ACHIEVING SECURITY AT SPEED AND SCALE
Tara Khanna, Managing Director - Application Security
September 2018
ACCENTURE SECURITY
Copyright © 2017 Accenture Security. All rights reserved.
SECURING THE DELIVERY LIFECYCLE

Opportunities
• Change is constant and fast
• Virtualization is now a fact of life
• How do we continue delivering at speed in highly virtualized environments SECURELY?

Framework (DEV / SEC / OPS)
Accenture has developed a repeatable methodology supported by industrialized tools and processes to quickly integrate security into your SDLC.

Outcomes
• 20-30% faster development
• Up to 30x less remediation cost
• 30-50% less staff required
• Culture shift – security as part of the project team
ACHIEVING SECURITY AT SPEED AND SCALE

PROGRAM MANAGEMENT, STRATEGY, AND GOVERNANCE
Analytics & Strategy: • KPIs • Roadmap • Risk approach
Org & Dev Enablement: • Education & support • Change management & innovation • Communities & evangelists
Compliance: • Regulatory & internal • Compliance models • Measurement

FOUNDATIONAL ENABLERS
• Automation
• Job relevant security enablement and self-service tools
• Security frameworks & trusted libraries
• On demand security services
• Secure CI/CT/CD

PRODUCT DEVELOPMENT
• Security validation • Environment hardening • I&AM

OPERATIONS
• SecOps enablement • Red teaming • Threat intelligence • Security use cases
DEVSECOPS IN ACTION

Security can easily be integrated into your organization’s existing DevOps automation toolset and processes.

Lifecycle phases: Scope, Requirement, Design, Build, Test, Deploy

Example CI/CD pipeline (tools reflected are examples only):
• Commit (Committer: jdoe, Story: 25, Commit ID: 113)
• Compile & Package
• Code Analysis
• Run Unit Tests
• Create ST env, Deploy Code, Load Test Data, Run Test Harness, Tear down ST env
• Create clustered env, Deploy Code, Run Perf Test, Run Security Test, Run Ops Test, Tear down ST env
Security testing in the pipeline is both Static (code analysis at build time) and Dynamic (security tests against the deployed environment).

Requirements & design practices:
• Standard User Stories
• Checklists, job aids
• Threat modeling
• Security Review
• “Security runway” – epics/initiatives
• Risk Rating
Outputs: User Stories / requirements / Test Cases / priority

Self Service Capabilities:
• Training availability
• Security team engagement
• Templates / job aids / checklists

Build & test tooling: Static Code Scans – IDE, BDD Security, Config mgmt, Containers

Ongoing Operations:
• Pentest & Simulation
• Vulnerability Scanning
• Logging/Monitoring
• Data Security
• IR
• Vulnerability management
• Governance
• FW Mgmt & Runtime
• IAM
• White Listing
• Malware & HIPS

Teams and inputs: Scrum Teams, “Platform Teams”, CI/CD Team (tools, monitoring, etc.), Stakeholders (input, feature requests, backlog), KPIs & Reporting

Security Team (onshore or offshore):
• Interprets report results & tunes tools
• Assists with remediation direction
• Provides on demand, self service capabilities

Note: tools reflected are examples only
HOW ACCENTURE CAN HELP

1. GOVERNANCE IMPLEMENTATION
Maturity Assessment, Trainings, KPI Framework & Implementation, Process engineering & implementation, Tool rationalization & optimization, and Change Management

2. THREAT MODELING AS A SERVICE
Scalable staffing model and Threat modeling on demand

3. ENVIRONMENT BUILD AND RUN
Build and/or enhance a custom DevSecOps environment with automation scripts, with security embedded in the life cycle

4. CONTINUOUS SECURITY TESTING
Enable continuous security testing with static and dynamic tests in the CI/CD pipeline; perform penetration testing, cloud application security testing, and automation with various vendor toolsets

5. SECURE OPERATIONS AND MONITORING
SIEM integration, Ongoing operations support

6. SELF SERVICE CAPABILITIES
Security Advisory, Secure requirements, On Demand Security services, and Ongoing Operational support
KEY DIFFERENTIATORS
• TaaS (Testing as a Service) Platform
• Client Experience Demo Environment
• ADOP Platform