EdTALK: Paying it Forward – Securing Technology in the Payment Ecosystem

Historical approaches to IT security have been driven by primary colors – red teams attack, blue teams defend. This leaves technical teams color blind as to how hackers exploit the very software they are tasked with building and protecting.

Purple Teaming is a collaborative approach organizations use to improve their security posture during the attack exercise to capture immediate value and foster a real-world defensive approach. This strengthens a team’s understanding of abuse cases so they can employ effective controls from requirements through deployment.

Attend this talk to learn how to embed an exploit mentality into technical teams, which results in a reduced attack surface, fewer security vulnerabilities, and accelerated feature release.

Historical approaches to IT security have been driven by primary colors – red teams attack, blue teams defend. This leaves technical teams color blind as to how hackers exploit the very software they are tasked with building and protecting.

Purple Teaming is a collaborative approach organizations use to improve their security posture during the attack exercise to capture immediate value and foster a real-world defensive approach. This strengthens a team’s understanding of abuse cases so they can employ effective controls from requirements through deployment.

Attend this talk to learn how to embed an exploit mentality into technical teams, which results in a reduced attack surface, fewer security vulnerabilities, and accelerated feature release.

From executives to software developers and database administrators, each role plays an important part in protecting privacy data. But what does an effective privacy program look like for the teams that build and operate the software applications that powers your enterprise?

This webcast will describe how to build powerful policies that can be easily understood and implemented in today’s continuous delivery and DevOps approaches.

Topics include:

Privacy Concerns for Software Applications
Threats, Regulations, and Laws
Guidelines for Building Privacy Policy
Privacy Engineering Principles
Data Collection, Retention, and Consent

This Webcast is ideal for policy makers, program leads, compliance managers, and privacy officers. Development and IT Operations teams will also gain valuable insight into how to protect data throughout the entire application lifecycle.

From executives to software developers and database administrators, each role plays an important part in protecting privacy data. But what does an effective privacy program look like for the teams that build and operate the software applications that powers your enterprise?

This webcast will describe how to build powerful policies that can be easily understood and implemented in today’s continuous delivery and DevOps approaches.

Topics include:

Privacy Concerns for Software Applications
Threats, Regulations, and Laws
Guidelines for Building Privacy Policy
Privacy Engineering Principles
Data Collection, Retention, and Consent

This Webcast is ideal for policy makers, program leads, compliance managers, and privacy officers. Development and IT Operations teams will also gain valuable insight into how to protect data throughout the entire application lifecycle.

IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.

This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis. 

About the Speaker
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since its inception in 2002 and took over as CEO in 2003. Ed is a Research Fellow at The Ponemon Institute, serves on the board of several IT security organizations, and was named a Privacy by Design Ambassador by the Information and Privacy Commissioner of Canada.

IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.

This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis. 

About the Speaker
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since its inception in 2002 and took over as CEO in 2003. Ed is a Research Fellow at The Ponemon Institute, serves on the board of several IT security organizations, and was named a Privacy by Design Ambassador by the Information and Privacy Commissioner of Canada.

Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.

Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.

Topics covered:

• Properly protecting stored cardholder data - encryption, hashing, masking and truncation

• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security

• How to identify and mitigate missing encryption

Sensitive data is vulnerable when it is stored insecurely and transmitted over open networks. The PCI Security Council takes a hard line on protecting cardholder data and describes specific methods to comply with its standards.

Attend this webinar to better understand methods that make data theft more difficult for attackers and render stolen data unusable.

Topics covered:

• Properly protecting stored cardholder data - encryption, hashing, masking and truncation

• Securing data during transmission - using strong cipher suites, valid certificates, and strong TLS security

• How to identify and mitigate missing encryption

Millions of cars with tens of millions of lines of code are already talking to servers and each other. According to the Ponemon Research Institute, 63% of manufacturers test less than half of the technologies in your car for vulnerabilities and only 33% train developers on secure coding methods.

However, there is a new IT system going into cars that was built with security and privacy by design. This “Talking Cars” safety of life program, which is estimated to save 10,000 lives per year, is one of the few automotive technologies that is secure and private for drivers.

This webinar discusses the trade-off between safety, privacy, and convenience. It will also examine the 10-year Privacy by Design system used in “Talking Cars” and how other technology projects can benefit from similar due diligence.

Topics:
• Connected cars – threats and attack surface
• Review of the most current research on automotive IT security and privacy
• Blueprint for excellence: Security & Privacy in the “Talking Cars” program

Though basic knowledge of cybersecurity and privacy is helpful, this webinar is for anyone who wants to better understand connected car technology and how to design resilient IT systems. The speakers, Dr. Larry Ponemon and Ed Adams, are experts in their field and deliver this information-rich webinar.

Millions of cars with tens of millions of lines of code are already talking to servers and each other. According to the Ponemon Research Institute, 63% of manufacturers test less than half of the technologies in your car for vulnerabilities and only 33% train developers on secure coding methods.

However, there is a new IT system going into cars that was built with security and privacy by design. This “Talking Cars” safety of life program, which is estimated to save 10,000 lives per year, is one of the few automotive technologies that is secure and private for drivers.

This webinar discusses the trade-off between safety, privacy, and convenience. It will also examine the 10-year Privacy by Design system used in “Talking Cars” and how other technology projects can benefit from similar due diligence.

Topics:
• Connected cars – threats and attack surface
• Review of the most current research on automotive IT security and privacy
• Blueprint for excellence: Security & Privacy in the “Talking Cars” program

Though basic knowledge of cybersecurity and privacy is helpful, this webinar is for anyone who wants to better understand connected car technology and how to design resilient IT systems. The speakers, Dr. Larry Ponemon and Ed Adams, are experts in their field and deliver this information-rich webinar.

Attitudes toward privacy have an amazingly broad spectrum. Laws like CCPA and GDPR are forcing organizations to build privacy programs, but their robustness varies significantly based on geography, industry, and consumer views. Counter forces of IT Security, Data Breaches, and IoT put privacy at risk every day. Come listen to 3 industry experts discuss privacy in the context of today’s digital world. They will discuss the organizational impacts of privacy, compliance drivers, and the difference between data security and data privacy.

Topics include:
• Impacts of emerging technologies (5G, Artificial Intelligence, etc.) on privacy programs
• How the WFH movement has changed corporate privacy and security strategies
• Findings from the recent study "Privacy and Security in a Digital World” by The Ponemon Institute
• The battle between security and privacy (corporate, law enforcement, compliance, personal)
• Practical tips on how to protect both privacy and data security

The cloud offers near-instant scale and numerous security features that organizations can leverage; however, it’s not that way by default. Despite wide adoption of cloud services, many organizations remain unprepared and unknowingly expand their attack surface. Gartner predicts that by 2025, 99% of cloud security issues will be the customer’s fault.

The proliferation and complexity of software-enabled systems have amplified risk for many organizations. Conventional approaches to software security don’t work, typically encompassing no more running vulnerability scanning. Executives need a better way to understand which products, systems, and teams are putting their enterprise at most risk – and deploy appropriate action plans.

SToRM represents a new approach for enterprises to more effectively assess and protect software-dependent IT systems. Change your approach – evolve from a vulnerability focused approached to risk-based one. Learn pragmatic steps to ensure you’re mitigating the most risk with limited resources, time, and budget.

Topics include:

• Why traditional approaches aren’t working
• How to identify risks at the business workflow and IT system levels
• Techniques to calibrate assessment and mitigation efforts

DevOps brings the potential of faster time to market and higher quality software applications.  But to accelerate adoption or realize its full benefit, organizations need to adapt to the policy, staff, and technology changes that inherently accompany it.   

Join us for an educational webinar that examines DevOps from an implementation and risk perspective and how to minimize organizational impact.

Topics include:
* What’s the difference? DevOps vs. other development approaches
* Third-party risk:  COTS, open source, and cloud
* Implications of accelerated development and automation 
* Making room for DevOps: organizational changes

Principle-based approaches have long been at the core of “traditional” engineering disciplines. However, when it comes to building software and IT systems, best practices around encryption, access control, and authorization are often lackluster. The ability to understand and apply security concepts is essential to protecting today’s digital business.

Join host Ed Adams, a Ponemon Institute research fellow, for a panel discussion with security professionals whose collective experience spans Fortune 500 technology, financial services, and medical device industries.

JOSHUA CORMAN
Founder of I Am the Cavalry (dot org). His approach to security in the context of human factors, adversary motivations, and social impact has helped position him as one of the most trusted names in security.

UMA CHANDRASHEKHAR
Leader of the Global Information Product Security function at Alcon. She holds several patents in information security, privacy, and reliability and was an invited council member of the U.S. Federal Communications Commission’s Security, Reliability, and Interoperability Council (CSRIC).

MARK MERKOW
CISSP, CISM, CSSLP. A prolific author and advocate for building security into the SDLC with software-quality and security activities, tools, processes, and education.

Topics to be discussed:

* Why and for whom are security principles important?
* Have principles become a lost art form, or did they never really take off?
* What is the most underutilized principle? Does it vary based on tech stack and deployment?

FREE GIVEAWAY
We'll also be raffling off three copies of Mark Merkow's latest book "Secure, Resilient, and Agile Software Development" during the webinar.

The cloud offers near-instant scale and numerous security features that organizations can leverage; however, it’s not that way by default. Despite wide adoption of cloud services, many organizations remain unprepared and unknowingly expand their attack surface. Gartner predicts that by 2025, 99% of cloud security issues will be the customer’s fault.

Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.

Attend this webcast to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.

Topics include:
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling

Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).

Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.

Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.

Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder

Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.

This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:

* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”