Ante Gulam - Building Resilience into Info-Sec

Post on 12-Apr-2017


Building Resilience into Information Security

Ante Gulam

$whoami

• https://uk.linkedin.com/in/agulam

• Global Head of Information Security | CISO | CSO

• Application Security Evangelist

• Security Researcher

• 13 years of experience in Information Security

• Governance and Compliance (FCA/PCI-DSS/ISO/DPA…)

• Hands-on: development of security tools (source code analysers, web fuzzers, db anti-malware etc.), incident response, forensics, penetration testing etc.

Agenda

• Introduction

• Traditional Information Security Approach

• Issues, Challenges and Indicators

• Situational Awareness in Agile Environments

• Information Security Integration into Agile SDLC

• Crowdsourced Security and Agile SDLC (Truth or Dare)

• Takeaways from Crowdsourced Platform Experiences

• Conclusion

• Q&A

Introduction

• Overview from two Opposite Perspectives

• Information Security on Auto-Pilot

• Learning from other industries

• New approaches

Traditional Info-Sec Approach

• Reusing Strategies and Frameworks

• Readiness posture

• Proactive vs. Reactive Practices

• Checkbox Compliance

• Tackling modern methodologies and processes

• People vs. Tools

• Repeating is harder than anything else. (Usain Bolt)

Issues, Challenges and Indicators

• Are we fast enough? I’ll always be chasing you…

• Rigid Processes

• Value Added Execution

• Silos - collaboration killers

• What’s coming …

• Behavioural Analysis vs. Signature Based

• Quantum Cryptography (key distribution)

• What’s next?

Situational Awareness in Agile Environments

• Fast-Paced Environment

• On-the-fly Requirement Changes

• Multiple Simultaneous Projects

• Being Agile vs. Doing Agile

• Near-real-time Risk Profile

• Risk Appetite in Agile Software Development

Security Integration into Agile SDLC

• 86 percent of web applications contain at least one 'serious' vulnerability (WhiteHat Security's “2015 Website Security Report”)

• Scaling Info-Sec Activities

• Lightweight

• Delivery in bite-sized chunks

• Early Delivery Security Challenges

Security Integration into Agile SDLC

• Developer Awareness and Training

• Preliminary Risk Assessment

• Threat Modelling

• Source Code Analysis

• Penetration Testing

• Remediation Tracking and Continuous Monitoring

Crowdsourced Information Security and Agile SDLC

• Massive Outsourcing or Voluntary Outsourcing

• Brave New World

• Tailored Security for Tailored Development

• Unlimited skill-set pools

• Phased integration

• Confidentiality issues

Takeaways from Crowdsourced Platform Experience

• Involved personally in crowdsourced assessments

• Solution Design Reviews, On-Demand PT, Bug bounties…

• Web, Mobile, External Network, API …

• World’s top researchers involved and a lot of available manpower

• New techniques, ideas and toolsets

• Extreme diversity and technology coverage

• Curated/Managed Programmes to reduce noise

• Reduced cost, increased flexibility and test coverage

Conclusion

• Info-Sec to lead, not only to follow

• Use benefits that are out there

• Resources and knowledge are around us

• Try out new approaches as traditional ones are insufficient

• Future of Information Security especially Penetration Testing

• “It pleases to experiment” (Thomas Mann)

Questions?

Thank you!