security in development lifecycle
0 likes588 views
Gemalto focuses on providing security solutions across various sectors, including government, banking, and mobile IoT, to enhance connectivity and data protection. The document highlights the importance of integrating security into the development lifecycle through empowered engineering teams and continuous deployment practices. Furthermore, it addresses the rising expectations for fast, secure, and privacy-respecting services from both customers and service providers in an increasingly connected world.
security in development lifecycle
- 1. A culture change 08/10/2019 Security in development lifecycle
- 2. Gemalto / THALES DIS 09.10.19Introducing Gemalto2
- 3. We focus on six main markets – but serve many others 9 October 2019Introducing Gemalto3 BANKING & PAYMENT ENTERPRISE SECURITY GOVERNMENT MOBILE IoT SOFTWARE MONETIZATION
- 4. For the world’s governments & biggest brands 9 October 20194 Introducing Gemalto 200+ GOVERNMENT PROGRAMS 30,000+ ENTERPRISES 3,000+FINANCIAL INSTITUTIONS 450 MOBILE OPERATORS
- 5. Connecting elderly patients to keep them safe Internet of Things: Connect. Secure. Monetize 9 October 2019Introducing Gemalto5 • Integrators • Mobile network operators • Automotive & mobility players • Consumer electronics • Smart energy providers • Healthcare device suppliers • Smart home device makers OUR CLIENTS OUR SOLUTIONS Optimized connectivity: wireless modules & terminals, eSIM, MIM Flexible subscription management: On-Demand Connectivity End-to-end IoT Security: secure elements, data encryption, ID management & verification OnKöl partners with Gemalto to securely power health and home monitoring devices that connect elderly patients with their caregivers.
- 6. Mobile: Connecting more. Securing All 9 October 2019Introducing Gemalto6 • Mobile network operators • Device manufacturers • Service providers OUR CLIENTS OUR SOLUTIONS People & device authentication: multi-tenant removable & embedded secure elements Subscription management: eSIM solutions, device personalization & activation Trusted Digital Identity: Digital enrollment and ID verification, biometrics Cloud security: cloud authentication and data protection Faster ID checks for Telefónica Deutschland Gemalto’s Digital Identity Verification service optimizes the customer acquisition process and confirms the authenticity of a vast range of identity documents (passports, ID cards etc.) in real-time. Big Data Analytics and AI Network operations, customer support, marketing insights
- 7. New development challenges 09.10.19Overall challenges7
- 8. Connect securely Cloud resources Continuous deployment New generation of customers expect everything to be connected and constant stream of updates Customers want their service providers to deliver faster, more often, with higher quality and adapt quicker to their needs. Service providers want to focus on their services and use secured infrastructures and platforms as commodities. Digital devices are not just in our pockets or our offices, but increasingly in our homes, buildings, and many places and cities.. Customer and service provider expectations are rising
- 9. …and enforced Respect of privacy is valued Sharing?Yes, but not everything People want to share information at scale while respecting privacy Personal and corporate data should be kept private and only shared under clear rules. Privacy and the right to be forgotten will be top of mind for consumers when selecting a merchant or service provider. Policy makers and regulators are increasingly vigilant about private data management. Data expectations are rising
- 10. A product lifecycle view 09.10.19Overall challenges10 Continuous deployment
- 11. Security in development lifecycle 09.10.19Security in development lifecycle11
- 12. Security actors As continuous deployment exponentially speeds up the pace of development Bolt-on security by security specialists won’t scale … so security MUST be a primary concern of the development team 09.10.19Security in development lifecycle12
- 13. Continuous Secure deployment Continuous Secure Deployment is… empowered engineering teams taking ownership of how their product performs in production including security 09.10.19Security in development lifecycle13 “Security teams are no longer gate keepers but rather tool-smiths and advisors" Larry Maccherone, Comcast Senior Director
- 14. Continuous Secure Deployment Manifesto Build security in more than bolt it on Rely on empowered engineering teams more than security specialists Implement features securely more than security features Rely on continuous learning more than end-of-phase gates Build on culture change more than policy enforcement 09.10.19Security in development lifecycle14
- 15. Security in continuous deployment 09.10.19Security in development lifecycle15 Dev Ops Security by design Security test plan ISRA Threat modelling Secure coding standards Static code analysis Code review Security test cases Antivirus scan OSS vulnerability assessment OSS assessment Security test campaign Penetration test Compliance validation Fuzzing Deployment strategy (canary, red/black) Traffic shape configuration Configuration validation Configuration as code Vulnerability assessment Intruder detection App. attack detection Service restoring (or maintaining) Chaos engineering
- 16. Security in development lifecycle results It’s scary to QA and Security, but “shifting left security and handling it to developers” leads to time and cost benefits and to dramatically lower rates of customer experienced defects and vulnerabilities Security crucially impacts any technology choice Knowing security risks allows to take them into account while designing The customer is at ease when we can have a fluent speech about security in our software Security processes and checkpoints allow to handle it as any other functionality 09.10.19Security challenges16
- 17. Want to know more? 9 October 201917 Introducing Gemalto