© Pactera. Confidential. All Rights Reserved.
Cybersecurity & Application Security Trend
Pactera Cybersecurity Services, August 2016
Agenda
Application Security Trend
Cloud Security Trend
DevOps Security (SecDevOps) Trend
Introduce Pactera Cybersecurity Services
Application Security Survey
38% have a "maturing" Application Security program
40% have documented approaches and policies to which third-party software vendors must adhere
41% named public-facing web applications as the leading cause of breaches
Source: SANS 2016 Application Security Survey - 475 respondents
Critical Vulnerabilities Caused by Coding Issues
38%
Source: SANS 2016 Application Security Survey
Time to Patch Critical Application Vulnerabilities
Source: SANS 2016 Application Security Survey
Maturity of Application Security Programs from Survey
62.8%
Source: SANS 2016 Application Security Survey
Top Application Security Concerns
Source: SANS 2016 Application Security Survey
1. Lack of application security skills, tools, and methods
2. Lack of funding and management buy-in
3. Silos between security, development and business units
4. Identifying all applications in the portfolio
5. Fear of modifying production code (might “break the app”)
Top Application Security Processes and Controls in Place
Source: SANS 2016 Application Security Survey
Most bang for the buck!
1. Train developers on application security
2. Perform periodic vulnerability scanning
3. Inventory and assess all applications
4. Commission penetration testing by a third party
5. Use internal penetration testing
6. Incorporate continuous vulnerability scanning (dynamic scanning)
Application Security: Distribution of Malicious Attacks
Attack Types: DT, HTTP, RFI, Spam, SQLi, and XSS attacks
Source: 2016 Imperva Web Application Attack Report Ed. 6
2.5 times more Cross-Site Scripting attacks
3 times more SQL Injection attacks
3 out of 4 applications were targeted
Cloud Adoption
Source: CloudPassage 2016 Security Survey Report
79% of respondents are either in planning or trial stages, currently implementing, or in active production cloud environments
Top Cloud Service Delivery and Providers
Source: CloudPassage 2016 Security Survey Report
Barriers to Cloud Adoption
Source: CloudPassage 2016 Security Survey Report
Cloud Security Concerns
Source: CloudPassage 2016 Security Survey Report
Biggest Security Threats in Public Cloud
Source: CloudPassage 2016 Security Survey Report
Top Cloud Security Concerns
Source: CloudPassage 2016 Security Survey Report
DevOps Security (SecDevOps) - Pay Attention to Security
Conducting a security review process for all major features without slowing down development
Integrating security testing & controls into the SDLC - Dev, QA & Ops (including design review, demo review, demo feedback)
Automating the security testing process to include testing the security requirements
The App Security group makes pre-approved, easy-to-use libraries, packages, toolchains and processes available for developers and IT Ops
2016 State of DevOps Report – by Puppet + DORA
Results:
Security is an integral part of continuous delivery
High performers spend 50% less time remediating security issues
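The slide above lists the practices (automated security testing that also covers the stated security requirements, continuous vulnerability scanning, and a time-to-patch discipline) without showing what an automated gate looks like in a pipeline. The following is an added example, not Pactera's code and not taken from the State of DevOps report: a minimal Python "security gate" that a CI job could run after a scan. The finding format, the SLA days per severity, the requirement names and the sample findings are all constructed for this demonstration.

```python
"""Added example of a CI security gate (not Pactera's code). It blocks a build
when scan findings violate a constructed policy or when a required security
test was not executed, which is the 'testing the security requirements' idea."""
from dataclasses import dataclass
from datetime import date

# Assumed remediation SLA in days per severity (constructed policy, not from the deck).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Security requirements that must be covered by an automated test in every run.
# The names are constructed placeholders for this example.
REQUIRED_SECURITY_TESTS = {
    "input-validation",   # e.g. SQLi / XSS regression tests
    "authn-session",      # e.g. session handling and logout tests
    "dependency-scan",    # e.g. known-vulnerable library check
}


@dataclass
class Finding:
    app: str
    severity: str
    title: str
    first_seen: date
    public_facing: bool


def overdue_findings(findings, today):
    """Return (finding, days_past_sla) for findings older than their severity's SLA."""
    out = []
    for f in findings:
        sla = PATCH_SLA_DAYS.get(f.severity.lower())
        if sla is None:
            continue  # unknown severity: not an SLA question, handled elsewhere
        age = (today - f.first_seen).days
        if age > sla:
            out.append((f, age - sla))
    return out


def missing_security_tests(executed_tests):
    """Required security requirements with no automated test in the executed set."""
    return sorted(REQUIRED_SECURITY_TESTS - set(executed_tests))


def evaluate_gate(findings, executed_tests, today):
    """Decide whether the build may proceed. Returns (ok, reasons).
    Blocks on: any open critical finding; any high finding in a public-facing app
    (the survey's leading breach cause); any finding past its SLA; and any
    required security test that was not run."""
    reasons = []
    for f in findings:
        sev = f.severity.lower()
        if sev == "critical":
            reasons.append(f"{f.app}: open critical finding '{f.title}'")
        elif sev == "high" and f.public_facing:
            reasons.append(f"{f.app}: high finding '{f.title}' in public-facing app")
    for f, days_over in overdue_findings(findings, today):
        reasons.append(f"{f.app}: '{f.title}' is {days_over} day(s) past its {f.severity} SLA")
    for name in missing_security_tests(executed_tests):
        reasons.append(f"required security test not run: {name}")
    return (not reasons, reasons)


# Constructed sample scan results and test manifest for the demo run.
SAMPLE_FINDINGS = [
    Finding("web-portal", "high", "reflected XSS in search", date(2016, 7, 1), True),
    Finding("batch-job", "medium", "outdated logging library", date(2016, 3, 1), False),
    Finding("web-portal", "low", "verbose server header", date(2016, 8, 1), True),
]
SAMPLE_TESTS_RUN = ["input-validation", "dependency-scan"]
GATE_DATE = date(2016, 8, 15)  # constructed "today" so the demo is deterministic

if __name__ == "__main__":
    ok, reasons = evaluate_gate(SAMPLE_FINDINGS, SAMPLE_TESTS_RUN, GATE_DATE)
    print("GATE PASSED" if ok else "GATE FAILED")
    for r in reasons:
        print(" -", r)
```

Run as a pipeline step, a non-empty `reasons` list is what gets printed to the build log and turned into a failing exit code; the same structure works for any scanner whose output you can map onto the `Finding` shape. The SLA check is what turns the survey's "time to patch" figure into something the pipeline enforces instead of merely reports.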
Pactera Cybersecurity Services: Introduction
Who’s Pactera - Serving Top Global Brands Across Key Industries
[Chart: revenue by industry - BFSI, Technology, Telecom, Manufacturing & Retail, Others (shares shown: 35%, 43%, 8%, 12%, 2%); by region - North America & EU 42%, Greater China 47%, Asia Pacific 11%]
Source: Pactera, 2015 estimated revenue data
Pactera: Exceptional Record of Security, Privacy and Quality
Security is a top priority for Pactera and our clients.
We are proud of our consistent track record of meeting and exceeding customer expectations for security and quality among our facilities, people and processes.
Security & Quality
ISO 9001 (1st China-based IT services firm to be ISO certified)
1st China-based IT services firm to pass SEI-CMM company-wide Level 5 in 2003
Personal Information Protection Assessment (PIPA) certified in 2009
IAOP (Intl Association of Outsourcing Professionals) Exclusive COP Partner in China
Strict leverage of this methodology in daily operations
ISO 27001 Certified Since 2006
Passed CMMI Level 5 in 2008
#1 in security infrastructure among Microsoft Offshore Facilities (OFs) worldwide, 2011-12.
“Grade A” Microsoft Procurement 2012 ranking in Service Quality & Satisfaction.
Pactera Cybersecurity Services Centers of Excellence (COE)
© Pactera. SEC COE Confidential. All Rights Reserved.
Cybersecurity COE is an experienced global team with security expertise to deliver customer-centric security services.
Pactera Cybersecurity Services Capabilities
Why Pactera Cybersecurity Services?
Industry Top
Security Pros
Security Software Partner
Asia and U.S. Elite Teams
BFSI, Gov, Healthcare, Regulatory Experience
Privacy Experience
App Sec Training Provider
Cybersecurity & Privacy Program Consulting
• Improve Threat Prevention, Detection, & Response Capability
• Privacy Program Development & Consulting
Application Vulnerability / Penetration Testing
• Reduce Risk by Remediating Threats
• SecDevOps (Improve Security in DevOps)
Application Secure Coding Practice Training
• Reduce Vulnerabilities via Secure Coding Practice
Third-party Supplier Security Risk Management
• Manage Security Risks Posed by Suppliers
Client References
• For major financial institutions
– Performed third-party security assessments, helped suppliers to enhance security and reduce the client's third-party risk exposure
– Performed application security assessments and provided recommendations for remediation to enhance protection
– Conducted security vulnerability assessments
– Participated in cybersecurity incident response and root cause analysis
• For a Fortune 50 software firm
– Performed information security consulting
– Application vulnerability assessment and management, regulatory compliance
– Ensured security compliance for over 2000 applications through threat modeling, secure code review, vulnerability assessment and privacy compliance processes in agile and DevOps environments
• For a major international airline and a leading mobile phone provider
– Performed application vulnerability assessments in agile and DevOps environments
– Conducted web and mobile application penetration testing
– Ensured security weaknesses were identified and remediated
– Prevented leaks of sensitive information
• For a major member loyalty program management firm
– Performed data privacy governance and ISO 27001 certification program development
– Conducted security assessment, penetration testing / vulnerability assessment
– Helped the client attain ISO 27001 certification
• For a leading Australian Telco
– Performed IT security maturity assessments and penetration testing services for its newly acquired entity in China
– Assisted the client in constructing a 2-year roadmap to raise security maturity to the expected level
Q&A
Thank You
www.Pactera.com
Kyle Lai
CISSP, CSSLP, CISA, CIPP/US/G
CISO, Head of Security Services
http://Linkedin.com/in/kylelai
@KyleOnCyber