Session Name: Security Phoenix, From the Ashes of DevOps a New Security Creature is Born
This talk will take the audience on a journey from the origin of the security architecture, traditional waterfall framework and the evolution of those in a traditional DEV-SEC-OPS. It also addresses the difference between traditional command and control governance and the solution to avoid starving automation and innovation with traditional security governance.
The talk will introduce concepts like:
- Trust and Verify your developer
- “Build vs FIX” and “own your crappy code”
- Downtendring vulnerability threshold
- License to code
We will explore:
- Security Gates and why they do not always work in dev-ops
- Security governance: how to avoid starving innovation but do a security review
- ESF: Enterprise Security Framework - Different between products, Environment/Platforms and applications
- Modern SLDC cycle:
- How to secure the design phase (design and requirements)
- How to secure dev and test
- How to convert threat modelling in use stories
- Risk management and roles in DEV-SEC-OPS
- How to Deploy in the production ensuring that the artifacts have been reviewed (break the pipeline vs trust and verify)
- Prioritizing Vulnerabilities using CVE, Metaexploit code availability, Impact assessment
Speaker Bio:
Hi, I’m Francesco (aka @Franksec42 on twitter), your friendly cyber and cloud security avocado(advocate). I’m a Chief Information Security Officer (CISO) and cybersecurity advisor who specialises in strategy and cloud security. Fueled with passion, curiosity and dissatisfaction for the status quo, I believe in protecting identities in cyberspace and creating a safer, more connected world for future generations. I'm currently helping HSBC building their cybersecurity architecture practice and I’m acting virtual CISO for ELEXON. My motto is if you are cybersafe I'm cyberhappy. In my spare time, I’d love to give back to the cybersecurity community and I'm a keen contributor. I’m the co-author of several books on network and security. As part of that, I’m chairing the Cloud security alliance UK and active member of ISC2.
I’ve launched the #MentoringMonday community together with the support of Jane Frankland and Tanya Janca. The mentorship community is inclusive with a focus to empower women in cybersecurity as well as young minds. I am a mentor and coach in the community and I’ve launched the activity in order to help the future generation of cybersecurity expert. As part of the mentoring, I'm committed in supporting women in cyber with mentorship, education and guidance.
I've delivered effective cybersecurity transformation for my client in Financial services such as Nationwide, Charles Taylor, Capita Asset Management, Link Asset Management.
I've also delivered a cybersecurity improvement programme for different sectors, amongst my clients: United Nations (WFP and FAO), National Lottery (Camelot), Vodafone, BT, Telecom Italia.
