Disclaimer
• The plan and presentation reflects the intended security posture
• 100% compliance of NexusIQ is WIP
• This talk is based on the experience, lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o CodeCov
o SonarQube data breach
Demystify the Application Security Domain
• SCA
o Open Source
• Code Security
o SAST
o DAST
o IAST
o RASP
• Container Scanning
o Image Scanning
o Runtime Scanning
o Registry Scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers

Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• Practical approach towards baby steps to address the vulnerabilities that you have in your organization
• Prioritization is key
• Why big bang approach may not be the right approach
• Pros and Cons of grandfathering vulnerabilities
o Practical approach towards grandfathering and tracking the tech debt
Policy Management
• Creating root level policies is an art
• No size fit all
• This has to be reviewed with multiple teams, and discussed at various forums
• Changes to policies needs to be a controlled process
• Granting waivers
o Practical considerations for granting waivers to quarantine artifacts
o Practical considerations for granting waivers at application level