SlideShare a Scribd company logo

Battle Tested Application Security

Download as PPTX, PDF
T
Ty Sbano

Ty Sbano, head of security at Periscope Data, emphasizes the importance of developing application security programs tailored to internal technology cultures. He outlines a structured approach to application security that prioritizes engagement, education, and a mix of in-sourced and outsourced strategies while advocating for a culture focused on continuous improvement. Key focus areas include risk management in both waterfall and agile environments, along with emphasizing asset management and team involvement over purely financial investment.

Technology
Related topics:
Application Security Information Security
1 of 16
Downloaded 20 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
Battle Tested Application Security Ty Sbano October 17, 2018
Bio Ty Sbano Currently the head of security at Periscope Data. Ty is an Information Security leader with over 12 years of experience, mainly in Financial Technology organizations. Ty's career has been focused on developing application and product security programs for Capital One, JPMorgan Chase, LendingClub, and Target. Key areas of knowledge include developing security champions, threat modeling, secure code training, static code analysis, component analysis, dynamic analysis, penetration testing, and red teaming. Ty’s security mentality has been concentrated on enabling engineering and product teams to securely move at the speed of the business to make it a competitive advantage. Ty graduated from Penn State University with a B.S. in Information Science & Technology and from Norwich University with a M.S. in Information Assurance. Ty also holds the CISSP, SSCP, CEH and CCSK.
The views and opinions expressed in this discussion are those of the authors and do not necessarily reflect the official policy or position of any company.
How do we build An Application Security Program? Step 1 – Learn your internal tech culture Step 2 – Ignore all the vendors (for now) Step 3 – Roll up your sleeves and get to work
• Development • Operations • Security • Architecture General Approach to Application Security 01 • Requirements • Goals • Measurements 02 • Retrospectives • Post Mortems • Rinse & Repeat 04 Culture 101 Criteria for Success Kaizen to Enhance • Role Centric • End Users • Developers • Security • Audit • Regulators • Executives 03 Educate for Scale Set the tone of the program by establishing a mission statement
Software Development Lifecycle (SDLC) Product Development Lifecycle (PDLC) Waterfall • Established Cadence/Gates • Required Risk Remediation • Executive Dashboards Agile • Constant Releases • Risk Management, Acceptable Tolerance • Real-Time, API Friendly Data Automation and Self- Service Capabilities Will Enable Security At The Speed of Business
Engineering Team Composition? In-Sourced • Education and Training • Self-Service • Assessments, Consulting and Support Out-Sourced • Contract Requirements • Vendor Due Diligence • Attestation and Consulting • Standards Commercial Off The Shelf (COTS) • Contract Requirements • Customer Advisory Board aka Influence the feature prioritization / backlog
Where’s the silver bullet solution? Be Tool Agnostic, Problem Specific Source: Forrester Wave for SAST, 2017
Security Staffing Strategy Insourced • Talent Acquisition / Sourcing • Talent Management • Rewarding Hybrid Approach • Staff Augmentation • Cross Training • Work/Life Balance Do Outsource Consistent, Repeatable Processes Do Not Outsource Something You Don’t Understand Outsourced • Scales Quickly • Cost Opportunities • Externalized Accountability
Funding the Program? Project Based (Product) • Incremental • Time Consuming • Cost Avoidance Internally Funded (Security Budget) • Annual • Responsibility on AppSec • Forecasting and Variance Challenges Business Owner (Non-IT) • Annual • Tracking Challenges • Cost Avoidance, e.g. Security Avoidance Remove Budget From The Equation, Your Engineering Teams will be more Engaged
Areas of Focus with High Return On Investment 25% Training & Education 30% Embrace Open Source 45% Asset Management It’s Less About Financial Investment, More About Engagement • Real-Time Coaching • Champion Programs • Brand and Be Bold • SneakerNet • Scanning Technology • OWASP??? • Understand the Business • Inventory • Business Oriented Risk Ranking • Defect Tracking
Forward Looking Lessons Hygiene over HYPE • Inventory, Asset Management, Security Basics over “Silver Bullets” Dialogue over Confidentiality • Engage your team, don’t always say everything is confidential – let people help Carrot beats Stick • Recognition always trumps reprimands, plus swag helps Always Be Learning • Take the opportunity of the rapid development world to learn something new everyday
Contact Linkedin - https://www.linkedin.com/in/tysbano/ Articles - https://techbeacon.com/contributors/ty-sbano Website - http://www.tysbano.com Twitter - @tysbano Instagram - https://www.instagram.com/takoyakity/ *Nothing to do with security https://www.periscopedata.com/careers Come work with me!
Battle Tested Application Security
Thank You Supporters
Meet me in the Slack channel for Q&A bit.ly/addo-slack

More Related Content

PDF
Scaling an Application Security Program at the IMF: A Case Study
Priyanka Aash
 
PPTX
The Economics of Security
Network Intelligence India
 
PPTX
BTC Quality Assurance and Testing Solutions for the Financial Services industry
Boston Technology Corporation
 
PPTX
Business model israel_v1.0
FixNix Inc.,
 
PPTX
How To Become An IT Security Risk Analyst
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
PPT
The Perspective of Today's Information Security Leader
Ravila White
 
PDF
Cyber Eleven flyer
Timmy Chou
 
PPTX
Yonix presents: Business Analysis: Where transformation and innovation begins
yonix
 
Scaling an Application Security Program at the IMF: A Case Study
Priyanka Aash
 
The Economics of Security
Network Intelligence India
 
BTC Quality Assurance and Testing Solutions for the Financial Services industry
Boston Technology Corporation
 
Business model israel_v1.0
FixNix Inc.,
 
How To Become An IT Security Risk Analyst
Niloufer Tamboly CISSP, CPA, CIA, CISA, CFE
 
The Perspective of Today's Information Security Leader
Ravila White
 
Cyber Eleven flyer
Timmy Chou
 
Yonix presents: Business Analysis: Where transformation and innovation begins
yonix
 

What's hot (10)

PPTX
Tre Smith - From Decision to Implementation: Who's On First?
centralohioissa
 
PDF
NUS-ISS Digital Architecture Information Session
engtsze
 
PDF
What it Takes to be a CISO in 2017
Doug Copley
 
PPTX
Build and Information Security Strategy
Info-Tech Research Group
 
PDF
The right technology combined with valuable messaging
HirePro
 
PDF
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
PDF
No more security empires - The ciso as an individual contributor
Priyanka Aash
 
PPT
20th March Session Five by Ramesh Shanmughanathan
Sharath Kumar
 
PDF
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
PDF
Alexander Knorr Transcript
Alexander Knorr
 
Tre Smith - From Decision to Implementation: Who's On First?
centralohioissa
 
NUS-ISS Digital Architecture Information Session
engtsze
 
What it Takes to be a CISO in 2017
Doug Copley
 
Build and Information Security Strategy
Info-Tech Research Group
 
The right technology combined with valuable messaging
HirePro
 
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
No more security empires - The ciso as an individual contributor
Priyanka Aash
 
20th March Session Five by Ramesh Shanmughanathan
Sharath Kumar
 
From Cave Man to Business Man, the Evolution of the CISO to CIRO
Priyanka Aash
 
Alexander Knorr Transcript
Alexander Knorr
 
Ad

Similar to Battle Tested Application Security (20)

PDF
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
PDF
EDCE 2017 bulletproof better-faster-safer
Winston Morton
 
PPTX
Best Practices for a Mature Application Security Program Webinar - February 2016
Security Innovation
 
PDF
Business Competence Presentation
Pierguido Iezzi
 
PDF
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
PPTX
DevSecOps without DevOps is Just Security
Kevin Fealey
 
PDF
ScotSecure 2020
Ray Bugg
 
PDF
IT Security As A Service
Michael Davis
 
PPTX
Building a Security culture at Skyscanner 2016
Stu Hirst
 
PPTX
Amazing Winter Keynote - IT as a Team Sport
Paul Muller
 
PDF
The Future of Software Security Assurance
Rafal Los
 
PPTX
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
PPTX
The Five Essential Truths of the Application Economy
CA Technologies
 
PDF
New Era of Software with modern Application Security (v0.6)
Dinis Cruz
 
PDF
Unified application security analyser
Tim Youm
 
PPTX
Digital Product Security
SoftServe
 
PPTX
INTERFACE, by apidays - Driving the business via APIs.pptx
apidays
 
PPTX
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
PPTX
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Protect Your Customers Data from Cyberattacks
SAP Customer Experience
 
EDCE 2017 bulletproof better-faster-safer
Winston Morton
 
Best Practices for a Mature Application Security Program Webinar - February 2016
Security Innovation
 
Business Competence Presentation
Pierguido Iezzi
 
Agile Relevance in the age of Continuous Everything ....
Eturnti Consulting Pvt Ltd
 
DevSecOps without DevOps is Just Security
Kevin Fealey
 
ScotSecure 2020
Ray Bugg
 
IT Security As A Service
Michael Davis
 
Building a Security culture at Skyscanner 2016
Stu Hirst
 
Amazing Winter Keynote - IT as a Team Sport
Paul Muller
 
The Future of Software Security Assurance
Rafal Los
 
Emphasizing Value of Prioritizing AppSec Meetup 11052023.pptx
lior mazor
 
The Five Essential Truths of the Application Economy
CA Technologies
 
New Era of Software with modern Application Security (v0.6)
Dinis Cruz
 
Unified application security analyser
Tim Youm
 
Digital Product Security
SoftServe
 
INTERFACE, by apidays - Driving the business via APIs.pptx
apidays
 
Walls of Steel, Doors of Wood - Relevance of Application Security
Abdul Jaleel
 
Fortify-Application_Security_Foundation_Training.pptx
VictoriaChavesta
 
Fortify-Application_Security_Foundation_Training.pptx
YoisRoberthTapiadeLa
 
Ad

Recently uploaded (20)

PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Teaching material agriculture food technology
LiaRayya
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
AVTRON Technologies LLC
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
SHREYAS PHANSE
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 

Battle Tested Application Security

  • 1. Battle Tested Application Security Ty Sbano October 17, 2018
  • 2. Bio Ty Sbano Currently the head of security at Periscope Data. Ty is an Information Security leader with over 12 years of experience, mainly in Financial Technology organizations. Ty's career has been focused on developing application and product security programs for Capital One, JPMorgan Chase, LendingClub, and Target. Key areas of knowledge include developing security champions, threat modeling, secure code training, static code analysis, component analysis, dynamic analysis, penetration testing, and red teaming. Ty’s security mentality has been concentrated on enabling engineering and product teams to securely move at the speed of the business to make it a competitive advantage. Ty graduated from Penn State University with a B.S. in Information Science & Technology and from Norwich University with a M.S. in Information Assurance. Ty also holds the CISSP, SSCP, CEH and CCSK.
  • 3. The views and opinions expressed in this discussion are those of the authors and do not necessarily reflect the official policy or position of any company.
  • 4. How do we build An Application Security Program? Step 1 – Learn your internal tech culture Step 2 – Ignore all the vendors (for now) Step 3 – Roll up your sleeves and get to work
  • 5. • Development • Operations • Security • Architecture General Approach to Application Security 01 • Requirements • Goals • Measurements 02 • Retrospectives • Post Mortems • Rinse & Repeat 04 Culture 101 Criteria for Success Kaizen to Enhance • Role Centric • End Users • Developers • Security • Audit • Regulators • Executives 03 Educate for Scale Set the tone of the program by establishing a mission statement
  • 6. Software Development Lifecycle (SDLC) Product Development Lifecycle (PDLC) Waterfall • Established Cadence/Gates • Required Risk Remediation • Executive Dashboards Agile • Constant Releases • Risk Management, Acceptable Tolerance • Real-Time, API Friendly Data Automation and Self- Service Capabilities Will Enable Security At The Speed of Business
  • 7. Engineering Team Composition? In-Sourced • Education and Training • Self-Service • Assessments, Consulting and Support Out-Sourced • Contract Requirements • Vendor Due Diligence • Attestation and Consulting • Standards Commercial Off The Shelf (COTS) • Contract Requirements • Customer Advisory Board aka Influence the feature prioritization / backlog
  • 8. Where’s the silver bullet solution? Be Tool Agnostic, Problem Specific Source: Forrester Wave for SAST, 2017
  • 9. Security Staffing Strategy Insourced • Talent Acquisition / Sourcing • Talent Management • Rewarding Hybrid Approach • Staff Augmentation • Cross Training • Work/Life Balance Do Outsource Consistent, Repeatable Processes Do Not Outsource Something You Don’t Understand Outsourced • Scales Quickly • Cost Opportunities • Externalized Accountability
  • 10. Funding the Program? Project Based (Product) • Incremental • Time Consuming • Cost Avoidance Internally Funded (Security Budget) • Annual • Responsibility on AppSec • Forecasting and Variance Challenges Business Owner (Non-IT) • Annual • Tracking Challenges • Cost Avoidance, e.g. Security Avoidance Remove Budget From The Equation, Your Engineering Teams will be more Engaged
  • 11. Areas of Focus with High Return On Investment 25% Training & Education 30% Embrace Open Source 45% Asset Management It’s Less About Financial Investment, More About Engagement • Real-Time Coaching • Champion Programs • Brand and Be Bold • SneakerNet • Scanning Technology • OWASP??? • Understand the Business • Inventory • Business Oriented Risk Ranking • Defect Tracking
  • 12. Forward Looking Lessons Hygiene over HYPE • Inventory, Asset Management, Security Basics over “Silver Bullets” Dialogue over Confidentiality • Engage your team, don’t always say everything is confidential – let people help Carrot beats Stick • Recognition always trumps reprimands, plus swag helps Always Be Learning • Take the opportunity of the rapid development world to learn something new everyday
  • 13. Contact Linkedin - https://www.linkedin.com/in/tysbano/ Articles - https://techbeacon.com/contributors/ty-sbano Website - http://www.tysbano.com Twitter - @tysbano Instagram - https://www.instagram.com/takoyakity/ *Nothing to do with security https://www.periscopedata.com/careers Come work with me!
  • 16. Meet me in the Slack channel for Q&A bit.ly/addo-slack