SecAppDev 2022 Lecture Details

Enterprise security architecture and app development

Stefaan Van daele
Monday June 13, 11:00 - 12:30
Short description

Developing secure code is a good start, but what more could you do from a security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.

Abstract

Enterprise Security Architecture (ESA) is largely unknown to most application developers. Developers' primary security focus is on passing application security tests, which is only part of the picture.

This session provides a brief introduction to ESA as a governance model for the CISO office. We explore how design principles, like zero trust, could be applied to solution design and what governance could mean in practice in a DevOps context. Since an ESA looks after all aspects of IT Security, it provides more contextual guidance for application developers.

Key takeaway

How Enterprise Security Architecture could help to improve the security posture of the applications developed for your organisation.

Content level

Introductory

Target audience

Application Developers, IT Architects and Security Architects

Prerequisites

Basic knowledge of how IT security is organised in an enterprise

Stefaan Van daele

Executive Security Architect, IBM

Stefaan has more than 30 years of experience in IT and joined IBM in 1997. He is a Security Architect and, in that role, he fulfilled several positions at European and global level. His focus is both on security by design and effective security operations in support of an Enterprise Security Architecture. In his current role, he is assisting organisations in Europe with their journey to Cloud. He is also the global Lead Architect for the IBM Zero Trust Acceleration Services solution and the Secure Access Services Edge solution. He is co-author of the IBM Security Blueprint V3 Redbook.



Related security processes sessions

Hands-on threat modeling

One-day workshop by Sebastien Deleersnyder

This is a Threat Modeling course for DevOps Engineers to improve the reliability and security of delivered software. We will teach an iterative and incremental threat modeling method.

You will perform threat modeling in 4 sprints. Exercises are built upon a fictional system, migrating a legacy system towards a cloud application:

  • Modeling a hotel booking web and mobile application, sharing a REST backend
  • Threat identification as part of migrating the system to AWS
  • AWS threat mitigations for the booking system built on microservices
  • Building an attack library for CI/CD pipelines

Security processes Thursday June 16, 09:00 - 17:00

Solid foundation for a secure future

Lecture by Jaya Baloo

How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.

Security processes Wednesday June 15, 16:00 - 17:15

Everything-as-Code - Ideas for a new world of AppSec

Lecture by Abhay Bhargav

Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.

Security processes Tuesday June 14, 11:00 - 12:30

Level up your threat modeling practice

Lecture by Sebastien Deleersnyder

We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modeling into an established, reliable practice.

Security processes Tuesday June 14, 14:00 - 15:30

Persona-based security and threat-modeling

Lecture by Deepak Subramanian

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits, a small exercise will be held to build a persona-based organizational threat model.

Security processes Wednesday June 15, 14:00 - 15:30