, United States