As many enterprises begin their journey to innovate and differentiate their products through the use of technology built in Devops mindsets and Agile methods and head down the road to “Application Economy”, this drives a high velocity of changes for application security, how can we get ahead? Join Capgemini to learn how the byproduct of IoT is a more connected enterprise and nation that will require new secure and resilient ways of software design, coding, testing (SLDC) and new frameworks to secure and make an attack resilient IoT ecosystem. Presented at HPE Discover Las Vegas 2016.

1. Failing and Failing
fast in AppDev
How do we keep up in AppSec?
Oz Deally- Vice President,
Cybersecurity Practice Lead: Capgemini
Gopal Padinjaruveetil –
Cybersecurity Thought leader and Strategist: Capgemini

2. Preys and Predators – The natural world is a hostile place
Human evilness cannot be eliminated
4
The only difference:
humans do bad
things not for
survival, but
pleasure and other
unknown reasons

3. We are tired of catching up.. We need resilience
5
A fever is a symptom. There's an underlying disease that causes it. Giving you a fever (sitting in a sauna)
doesn't make you sick, and getting rid of the fever (in a cold bath, for example) doesn't always get rid of the
illness…
Spending time and money gaming symptoms and effects is common and urgent, but it's often true that you'd
be better off focusing on the disease (the cause) instead.
– Seth Godin
Security vulnerability is a symptom,
The root cause is always something else

4. Technology growing at an exponential rate
If technology is growing at exponential rate and if we do nothing, the security threats too would rise exponentially..
6
263 = 18,446,744,073,709,551,615
IPV4= 4 Billion devices(size of postage stamp)
IPV6 = 340 Trillion Trillion Trillion (Undecilion) devices (Size of
Solar system)
50 billion Connected Devices by 2020
9.9 Trillion market Value
Over 80 trillion email spam messages a year
Connected Cars, Connected cities, Connected
Devices 2025?
Connected Bodies (BYBN ) 2035?
Finally Singularity* in 2045?

5. The Future of Application Security, Let us look at some Facts
7
In the future, the Internet of Things is likely to mold our virtual and
physical worlds together in ways that is difficult to comprehend.
– There will be 50 Billion Connected Devices by 2020
– 92% of Current IOT Devices are is Vulnerable*
– 80% of the applications are Vulnerable and 60% of them critical
vulnerabilities
– That means if we don’t change, in 2020 we will have 36.8
Vulnerable devices
As the physical objects in our everyday lives become more connected
and as they start to increasingly detect and share observations about
us, they also could become the bridge to facilitate attacks on other
systems and other physical objects that are interconnected, directly
creating risks to personal safety not only of an individual but also the
community, regions and even countries.

6. Agile Methodolgy and Secure Development Lifecycle
Are we ready to open our Kimono?
8
– “Technology vendors will open their own kimonos. Driven by new types of threats, CISOs will
continue to increase oversight of IT vendor risk management in 2016.
– This will cause a reaction on the supply side as leading vendors trumpet their own internal
cyber supply chain management and secure software development best practices as a way
of differentiating themselves from more lackadaisical competitors.”
– 80% of breaches occur at the application layer, with more than 60% of applications having
serious flaws
– Rapid release of new applications leaves many organizations feeling there is not enough
time to spend on security,
– Agile does not bend to Security, so you need to bend Security to fit Agile ?.
– Fundamental principle in Agile Self-disciplined Teams and Self Organizing Teams.
– Self-Organization is in the DNA of an organization..
– The organization provides the environment for self-organization
– How many organizations are a crucible for self-organization today?

7. A real lesson from a kids fantasy tale
9
Now, here, you see, it takes all the running you
can do, to keep in the same place. If you want to
get somewhere else, you must run at least twice
as fast as that!
- The Red Queen, to Alice, in Lewis Carroll’s
Through the Looking Glass
The adversary is constantly advancing its capabilities..
Can we overtake them at the current pace?

8. “Unless we change our direction, we are likely to end up where we are
headed” – unknown
10

9. Secure Coding (Eliminating Coding Flaws)
Secure by Design (Eliminating Design Flaws)
Secure Configuration (Eliminating Configuration Flaws)
Mutate: Behavior Modification in Secure SDLC
Application Security and SDLC
11
1
4
2
3

10. Secure By Design
Eliminating Design Flaws
12

11. The natural world is a good example of an Intelligent Design
for Security
13
The Central Nervous system
The Blood Brain Barrier
The Immune system
The Camouflage
The Reflex Action
The Adrenaline
Many More..
Survival of the fittest (Resilience) requires design as a
"way of thinking”

12. “You can fix it on the drawing board with an eraser or you can fix it on the
site with a sledgehammer" – Frank Lloyd Wright
14

13. Placeholder for title
15
Sustain Secure
State
Remediation of
Non Compliance
Verification
&
Validation
Secure
Configuration
Secure Coding
Secure
Design (Threat
Modeling)
Technical
Security
Standards,
Procedure,
Specifications
Enterprise
Security
and
Privacy Policies,
Security
Principles
Plan, Design and
Architecture
Develop and
Test
Maintain and
Run

14. What Is Threat Modeling?
16
– Threat modeling is an engineering technique you can use to help you
identify security objectives threats, attacks, vulnerabilities, and
countermeasures in the context of your application scenario. The
threat modeling activity helps you to:
– Threat modeling is performed to identify when and where more
effort should be applied. There are many possible vulnerabilities,
threats, and exploits; it is unlikely that your application will
encounter all of them.
– It is also unlikely that your company would need to address all of
them. Threat modeling helps you identify where your organization
needs to apply effort.

15. Why Do Threat Modeling
17
Balancing Business Value with Business Risk
– Risk Appetite
– Risk Tolerance
Secure by Design and Not Chance
– Secure by design at design time
– Secure by design at Run Time
Adhere to fundamental principles of security
– Support the Business
– Defend the Business
– Promote responsible security behavior

16. Key Questions we ask in Threat Modeling
18
– Where does your system live?
– What are you building ?
– What do you have to protect?
– Who are your users?
– Who are your adversaries?
– What can go wrong ?(mis-use cases)
– What are your weak points?
– What can you do to mitigate the threats?

17. Key Concepts in Threat Modeling
19
– Risk
– Trust Boundary
– Attack Trees
– Identifying Threats(STRIDE Model)
– Attack Surface
– Attack Vectors
– Risk Mitigation Strategies
– Rating Risk with (DREAD)
– Countermeasures

18. Guidelines for Threat Modeling
20
Concept Description
Modeling to reduce risk Threat modeling helps you identify where effort needs to be applied.
Incremental rendering
Threat modeling is iterative. You should not be too concerned about missing details in any single
iteration productive.
Context-precision
Context-precision provides relevancy. You need to look at application use cases and roles to truly
vulnerabilities.
Boundaries
Establishing boundaries helps you to define constraints and goals. Boundaries help you Identify
happen, what needs to happen, and what is nice to happen.
Entry and exit criteria
By defining entry and exit criteria, you establish tests for success so you know when your threat
enough) and to ensure you spend the right amount of time on the activity.
Pattern-based information model
By using a pattern-based information model, you can identify the patterns of repeatable
them into categories.

19. Secure Coding
Eliminating Coding Flaws
21

20. Automate, Automate, Automate
22
– OWASP
– Define Coding Standards
– SANS 25 Dangerous
Programming Errors
– Use Design Patterns when possible
– Reuse Secure Components
(SBB, TBB)
– Fail Fast, Fail Early

21. Secure Configuration
Eliminating Configuration Flaws
23

22. Adopt an Industry Standard Secure Configuration
24
Ensure Baseline is followed
 US DoD Security Technical Implementation Guides (STIGs) for
Databases http://iase.disa.mil/stigs/Pages/index.aspx
 CIS Bench Marks
https://benchmarks.cisecurity.org/
Adopt a Baseline
Maintain the secure baseline

23. Evolutionary Design
Embraces the fact of an evolving system understanding, and helps system’s design evolve
25
Evolving and adapting through Mutation the only way to survive
in a hostile world
Op

24. Evolutionary Design
Embraces the fact of an evolving system understanding, and helps system’s design evolve
26
Evolving and adapting through Mutation the only way to survive
in a hostile world
Op

25. Evolutionary Design
Embraces the fact of an evolving system understanding, and helps system’s design evolve
27
Evolving and adapting through Mutation the only way to survive
in a hostile world
Op

26. Mutate: Human Behavior Changes in SDLC
Optional subtitle
28

27. Change is inevitable.. Adaptation is Optional
29

28. Policy and Procedure without Enforcement is Ineffective
Does the compliance Program have the teeth? Do they have visibility into the policy violations ?
30

29. Enforcement Without Teeth Will Lead To Ineffective Compliance or No
Compliance
Are there real implications for policy violations (monetary, disciplinary) ?
31

30. TSA and Zero Tolerance:
32
– It is possible to build
application security program
with
Zero Tolerance
– Requires a
Cultural Change
– Requires strong management
support
– Behavior Change takes time
– Don’t expect
overnight change
– But it can be done

31. McNamara Fallacy and Predictive Analytics
You can not manage what you can not measure
33
Define smart KPI’s for your application security program
including human behavior metrics

32. Capgemini’s Industrial Application Security Testing Capacity
Powered by HPE
34
The Capgemini performs technical and
administrative platform management
HPE provides the tool and help
Sogeti scale up
The clients upload their applications
and URL,
download their reports
Capgemini auditors produce the reports
based on the
scan results
Prospects can try the platform and watch
assessments results
Capgemini Manages the portal and support
the client
Static and dynamic
scanning Hosting
client portals
Static Dynamic

33. Get more information
35
– Supporting text here
– Supporting text here
– Supporting text here
– Supporting text here
– Supporting text here
– Supporting text here
Text here
Attend these sessions: Visit these demos: Follow us on Social Media:
Where do they go after the show?
Add that here.

34. Thank You
Oz Deally: oz.deally@Capgemini.com
Gopal Padinjaruveetil: gopal.padinjaruveetil@capgemini.com
36