SlideShare a Scribd company logo

[OPD 2019] Governance as a missing part of IT security architecture

OWASP, profile picture
OWASP

The document discusses how governance is a missing part of IT security architecture. It proposes that security architecture should include technology, processes, and organization/people, similar to how Gartner describes the components of overall IT architecture. It presents capabilities maturity models and the secure development lifecycle as ways to incorporate governance into the design, development, testing, and operations of technology to ensure security is considered throughout the IT process.

Internet
1 of 13
Downloaded 10 times
1
2
3
4
5
6
7
8
9
10
11
12
13
GOVERNANCE AS A MISSING PART OF IT SECURITY ARCHITECTURE
WELL DESIGNED SECURITY ARCHITECTURE OWASP DAY POLAND 2 Technology: Tooling Processes: How we do Organization: People (culture) SECURITY CI/CD Technology Organization Processes
Source: Gartner 2017Sourve: Gartner 2017 HOW IT WORKS BY GARTNER OWASP DAY POLAND 3 DEV/OPS 2.0DEV/OPS 2.0
HOW IT WORKS SO FAR OWASP DAY POLAND 4
HUMAN ERROR Human error means that something has been done that was "not intended by the actor; not desired by a set of rules or an external observer; or that led the task or system outside its acceptable limits". In short, it is a deviation from intention, expectation or desirability. OWASP DAY POLAND 5
SO, THE QUESTION IS: OWASP DAY POLAND 6 ??
Process A series of actions or steps taken in order to achieve a particular end Process is not a bureaucracy Automation Process automation refers to the use of digital technology to perform a process or processes in order to accomplish a workflow or function. OWASP DAY POLAND 7 GOVERNANCE
CAPABILITY MATURITY MODEL (CMM) OWASP DAY POLAND 8
OWASP DAY POLAND 9 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI
OWASP DAY POLAND 10 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI
OWASP DAY POLAND 11 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis ● Dynamic Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI KPIKPI KPI KPIKPIKPI KPI
Source: Gartner 2017Sourve: Gartner 2017 HOW IT CAN WORK OWASP DAY POLAND 12 DEV/OPS 2.0DEV/OPS 2.0
TITLE: Let’s stay in touch Dariusz.Czerniawski@isaca.waw.pl +48501056737 OWASP DAY POLAND 13

More Related Content

PDF
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
PDF
[OPD 2019] Life after pentest
OWASP
 
PDF
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
PPTX
AllDayDevOps 2019 AppSensor
jtmelton
 
PDF
Owasp top 10 2017 (en)
PrashantDhakol
 
PPTX
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
PDF
Owasp masvs spain 17
Luis A. Solís
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP
 
[OPD 2019] Life after pentest
OWASP
 
Red team-view-gaps-in-the-serverless-application-attack-surface
Priyanka Aash
 
AllDayDevOps 2019 AppSensor
jtmelton
 
Owasp top 10 2017 (en)
PrashantDhakol
 
Elizabeth Lawler - Devops, security, and compliance working in unison
DevSecCon
 
Owasp masvs spain 17
Luis A. Solís
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 

What's hot (20)

PPTX
Mobile Security at OWASP - MASVS and MSTG
Romuald SZKUDLAREK
 
PPTX
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
PPTX
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 
PDF
Beyond the mcse red teaming active directory
Priyanka Aash
 
PDF
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PPTX
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
PDF
Dev seccon london 2016 intelliment security
DevSecCon
 
PDF
The Dev, Sec and Ops of API Security - API World
42Crunch
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
PDF
Red Team vs. Blue Team on AWS
Priyanka Aash
 
PDF
Top API Security Issues Found During POCs
42Crunch
 
PDF
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
PDF
Collaborative security : Securing open source software
Priyanka Aash
 
PDF
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
PPTX
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
PPTX
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
PDF
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
PDF
DevSecOps | DevOps Sec
Rubal Jain
 
PDF
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Mobile Security at OWASP - MASVS and MSTG
Romuald SZKUDLAREK
 
Stephen Sadowski - Securely automating infrastructure in the cloud
DevSecCon
 
Application Security Logging with Splunk using Java
Robert Grupe, CSSLP CISSP PE PMP
 
Beyond the mcse red teaming active directory
Priyanka Aash
 
Dev secops on the offense automating amazon web services account takeover
Priyanka Aash
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
SecDevOps 2.0 - Managing Your Robot Army
conjur_inc
 
Dev seccon london 2016 intelliment security
DevSecCon
 
The Dev, Sec and Ops of API Security - API World
42Crunch
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Red Team vs. Blue Team on AWS
Priyanka Aash
 
Top API Security Issues Found During POCs
42Crunch
 
ChaoSlingr: Introducing Security-Based Chaos Testing
Priyanka Aash
 
Collaborative security : Securing open source software
Priyanka Aash
 
Pactera - App Security Assessment - Mobile, Web App, IoT - v2
Kyle Lai
 
Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Jeff Williams
 
Integrate Security into DevOps - SecDevOps
Ulf Mattsson
 
DevSecOps - Building continuous security into it and app infrastructures
Priyanka Aash
 
DevSecOps | DevOps Sec
Rubal Jain
 
Secure Coding for Java - An Introduction
Sebastien Gioria
 
Ad

Similar to [OPD 2019] Governance as a missing part of IT security architecture (20)

PPTX
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon
 
PDF
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
PPTX
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
PDF
Owasp summit debrief v1.0 (jun 2017)
owaspsummit
 
PDF
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
PDF
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
PDF
Shift Left Security
gjdevos
 
PPT
Web Application Security Testing
Marco Morana
 
PDF
Shift Left Security
gjdevos
 
PDF
DevSecOps at Agile 2019
Elizabeth Ayer
 
PPTX
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
PDF
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
PDF
AppSec in an Agile World
David Lindner
 
PDF
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
PPT
OWASP - Building Secure Web Applications
alexbe
 
PPT
3830100.ppt
azida3
 
PPTX
Speed with Confidence
Shannon Lietz
 
PPTX
Speed with confidence
DevSecOps
 
PDF
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
PDF
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
DevSecCon Tel Aviv 2018 - Security learns to sprint by Tanya Janca
DevSecCon
 
[OPD 2019] Advanced Data Analysis in RegSOC
OWASP
 
HouSecCon 2019: Offensive Security - Starting from Scratch
Spencer Koch
 
Owasp summit debrief v1.0 (jun 2017)
owaspsummit
 
DevSecOps: A New Hope for Security in CI/CD
Franklin Mosley
 
Running an app sec program with OWASP projects_ Defcon AppSec Village
Vandana Verma
 
Shift Left Security
gjdevos
 
Web Application Security Testing
Marco Morana
 
Shift Left Security
gjdevos
 
DevSecOps at Agile 2019
Elizabeth Ayer
 
Дмитро Терещенко, "How to secure your application with Secure SDLC"
Sigma Software
 
What Every Developer And Tester Should Know About Software Security
Anne Oikarinen
 
AppSec in an Agile World
David Lindner
 
Webinar–Creating a Modern AppSec Toolchain to Quantify Service Risks
Synopsys Software Integrity Group
 
OWASP - Building Secure Web Applications
alexbe
 
3830100.ppt
azida3
 
Speed with Confidence
Shannon Lietz
 
Speed with confidence
DevSecOps
 
Bringing the hacker mindset into requirements and testing by Eapen Thomas and...
QA or the Highway
 
Security of the future - Adapting Approaches to What We Need
simplyme12345
 
Ad

More from OWASP (20)

PDF
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
PDF
[OPD 2019] Threat modeling at scale
OWASP
 
PDF
[OPD 2019] .NET Core Security
OWASP
 
PDF
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
PDF
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
 
PPTX
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
PPTX
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
PDF
[OPD 2019] Automated Defense with Serverless computing
OWASP
 
PDF
[OPD 2019] Attacking JWT tokens
OWASP
 
PDF
[OPD 2019] Rumpkernels meet fuzzing
OWASP
 
PDF
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
PDF
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
PDF
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
 
PDF
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
PDF
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP
 
PDF
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP
 
PDF
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP
 
PPTX
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
PPTX
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP
 
[OPD 2019] Web Apps vs Blockchain dApps
OWASP
 
[OPD 2019] Threat modeling at scale
OWASP
 
[OPD 2019] .NET Core Security
OWASP
 
[OPD 2019] Top 10 Security Facts of 2020
OWASP
 
[OPD 2019] Storm Busters: Auditing & Securing AWS Infrastructure
OWASP
 
[OPD 2019] Side-Channels on the Web:
Attacks and Defenses
OWASP
 
[OPD 2019] AST Platform and the importance of multi-layered application secu...
OWASP
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
[OPD 2019] Automated Defense with Serverless computing
OWASP
 
[OPD 2019] Attacking JWT tokens
OWASP
 
[OPD 2019] Rumpkernels meet fuzzing
OWASP
 
[OPD 2019] Trusted types and the end of DOM XSS
OWASP
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
OWASP
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP
 
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP
 
OWASP Poland Day 2018 - Omer Levi Hevroni - Secure the Pipeline
OWASP
 

Recently uploaded (20)

DOCX
Unit-3 cyber security network security of internet system
shivangisharma636228
 
PPTX
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
PPT
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
PPTX
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
PPTX
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
PPTX
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
PPTX
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
PDF
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
PDF
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
PPTX
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
PPT
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
PDF
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PDF
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
PPTX
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
PPTX
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
PPTX
Funds Management Learning Material for Beg
NKKumar16
 
PDF
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
PPTX
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
PPTX
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 
Unit-3 cyber security network security of internet system
shivangisharma636228
 
Job_Card_System_Styled_lorem_ipsum_.pptx
Jeffkigen
 
Design_with_Watersergyerge45hrbgre4top (1).ppt
DiogoRibeiro730590
 
international classification of diseases ICD-10 review PPT.pptx
naveenithkrishnan
 
Introuction about ICD -10 and ICD-11 PPT.pptx
naveenithkrishnan
 
Introuction about WHO-FIC in ICD-10.pptx
naveenithkrishnan
 
presentation_pfe-universite-molay-seltan.pptx
yahyamohibme
 
Paper PDF World Game (s) Great Redesign.pdf
Steven McGee
 
Decoding a Decade: 10 Years of Applied CTI Discipline
Andreas Sfakianakis
 
Module 1 - Cyber Law and Ethics 101.pptx
anantyakhrisna1
 
tcp ip networks nd ip layering assotred slides
pakadamfdp
 
An introduction to the IFRS (ISSB) Stndards.pdf
farhankhan13694
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
Triggering QUIC, presented by Geoff Huston at IETF 123
APNIC
 
introduction about ICD -10 & ICD-11 ppt.pptx
naveenithkrishnan
 
INTERNET------BASICS-------UPDATED PPT PRESENTATION
poonam62133
 
Funds Management Learning Material for Beg
NKKumar16
 
Automated vs Manual WooCommerce to Shopify Migration_ Pros & Cons.pdf
CartCoders
 
CHE NAA, , b,mn,mblblblbljb jb jlb ,j , ,C PPT.pptx
sumodmjohn3
 
Slides PPTX World Game (s) Eco Economic Epochs.pptx
Steven McGee
 

[OPD 2019] Governance as a missing part of IT security architecture

  • 1. GOVERNANCE AS A MISSING PART OF IT SECURITY ARCHITECTURE
  • 2. WELL DESIGNED SECURITY ARCHITECTURE OWASP DAY POLAND 2 Technology: Tooling Processes: How we do Organization: People (culture) SECURITY CI/CD Technology Organization Processes
  • 3. Source: Gartner 2017Sourve: Gartner 2017 HOW IT WORKS BY GARTNER OWASP DAY POLAND 3 DEV/OPS 2.0DEV/OPS 2.0
  • 4. HOW IT WORKS SO FAR OWASP DAY POLAND 4
  • 5. HUMAN ERROR Human error means that something has been done that was "not intended by the actor; not desired by a set of rules or an external observer; or that led the task or system outside its acceptable limits". In short, it is a deviation from intention, expectation or desirability. OWASP DAY POLAND 5
  • 6. SO, THE QUESTION IS: OWASP DAY POLAND 6 ??
  • 7. Process A series of actions or steps taken in order to achieve a particular end Process is not a bureaucracy Automation Process automation refers to the use of digital technology to perform a process or processes in order to accomplish a workflow or function. OWASP DAY POLAND 7 GOVERNANCE
  • 8. CAPABILITY MATURITY MODEL (CMM) OWASP DAY POLAND 8
  • 9. OWASP DAY POLAND 9 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI
  • 10. OWASP DAY POLAND 10 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI
  • 11. OWASP DAY POLAND 11 Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Design ● Threat modeling ● Secure design Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Training • Secure Coding Practices • Writing security tests • Provider/Platform Technical Training Test ● Vulnerability Assessment ● Dynamic Analysis ● Functional tests ● QA Develop ● Code review ● Unit testing ● Static Analysis ● Dynamic Analysis Define ● Code Standards ● Security Non Functional Requirements (SNFR) Training ● Secure Coding Practices ● Writing security tests ● Provider/Platform Technical Training SECURE DESIGN/DEVELOPMENT OPS KPI KPIKPI KPI KPIKPIKPI KPI
  • 12. Source: Gartner 2017Sourve: Gartner 2017 HOW IT CAN WORK OWASP DAY POLAND 12 DEV/OPS 2.0DEV/OPS 2.0