micro focus presentation template · accenture has developed a repeatable methodology supported by...

Tara Khanna Managing Director


Post on 18-Apr-2020


TRANSCRIPT

Page 1: Micro Focus Presentation Template · Accenture has developed a repeatable methodology supported by ... Security can easily be integrated into your organization’s existing DevOps

Tara Khanna, Managing Director

Page 2

ACHIEVING SECURITY AT SPEED AND SCALE

Tara Khanna, Managing Director - Application Security

September, 2018

ACCENTURE SECURITY

Page 3

Copyright © 2017 Accenture Security. All rights reserved.

SECURING THE DELIVERY LIFECYCLE

20-30% faster development

Up to 30x less remediation cost

30-50% less staff required

Culture shift – security as part of the project team

Opportunities

• Change is constant and fast
• Virtualization is now a fact of life
• How do we continue delivering at speed in highly virtualized environments SECURELY?

DEV OPS


Framework

Accenture has developed a repeatable methodology supported by industrialized tools and processes to quickly integrate security into your SDLC

SEC

Outcomes

Page 4

Copyright © 2018 Accenture Security. All rights reserved.

ACHIEVING SECURITY AT SPEED AND SCALE

PROGRAM MANAGEMENT, STRATEGY, AND GOVERNANCE

ANALYTICS & STRATEGY | ORG & DEV ENABLEMENT | COMPLIANCE

FOUNDATIONAL ENABLERS

• Automation
• Job relevant security enablement and self-service tools
• Security frameworks & trusted libraries
• On demand security services
• Secure CI/CT/CD

PRODUCT DEVELOPMENT OPERATIONS

• Security validation
• Environment hardening
• I&AM
• SecOps enablement
• Red teaming
• Threat intelligence
• Security use cases

• KPIs
• Roadmap
• Risk approach

• Education & support
• Change management & innovation
• Communities & evangelists

• Regulatory & internal
• Compliance models
• Measurement


Page 5

Security can easily be integrated into your organization’s existing DevOps automation toolset and processes.

Compile & Package

Code Analysis

Run Unit Tests

Create ST env Deploy Code Load Test Data Run Test Harness

Create clustered env

Tear down ST env

Deploy Code Run Perf Test

Run Security Test

Run Ops Test

Tear down ST env

Committer: jdoe

Story:25

Commit ID: 113

Static Dynamic

Requirement Design Scope

Deploy Build Test

• Standard User Stories

• Checklists, job aides

• Threat modeling

• Security Review

• “Security runway” – epics/initiatives

• Risk Rating

User Stories/requirements/Test Cases/priority

Self Service Capabilities:
• Training availability
• Security team engagement
• Templates/Job aides/checklists

Ongoing Operations

Pentest & Simulation

Vulnerability Scanning

Logging/Monitoring

Data Security IR

Backlog

Config mgmt

BDD Security

Scrum Teams Containers

Stakeholders

Input

KPIs & Reporting

Feature requests

Vulnerability management

Security Team (onshore or offshore):
• Interprets report results & tunes tools
• Assists with remediation direction
• Provides on demand, self service capabilities

Governance

FW Mgmt & Runtime

IAM

Note: tools reflected are examples only

CI/CD Team

Tools, monitoring, etc


DEVSECOPS IN ACTION

“Platform Teams”

White Listing

Malware & HIPS

Static Code Scans – IDE


Page 6

GOVERNANCE IMPLEMENTATION
Maturity Assessment, Trainings, KPI Framework & Implementation, Process engineering & implementation, Tool rationalization & optimization and Change Management

THREAT MODELING AS A SERVICE
Scalable staffing model and Threat modeling on demand

ENVIRONMENT BUILD AND RUN
Build and/or enhance custom DevSecOps environment with automation scripts with security embedded in the life cycle.

CONTINUOUS SECURITY TESTING
Enable continuous security testing with static and dynamic tests in CI/CD pipeline. Perform Penetration testing, cloud applications security testing, automation, various vendor toolset

SECURE OPERATIONS AND MONITORING
SIEM integration, Ongoing operations support

SELF SERVICE CAPABILITIES
Security Advisory, Secure requirements, On Demand Security services and Ongoing Operational support


HOW ACCENTURE CAN HELP


KEY DIFFERENTIATORS

TaaS (Testing as a Service) Platform

Client Experience Demo Environment

ADOP Platform