Session
Practical approaches to building a successful AppSec program without friction
Disclaimer
• The plan and presentation reflect the intended security posture
• 100% compliance with NexusIQ policies is work in progress
• This talk is based on first-hand experience and lessons learned
Supply Chain Attack
• Attack vectors
• Supply Chain Attacks - Widely known breaches/exploits
o Equifax
o SolarWinds
o Linksys/Cisco - GPL license
o Codecov
o SonarQube data breach
Demystify the Application Security Domain
• SCA (software composition analysis)
o Open source dependencies
• Code Security
o SAST (static application security testing)
o DAST (dynamic application security testing)
o IAST (interactive application security testing)
o RASP (runtime application self-protection)
• Container Scanning
o Image scanning
o Runtime scanning
o Registry scanning
Teams
• How to build bonds between the teams
• How to involve the teams
• How to build up support
• How to sell security to developers
Bringing the following together
• Legal
• Risk and Control
• IT Security
• IT Management
• Learning
Lessons Learned
• A practical, incremental approach to addressing the vulnerabilities already present in your organization
• Prioritization is key
• Why a big-bang approach may not be the right one
• Pros and cons of grandfathering existing vulnerabilities
o A practical approach to grandfathering and tracking the resulting tech debt
Policy Management
• Creating root-level policies is an art
• No one size fits all
• Policies have to be reviewed with multiple teams and discussed at various forums
• Changes to policies need to be a controlled process
• Granting waivers
o Practical considerations for granting waivers on quarantined artifacts
o Practical considerations for granting waivers at the application level
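The two points above (grandfathering existing findings as tracked tech debt under Lessons Learned, and scoping waivers to a single artifact versus a whole application under Policy Management) can be expressed as one build gate. The following is an added example written for this page, not the speaker's code and not NexusIQ's policy engine; the thresholds, the baseline date, the 180-day remediation window, the component names and the VULN-n identifiers are all assumptions or constructed sample data.

```python
"""Added example (not from the talk): grandfathering SCA findings and
applying scoped, expiring waivers in a build gate.

The policy modelled here is an assumption for illustration, not the speaker's:
- a finding first seen before BASELINE is grandfathered tech debt and only
  tracked until GRANDFATHER_DEADLINE, after which it blocks like new debt
- critical findings (score >= CRITICAL_SCORE) always block, never grandfathered
- a new finding blocks at score >= BLOCK_SCORE
- a waiver suppresses a finding only while unexpired and only inside its scope:
  "artifact" waivers cover one component@version, "application" waivers cover
  every occurrence of that vulnerability id in the application
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

BASELINE = date(2023, 1, 1)                              # assumed cutoff date
GRANDFATHER_DEADLINE = BASELINE + timedelta(days=180)    # 2023-06-30
BLOCK_SCORE = 7.0
CRITICAL_SCORE = 9.0


@dataclass(frozen=True)
class Finding:
    app: str
    component: str
    version: str
    vuln_id: str        # constructed ids (VULN-n), not real CVEs
    score: float        # CVSS-style 0..10
    first_seen: date


@dataclass(frozen=True)
class Waiver:
    app: str
    vuln_id: str
    scope: str          # "artifact" or "application"
    expires: date
    component: Optional[str] = None   # required for artifact scope
    version: Optional[str] = None


def waiver_applies(w: Waiver, f: Finding, today: date) -> bool:
    """True only if the waiver is unexpired, for this app and vuln, and in scope."""
    if w.app != f.app or w.vuln_id != f.vuln_id or today > w.expires:
        return False
    if w.scope == "application":
        return True
    if w.scope == "artifact":
        return w.component == f.component and w.version == f.version
    raise ValueError(f"unknown waiver scope {w.scope!r}")


def evaluate(f: Finding, waivers: List[Waiver], today: date) -> Tuple[str, str]:
    """Return (decision, reason); decision is pass, track, waived or block."""
    if any(waiver_applies(w, f, today) for w in waivers):
        return "waived", "active waiver in scope"
    if f.score >= CRITICAL_SCORE:
        return "block", "critical findings are never grandfathered"
    if f.first_seen < BASELINE:
        if today > GRANDFATHER_DEADLINE:
            return "block", f"grandfather deadline {GRANDFATHER_DEADLINE} passed"
        return "track", f"grandfathered tech debt, fix by {GRANDFATHER_DEADLINE}"
    if f.score >= BLOCK_SCORE:
        return "block", "new finding at or above block threshold"
    return "pass", "below block threshold"


def gate(findings: List[Finding], waivers: List[Waiver], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate every finding; the key is component@version:vuln_id."""
    return {f"{f.component}@{f.version}:{f.vuln_id}": evaluate(f, waivers, today)
            for f in findings}


def build_allowed(results: Dict[str, Tuple[str, str]]) -> bool:
    """The build passes only if nothing is blocked; tracked debt is reported, not fatal."""
    return not any(decision == "block" for decision, _ in results.values())


# Constructed sample scan of one application; not real components or advisories.
SAMPLE_FINDINGS = [
    Finding("payments", "log-lib", "1.2.0", "VULN-1", 9.8, date(2022, 6, 1)),   # old but critical
    Finding("payments", "xml-lib", "2.0", "VULN-2", 7.5, date(2022, 9, 1)),     # grandfathered
    Finding("payments", "http-lib", "3.1", "VULN-3", 8.1, date(2023, 2, 15)),   # new, waived
    Finding("payments", "http-lib", "3.2", "VULN-3", 8.1, date(2023, 2, 20)),   # new, not covered
    Finding("payments", "json-lib", "1.0", "VULN-4", 4.0, date(2023, 2, 20)),   # new, low
]
SAMPLE_WAIVERS = [
    # artifact-scoped: covers only http-lib 3.1, not 3.2 with the same vuln id
    Waiver("payments", "VULN-3", "artifact", date(2023, 4, 1), "http-lib", "3.1"),
    # application-scoped but already expired: must not suppress VULN-2
    Waiver("payments", "VULN-2", "application", date(2023, 2, 1)),
]


def run_gate(today_iso: str) -> Dict[str, Tuple[str, str]]:
    """Run the gate over the constructed sample as of the given ISO date."""
    return gate(SAMPLE_FINDINGS, SAMPLE_WAIVERS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for today in ("2023-03-01", "2023-08-01"):
        results = run_gate(today)
        print(f"== {today}: build {'allowed' if build_allowed(results) else 'BLOCKED'}")
        for key, (decision, reason) in results.items():
            print(f"  {decision:6} {key:24} {reason}")
```

Running it on two dates shows the behaviours the outline calls out: the critical finding blocks even though it predates the baseline, the grandfathered finding is only tracked until the deadline and then blocks, the artifact-scoped waiver covers one version but not the next, and an expired waiver suppresses nothing. Keep the waiver list under the same change control as the policy itself, since an unbounded or unscoped waiver is the easiest way to silently lose a finding.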
Aruneesh Salhotra
Fractional CISO, Author, Podcaster, Blogger
New York City, New York, United States