imvision ltd. proprietary and confidential
TRANSCRIPT
The business perspective
The organizational perspective
Tomorrow’s application security leader: What you need to know to influence secure API development and be relevant
The new application security standards: How to restructure your appsec program to enable greater visibility and control
From business context to risk assessment: Why securing tomorrow's applications begins with assessing your business risks today
The individual perspective
How enterprises secure their APIs
Operating globally
Founded 2016
Holistic offering
Proven at scale: +20B API TPM
Protect your APIs wherever they are, throughout their lifecycle.
80% of enterprises enable external access to data via APIs
Types of APIs used by Organizations
Source: Imvision Enterprise API Security Survey 2021
The business reliance on APIs is intensifying
Company’s API Strategy
Source: Imvision Enterprise API Security Survey 2021
“API security will continue being a key theme in enterprise application management as application architectures continue evolving. The adoption of cloud-native architectures, for example, calls for a complete reassessment of how APIs are deployed and managed, and how they may lead to new security vulnerabilities.”
Ariana Leena Lavanya, Analyst, The Fast Mode
©2021 Mastercard. Proprietary and Confidential
Imvision Webinar, June 2, 2021
Sidney Gottesman
Mastercard’s Business - Mastercard is a technology company in the global payments industry that connects consumers, financial institutions, merchants, governments, digital partners, businesses and other organizations worldwide, enabling them to use electronic forms of payment instead of cash and checks.
Trends that shape our markets are accelerating… creating a crisis of trust
• Malicious Actors
• Exponential growth in data
• Digital Convergence & IoT: weak built-in security; concerns over data security and privacy
• Age of AI: disrupting industries
• Digitally Native Generation: tempted to trade security for experience
• Ransomware
• Supply Chain: integration risk
Evolving consumer touchpoints create opportunities and threats
THEN: Counterfeit, ADC, Lost & Stolen
NOW: ID Theft, Account Takeover
Simple vs. Security
How do you authenticate the account? Magstripe, CNP, CVC2, Device, EMV Chip, Token
How do you verify the consumer identity? PIN, Password, Address, Geolocation, Biometrics
How do you authorize the transaction? Blocks, Alerts, Monitor, Predictive Analytics, Dynamic Rules, TXN Decisions, Biometrics
Responding to stakeholders’ needs with a multi-layered security strategy
Enablers: Data & AI, Standards, Multiple rails
Segments: Banks & Fintechs, Merchants, Consumers, Governments, SME / B2B
Domains:
• Network: connecting and securing stakeholders to services
• Experience: physical & digital experiences that grow commerce
• Detect: stop cyber attacks, reduce fraud and find weaknesses
• Identify: identify genuine consumers, devices, companies
• Prevent: secure physical, digital and IoT worlds
Copyright © 2021 HCL Technologies Limited | www.hcltech.com
Copyright © 2021 HCL Technologies Limited | www.hcltechsw.com
Trends Affecting Business Risk and Security Priorities
Imvision, June 2021
Rob Cuddy, Global Application Security Evangelist, [email protected]
About Me
• Global Application Security Evangelist for HCL
• Went to USC, BS AE ‘92
• Live in Southern California
• @Robservatory
How Can We Possibly Expect to Handle All This?
Current Trends Affecting Risk and Priorities
SecDevOps or DevSecOps: Security and Speed
• Good read: https://devops.com/secdevops-is-the-solution-to-cybersecurity
• 77% adopting DevSecOps for the majority of apps [1]
• Only 51% integrate development and security testing [2]
What’s My Real Risk? Prioritize with Accuracy
• Balance vulnerabilities with exposure and likelihood.
• Know what needs to be fixed first.
• 76% of retail apps have flaws [5]
• 26% of retail apps have critical flaws [5]
• Example: 10,000 servers need to be patched, but which ones are exposed vs. more protected?
The Right Training Makes a Huge Difference: Building the Right Skill
• 70% say that faster release cycles put applications at risk due to less time for testing [2]
• Sonatype: Developers that get meaningful secure coding training are 5x more likely to be happy in their jobs. [3]
Developer Friendly Threat Modelling: Security by Design
• Puppet Labs 2019 State of DevOps top practice that affects security posture: security and development teams collaborate on threat models [4]
• Great session on this from Alyssa Miller during SnykCon 2020: User Story Threat Modeling – It’s the DevSecOps Way
Biggest Impact for AppSec
Know What You Have: You can’t secure what you don’t know!
Decide What and How to Disseminate: Great collaboration requires great communication
Depth THEN Breadth (if you don’t get anything else, get this!): Better to get a few teams healthy & mature vs. trying to get everyone to “level 1” at once
Is Security a Noise, Nuisance or Necessity?
NOISE: You report everything, every time
• The problem: False positives erode trust
NUISANCE: Only interact over incident/problem
• When do you say “yes”?
• Do you understand your impact to their world?
NECESSITY: Teams understand the value you bring
• You help prioritize and fix (manage backlog)
• You are a partner finding ways to safely enable
• You prevent disaster
• On average, vulnerabilities can go undetected for over 4 years in open-source projects before disclosure
Source: https://twitter.com/HistoryMuppet/status/1313579832807170050
Know What is Most Important
Good Metrics are Better than Good Guesses
1. Application Inventory
• ALL organization apps, based on business risk, and report current risk rating
2. Development and Team Health
• Most common vulnerabilities
• Improvement (reduction in vulnerabilities being introduced to apps) over time
3. Vulnerabilities Managed
• Per application trends
• Amount of security issues being remediated
• Break down by severity of issues
• Managed in backlog
4. Scan Health
• Coverage model ACROSS your applications
• Coverage model OF your applications
• Policies reviewed and updated