#CiscoLive
Using Full Stack Observability to align application security and lifecycle management
Luis Bravo, CX PM Team
Session BRKAPP-2004
2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Why do we need application security
- Securing on the left or the right
- Security compliances
- Application security within Full Stack Observability
- Conclusion

Why do we need application security
- 800%: increase in nation-state initiated cyber attacks since the start of the Russia-Ukraine War (The Register, "Cyberattack Escalation", March 2022).
- $6 trillion: global impact of cybercrime, cost siphoned from beneficial investment to combat cybercrime (Source: Herjavec Group 2021 estimate).
The stakes are different for security.

Modern IT support operations must include application security
Organizations are now being challenged by their customers, partners and enterprise users to digitize their business processes, turning them into software-developed applications. Enterprise capabilities affected: technology, innovation, operational efficiency, growth, customer, competition, security posture. Securing those new software products is necessary to protect all business data.

Security must be a priority when developing apps
Maximizing application resiliency: finding the vulnerabilities before the bad guys do.
- Scope: Cloud and Applications, Enterprise Networks, IoT Ecosystems, Operations.
- Activities: Secure Design Reviews, Continuous Breach Resiliency, Technical Security Assessments, Red Team & Penetration Testing.

Develop an Application Security Framework
The framework spans three tiers (Strategy, Execution, Management) and covers: Compliance; Application Risk Criteria; Application Architecture; Application Security Tools & Solutions; Measurement & Metrics; Audit & Oversight; Secure Development Lifecycle; Contract Management; Threat Modeling; Awareness & Education; Configuration & Change Management; API Management; Requirements Definition; Roles Definition; Compliance Controls; Security Testing; Application Vulnerability Management; Profiling & Classification; Contingency Planning; 3rd Party Portfolio Management; Data Security; Identity & Access Management; Incident Response & Forensics; Mobile Application Management.

Securing on the left or the right

Shifting left or right: minimizing vulnerabilities throughout the lifecycle
- Design: Security Design and Architecture Assessments.
- Development: Penetration Testing & Remediation.
Exposure over the lifecycle:
- High exposure: the initial system design presents several critical threats.
- Confidence: identification and mitigation of vulnerabilities drastically reduces exposure.
- Design refinements: countermeasures and strategic technology choices mitigate risks before they are introduced.
- High-risk vulnerabilities / new bugs: misunderstandings and compromises introduce new vulnerabilities during implementation.

Managing and identifying vulnerability risks
Delivery pipeline stages at which vulnerabilities are identified: Code commit, Code build, Unit test, Merge to trunk, Integration testing, Regression test, Deploy to Pre-prod, Deploy to Production.
Identify vulnerabilities and security risks (example): SQL Injection identified; Application Risk identified.
How some organizations manage application security risks:
- Avoid: early remediation or an alternative solution.
- Accept: accept low risk and go live.
- Mitigate: implement a service or control mechanism.
- Transfer: hire an external entity to own risk management.
Specific services
"I want to know the security posture of my ... and how to improve it."
- Applications and Systems: Application Penetration Test and Security Assessments; Application Design Assessment; Code Review; Software Development Lifecycle Assessment and Advisory; Cloud Application Migration; Threat Modelling.
- Networking & Infrastructure: Network Design Assessment; Network Penetration Test; Network Vulnerability Assessment; Host/Server/DB Build Review; Cellular Radio Access Network Assessment; Wireless Assessment/Penetration Test; Breach Resiliency Subscription.
- Physical Components or Operations: Physical Security Assessment; Mobile Device Assessment; Digital Profiling; DevSecOps Assessment; Phishing; Physical Penetration Test; OT Assessment (SCADA/ICS); Hardware & Device Testing; Connected Vehicle Testing.

Process fit
- Design: create or modify the system design; produces product specifications.
- Architecture Assessment & Threat Modeling (expertise): identify threats, best-practice gaps and countermeasures.
- Development: produces a new release.
- Penetration Test & Code Review (expertise): testing and analysis of the release; verify that countermeasures are effective.

Application penetration process flow
1. Intelligence Gathering: define targets; define objectives; obtain target intelligence; identify applicable attack vectors and threat agents; Open Source Intelligence (OSINT) gathering.
2. Map Attack Surface: identify and map available functionality; perform scanning to identify hidden features; document different authorization levels and user types; research applicable threats to discovered system assets and software; prioritize attacks based on testing objectives.
3. Vulnerability Scanning: fuzz known inputs and analyze responses; identify injection attacks; test for common misconfigurations; discover verbose errors or sensitive information; circumvent security controls.
4. Manual Testing: manually verify scanner results; exploit vulnerabilities to gain additional access or bypass controls; chain exploits together to achieve further compromise; test authentication and authorization bypasses; exfiltrate sensitive data.
5. Delivery and Closure: eliminate false positives where possible; investigate potential business impact; investigate and develop remediation strategies; provide technical and strategic recommendations; additional workshops.
Example: mobile application (business value & risk reduction)
1. Challenge: securing user data in transit and at rest against potential attackers; securing the web service endpoints against potential attackers; potentially adverse business impact of publishing insecure software.
2. Solution: a security assessment produces a prioritized list of must-fix issues along with remediation advice; executive presentation proving business impact; targeting specific concerns rather than the entire surface.
3. Results: securing user data in transit and at rest against potential attackers; securing the web service endpoints against potential attackers; potentially adverse business impact of publishing insecure software.
Securing mobile applications through penetration testing and application security.

Common web app findings during penetration testing
- Injection attacks: SQL Injection; XML External Entity (XXE) Injection.
- Client-side attacks: Cross-Site Scripting, XSS (Reflected/Stored/DOM Based); Cross-Site Request Forgery (CSRF); Insecure Redirection.
- Controls bypass: Broken Authentication; Horizontal/Vertical Authorization Bypass; Business Logic Errors; Timing Attacks.
OWASP (Open Web Application Security Project) Top 10 Vulnerabilities: 1 Injection; 2 Broken Authentication and Session Management; 3 XSS; 4 Insecure Direct Object References; 5 Security Misconfiguration; 6 Sensitive Data Exposure; 7 Missing Function Level Access Control; 8 CSRF; 9 Using Known Vulnerable Components; 10 Unvalidated Redirects and Forwards.

Worsening trends confirm a capability struggle
- 1,108 cyber security breaches in 2020.
- 1,862 cyber security breaches in 2021.
- 68% increase in reported breaches from 2020 to 2021.
Source: CNET Data Breach 2021 Report, Jan. 2022.

Customer pain is real and similar to ITOps problems
- $9.05M: average cost to contain a breach in the US, with 38% of this cost from lost business ("Cost of a Data Breach Report 2021," Ponemon Institute, https://www.ponemon.org/).
- 287 days: average time to identify and contain a data breach (same report).
- 200 days to detect that a breach occurred!
- 60%: breaches with data exfiltrated in the first 24 hours (Source: Cisco Security, 2020).

Security compliances

Meeting internal and external security policies
- Policy: governance, risk and compliance; security roadmaps.
- Standard: defines security standards (i.e. encryption).
- Guideline: security guidance is non-mandatory.
- Procedure: procedural steps to implement standards or guidelines.

Legal and regulatory compliance
- Information Security + Privacy: ISO 2700X, i.e. ISO 27001/27017/27018/27701; SOC 2 Type II and SOC 3; Cloud Computing Compliance Controls Catalog (C5); FedRAMP; Cisco's Quality Management System, ISO 9001; CSA STAR L2.
- Cross-Border Transfers: Binding Corporate Rules; APEC cross-border privacy rules; EU Standard Contractual Clauses.
- Regulatory: HIPAA, GDPR, FERPA, COPPA, PIPEDA, PHIPA, CCPA, PCI.
Regulations, international and local, are continually assessed.

Business applications with the highest security risk
- 42% Customer-facing web apps
- 40% Legacy applications
- 30% Mobile applications
- 28% Desktop applications
- 26% Internal-facing applications
- 26% Business applications
Source: Cybersecurity Insiders, Application Security Report 2022.

Application alignment with compliances
Application security frameworks: ISO 27001/27002; HIPAA and HITECH; Payment Card Industry Services.
Expertise is needed for the following:
- Understand and satisfy regulatory requirements.
- Build a compliance roadmap that bridges existing practices and certification goals.
- Take advantage of the knowledge gained for broader security maturity.
Benefits:
- Reduce costs by avoiding penalties imposed when you are not in alignment with regulations.
- Faster adoption.
- Align audit cycles.
- Improve agility to keep up with constantly changing business models.

App security within Full Stack Observability

Use cases and solutions
- Use cases: hybrid application monitoring; modern (cloud-native) application monitoring; app dependency monitoring; customer digital experience monitoring; hybrid cost optimization; app resource optimization; application security; partner solutions & custom use cases.
- Business context: business impact, business risk, business experience, business operations.
- Applications: performance monitoring; network and internet monitoring; application security monitoring and action; user digital experience monitoring (DEM); application resources optimization; multi-cloud infrastructure and cost.
- Services: X-MELT | Advanced traces | Advanced correlation and insights (real time and predictive) | Transformation | AI/ML.
- Platform: OpenTelemetry | Network telemetry | Security telemetry | Cloud advanced telemetry. Extensibility (entity and object models / MELT workflows / IO / RBAC / user interface, etc.).
Cisco Full-Stack Observability Architecture Foundation.

Full Stack Observability with a focus on application security
- App team: focused on velocity & user experience.
- Security team: focused on vulnerabilities & threats.
Secure application use cases at runtime
- Detect vulnerabilities: Common Vulnerabilities and Exceptions with code-level correlation.
- Detect attacks: spot common vulnerabilities, correlated runtime exploits and zero-day attacks (like Log4j).
- Block attacks: policy-level blocking that stops bad actors even if vulnerabilities exist.
Security insights are provided with application and business context. Fast to deploy, immediate time to value, and performant for all environments.

Your teams need to see the full stack of available data
Example application surfaces: E-Commerce, Location, Personalization, Chat, Scan and go, POS, Consumer. Teams involved: NetOps, AppOps and DevOps, InfraOps, AppSec and SecOps.

Application security at the center of business
- Protect from the inside out.
- Prioritize by business impact.
- Collaboration between AppOps and SecOps.

Applications require a new security approach
New applications require new protections:
- They run anywhere, so security must sit CLOSER to the application.
- They change constantly, so security must CONTINUOUSLY automate.
- They are unique, so security must be ADAPTIVE for the application.
Empowering the digital enterprise to operate with speed and security.

Cisco FSO Security solution: extended detection and response to boost productivity
- Integrated with Kenna Security: detailed vulnerability insights to prioritize the right vulnerabilities to address.
- Integrated with Panoptica: expose 3rd-party API security issues (vulnerabilities, TLS (Transport Layer Security) issues, ...).
- Integrated with Talos Intelligence: identify bad actors.
- Hunt for threats in SecureX: give a more complete picture of an incident.

What is Business Risk Observability?
Business risk combines the likelihood of exploit (from security insights and application context) with the impact of a breach (from business and application context). Entities considered: Library, Vulnerabilities, Services, App, Business Transactions, Code, Data, Threat.

Risk scoring
- Inputs: Business Impact; Kenna Vulnerability Intelligence; Threats and Attacks; 3rd-Party Vulnerabilities; Talos Block List; Panoptica API Intelligence.
- Leverage app and business data: create a customer-specific view of security risk; security insights in transactions.
- Merge findings and intel from Cisco Talos, Panoptica, Kenna, Snyk.
- Continuously assess the score: evaluate all changes to reflect real-time risk.
- Stack-ranked risk: prioritize remediation and mitigation efforts by what matters to the business.

Demo

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)! Attendees will also earn 100 points in the Cisco Live Game for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos.
- Book your one-on-one Meet the Engineer meeting.
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs.
- Visit the On-Demand Library for more sessions at www.CiscoL

CX helps you identify and deliver exceptional digital experiences
We assess your use cases, implement KPIs, and deliver recommendations for optimizing your application and networking experience.
How we can help:
- Strategy and solution discovery: discover and document business and technical use cases, identify sources of information and drive the observability roadmap.
- Assessments: assess application and networking environment readiness to gather the necessary metrics.
- Optimization and monitoring support: unleash the full power of full-stack observability tools.
- Knowledge transfer: receive consulting support with dedicated advisors driving recommendations.
- Planning, design, implementation: accelerate success implementing unified dashboards and correlating available information for business-related KPIs.
- Learning | Certifications: empower your workforce with efficiency and innovation.
You don't have to do it alone. For more insight, visit the Cisco CX Booth (#3310) in the World of Solutions for Lightning Talks and Demos.
Optimize the user experience with the power of FSO.
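The Business Risk Observability and Risk Scoring slides above describe combining the likelihood of exploit with the business impact of a breach, merging vulnerability, threat and API intelligence, re-evaluating the score whenever something changes, and stack-ranking the result. The Python below is an added example written for this page; it is not Cisco's, Kenna's, Talos's, Panoptica's or Snyk's scoring logic. The weights, the signal names, the business-context tables and the VULN-A to VULN-D findings are all constructed for illustration.

```python
"""Illustrative business-risk scoring: likelihood of exploit x impact of breach.

Added example. The weights, the signal names and the sample data are
constructed for illustration and are not any vendor's real scoring model.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    vuln_id: str                   # vulnerability identifier (placeholder ids below)
    service: str                   # service or library where the vulnerability sits
    severity: float                # 0-10 technical severity, e.g. a CVSS base score
    exploit_intel: float           # 0-1 exploit availability / prevalence signal
    runtime_attack_seen: bool = False   # an attempt against this vuln was observed at runtime
    threat_list_hit: bool = False       # the attacking source matched a threat block list
    business_transactions: Tuple[str, ...] = ()  # business transactions the service serves


# Constructed business context (what an "impact of breach" model needs):
# criticality of each business transaction and data sensitivity per service.
TRANSACTION_CRITICALITY: Dict[str, float] = {
    "checkout": 1.0, "login": 0.9, "search": 0.4, "newsletter": 0.1,
}
SERVICE_DATA_SENSITIVITY: Dict[str, float] = {
    "payments-api": 1.0, "auth-svc": 0.9, "catalog": 0.3, "marketing": 0.1,
}


def likelihood(f: Finding) -> float:
    """Likelihood of exploit in [0, 1] from security insights.

    Exploit intelligence dominates, technical severity adds a little, and
    runtime evidence (an observed attack, a block-listed source) raises it.
    """
    score = 0.5 * f.exploit_intel + 0.2 * (f.severity / 10.0)
    if f.runtime_attack_seen:
        score += 0.3
    if f.threat_list_hit:
        score += 0.1
    return min(score, 1.0)


def impact(f: Finding) -> float:
    """Impact of breach in [0, 1] from business and application context."""
    criticality = max(
        (TRANSACTION_CRITICALITY.get(t, 0.0) for t in f.business_transactions),
        default=0.0,
    )
    sensitivity = SERVICE_DATA_SENSITIVITY.get(f.service, 0.0)
    return 0.6 * criticality + 0.4 * sensitivity


def business_risk(f: Finding) -> float:
    """Business risk score in [0, 100]: likelihood x impact."""
    return 100.0 * likelihood(f) * impact(f)


def stack_rank(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Stack-ranked risk: highest business risk first, scores rounded for display."""
    ranked = sorted(findings, key=business_risk, reverse=True)
    return [(f.vuln_id, round(business_risk(f), 1)) for f in ranked]


def apply_runtime_event(findings: List[Finding], vuln_id: str,
                        source_on_block_list: bool) -> List[Finding]:
    """Continuous reassessment: fold a newly observed runtime attack into the
    findings without mutating the originals, so the score can be re-evaluated."""
    return [
        replace(f, runtime_attack_seen=True,
                threat_list_hit=f.threat_list_hit or source_on_block_list)
        if f.vuln_id == vuln_id else f
        for f in findings
    ]


# Constructed findings. VULN-A and VULN-B share the same technical severity;
# only the business context differs.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("VULN-A", "payments-api", 9.8, 0.3, business_transactions=("checkout",)),
    Finding("VULN-B", "marketing", 9.8, 0.9, business_transactions=("newsletter",)),
    Finding("VULN-C", "auth-svc", 6.5, 0.2, business_transactions=("login",)),
    Finding("VULN-D", "catalog", 7.5, 0.5, business_transactions=("search",)),
]


if __name__ == "__main__":
    print("initial ranking:", stack_rank(SAMPLE_FINDINGS))
    # A runtime attack against VULN-C from a block-listed source is observed.
    updated = apply_runtime_event(SAMPLE_FINDINGS, "VULN-C", source_on_block_list=True)
    print("after runtime event:", stack_rank(updated))
```

Two things the slides state become visible in the numbers: VULN-B carries a higher exploit signal and the same severity as VULN-A, yet ranks last because the newsletter service carries no business-critical transaction or sensitive data, and a single runtime observation against the login service moves VULN-C from second to first without any change to its CVSS-style severity. The findings are immutable and the event handler returns a new list, so each reassessment is a pure recomputation that can be re-run on every change.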
Innovate with Cisco-certified application experts. Stay agile to resolve application issues with predictable analytics. Discover how full-stack observability services accelerate outcomes.

Where Partner Managed and as-a-Service Sales is showing up at Cisco Live
- 11 sessions (1 Customer Success, 2 PSOs, 6 Breakouts, 2 Dev).
- Partner Day: Tuesday, June 6th, 10:00 am-1:00 pm; Alexandra Zagury presentation.
- Partner Managed Services Booth (#2217) in the World of Solutions.
- Meet the Executive: Alexandra Zagury.
- Meet the Engineer: Sanjit Aiyappa.
- Private meeting room for PMaaS & APO partner/customer meetings (location TBD).

Partner Managed and as-a-Service Sales sessions, Monday June 5 to Thursday June 8
- Partner Day: Tuesday June 6, 10:00-1:00.
- BRKNWT-2208, Driving network automation through application visibility and event correlation (Russ, Aleksas): Monday June 5, 10:30-11:30.
- DEVWKS-2768, Demystifying Cisco FSO Stack APIs (Anuj): Monday June 5, 12:00 noon.
- PSOGEN-1033, Unlock business outcomes from connectivity with a Private 5G solution (PK): 2:30-3:00, WOS.
- CSSMER-1008, TBD (Hector): 4:00-5:00.
- BRKIOT-1127, Build pervasive wireless mobility in industrial environment (Karan): 4:00-5:00.
- PSOGEN-1044, How to generate new revenue streams while enhancing customer experiences and engagement: A use case story (Sanjit): new time 1:00 or 2:30, WOS.
- BRKGEN-1366, From Zero to Managed Campus using Cisco DNAC (Hector): 2:30-3:30.
- BRKGEN-2000, Demystifying Cisco FSO Stack APIs: Building a secure code pipeline with Concourse CI and Vault Integration (Anuj): Wednesday June 7, 4:00-5:00.
- BRKGEN-2001, Cisco P5G: A Robust and Secure Architecture (Rajneesh): 1:00-2:00.
- BRKXAR-2014, Managed Service Provider: Creating a Single Touch-Point for Multiple Cisco Architectures using APIs and increasing their operational efficiency (Sunil): 1:00-2:00.
- DevNet-2278, Using IoT + Collab + Meraki APIs for a safer return to school (Hector): 2:00-2:45, DevNet Classroom 2.

Partner Managed and as-a-Service CLUS FSO-related sessions

BRKNWT-2208: Driving network automation through application visibility and event correlation. Speakers: Russ Atkin, Aleksas Vitenas. 6/5, 10:30-11:30.
Abstract: The trend is clear: automation and machine learning are helping IT teams support more strategic initiatives for the business. AIOps tools are accelerating this trend by shrinking mean time to resolution (MTTR) and helping IT leaders better support user experience. We will discuss how Cisco can help you enhance observability across the network and cloud-native environments. By augmenting observability with AIOps tools, a vast improvement in operational efficiency is quickly becoming a reality. In this session, we will illustrate how Cisco is supporting our partners with programs that provide a blueprint to deploy observability-driven operations, by leveraging best-in-class Cisco infrastructure with observability innovations into AIOps platforms with open, extensible APIs. This Full-Stack Observability use case improves overall customer experience and will significantly lower Mean-Time-to-Isolation (MTTI) in complex multi-domain environments. We also discuss a functional architecture for AIOps.

BRKGEN-2000: Demystifying Cisco FSO Stack APIs: Building a secure code pipeline with Concourse CI and Vault Integration. Speaker: Anuj Modi. 6/7, 4:00-5:00.
Abstract: The DevOps culture brings a new change to the IT industry by bringing developers and operations teams together to build better products using automation, CI/CD, and APIs. This session will walk through a modern cloud-native development methodology to build the code pipeline for testing and development with Cisco FSO APIs. It covers the fundamentals of the Cisco FSO API stack, including all of its components, like AppDynamics, ThousandEyes, and Intersight, to integrate with your own products or third-party products. The takeaway is detailed information on building a lab using the AWS cloud provider, HashiCorp Vault, container repositories, a source code repo, Kubernetes, and AWS APIs to create a pipeline for the entire infrastructure as code.

DEVWKS-2768: Demystifying Cisco FSO Stack APIs. Speaker: Anuj Modi. 6/5, 12:00 noon.
Abstract: same as BRKGEN-2000 above. New this year: DevNet workshop seating is pre-registered; pre-registered attendees are seated first. There are only 20 laptops available for this session. This is a hands-on DevNet Workshop where you code along with an instructor.

Partner Managed and as-a-Service CLUS FSO-related complementary sessions (cross promotion: CTA to the PMaaS Booth, promote our sessions)
- BRKAPP-2007, Cisco FSO Platform and 2 partner use cases: Ben Haddox.
- LTRAPP-2682, Building Observability Solutions on the FSO Platform: Renato Quedas.
- PSOAPP-1009, Extend observability with Cisco FSO Platform: Yogesh Ranjan.
- BRKAPP-1013, Empower a new observability ecosystem with an open and extensible Cisco FSO Platform: Sunder Parameswaran, Renato Quedas.
- BRKAPP-2008, Cisco FSO Platform and partner use cases: Luca Relandini.
- BRKAPP-2632, Adopt Cisco Full-Stack Observability to Accelerate Cloud Migration: Subarno Mukherjee.
- IBOCLD-2020, An Interactive Discussion on Why Organizations Need an FSO Platform: Luis Bravo.

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.
BRKAPP-2004 #CiscoLive
81、l rights reserved.Cisco Public#CiscoLive45Gamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123445 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKAPP-2004#CiscoLive