Conf42 Platform Engineering 2024 - Online

- premiere 5PM GMT

Beyond the Code: Building Cyber-Awareness in Platform Development Teams

Abstract

Take your platform development team’s security mindset to the next level with “Beyond the Code: Building Cyber-Awareness in Platform Development Teams.” Learn how to cultivate a culture of cyber-awareness, integrate best practices, and protect your platforms from modern threats. Empower your team!

Transcript

Hello, everybody. How are you doing? My name is Victor, and today I'll be teaching you about a topic called Beyond the Code: Building Cybersecurity Awareness in Your Platform Development Team. So if you are looking to inculcate the best practices into your platform development teams, you will actually find this particular talk useful. By the end of this talk, you should be able to understand some modern threats that your team actually faces as a platform development team and how to elevate the security mindset in your team. So it's important for us to understand that the cybersecurity landscape is evolving. With more improvement in technology, there are also going to be improvements in security threats, so there's a rise of sophisticated threats and improving attack vectors. Attack vectors here simply means the channels through which you can actually be attacked. So for instance, things like IoT systems: you can actually be hacked through your cameras or maybe your fridge, because fridge freezers and fridges today have IoT devices too. They can actually be connected to via the Internet. And there's also an increasing reliance on technology today. Lots of organizations, almost everybody in the world, saw the CrowdStrike event where, because there was a downtime with the CrowdStrike system, airports were shut; their operations were affected. In the world today, technology is like the backbone of most business processes. Yeah, so the first thing to actually look at when you're talking about integrating security into your platform development lifecycle is to have a secure by design mindset. What it means here, the shift-left approach, is that you make sure that whatever you do when you arrive with your designs, maybe you are designing a cloud application or a software...
For instance, you want to make sure that it is secure by design, meaning that you consider security first. It doesn't matter how fancy whatever you're building is; if it's not secure, it can actually be an attack vector through which your system is going to be attacked. There should also be a security testing and analysis piece. What this means is that you should have a very good quality assurance process in place in your platform development team. You shouldn't be in a hurry to move a product, an app or a software, into the production system without adequately testing it. You should have a very good quality assurance system or methodology, and there are also automated security tools you can actually use to achieve this, and there are also different methodologies. You can actually also make sure you do penetration testing. Penetration testing means that you get a hacker to actually target your system to see how and where your system could be vulnerable. You could also do things around static code analysis, where you actually review the source code to see whether there are any bugs, for instance bugs that could actually make you prone to being attacked via an SQL injection attack. Those will be identified with a static code analysis process. It's also very important, if you're looking to have a security-conscious culture, that there should be regular awareness trainings held in your organization, and there should be openness and transparency. What this actually means is that people in your team should be encouraged to speak up when they feel something is wrong. Okay, you should encourage an atmosphere of people speaking up, people not keeping to themselves when they feel something is wrong. It could be the difference between you being cyber safe and you being cyber attacked.
Okay, so it's very important to encourage a community and ambience of open transparency; it is very important for you to maintain a security-conscious culture within your team. Incentives could also be provided to members of your team when a member of your team actually achieves something or is actually like a cyber-safety champion, in the sense that he or she encourages the team to be more cyber-aware. You could actually create awards for those kinds of people and give them awards or maybe a monetary gift to encourage them, so that all the members of the team see that good behaviour is actually encouraged. Going back to the security awareness training: it has actually been found that most companies are not doing a lot to train their staff regularly around cybersecurity. So it's not just enough for you to organize a cybersecurity training when you're onboarding your staff; you should also make sure that it's a continuous process. They should understand the importance of things around having a clear desk policy, things around changing their passwords regularly, things around not sharing sensitive office things on their personal social media, things like that. Those are reminders, nudging your staff to make sure that they don't become an attack vector themselves. Moving towards social engineering: in social engineering, your staff may actually be an attack vector that you could be hacked from. So you have to be very careful. You should also look at implementing secure coding practices on the technical side. We talk about things around form validation. For instance, I spoke about passwords on the previous slide.
When it comes to things around input validation, if you have some sensitive files, for instance, you could also secure them in such a way that the password to access those files would have certain rules and requirements. For instance, it could be that the password must be maybe 15 characters long, where you must have a capital letter, a small letter, symbols and all that. So there must be good input validation built into your system. There should also be secure authentication and authorization systems, things around MFA, multi-factor authentication, to make sure that the person who is logging in or having access to sensitive documents is supposed to be the person having access to them. Okay. So this is very important to know. Then also encryption: it goes without saying, it cannot be overemphasized and it cannot be understated that you need to encrypt sensitive files. Look at the CIA triad: things around the confidentiality and the integrity of your files are so important. So for sensitive details like passwords, or systems at your disposal, you should make sure that you also inculcate things around the least-privilege access methodologies, where anyone who shouldn't have any business having access to a system should not have access to it. It should be encrypted from them. It's only individuals who are authorized to have access to the information, on something like a need-to-know basis, where it is only when they have to know that they would actually have access to decrypt that file and have access to the file. So encryption is very important. Number four would be secure logging and monitoring. This is so important, very important. You need to have a secure logging system that shows who actually logged in, who actually accessed the resource, and when did they access the resource. It cannot be overemphasized.
When you have a cyber attack and you are doing a post-incident recovery, you want to go back and check: at the time of the cyber attack, who accessed this file, who was going through this file. It will help you investigate. So there's a need to have a secure logging system that tracks the time and whatever anybody did in a system. Some organizations use different software to actually track this down, so you need to check for a software that actually works for your project. Then the physical security of your platforms, things around your network security and segmentation: implementing a firewall is non-negotiable. You will need to have intrusion detection systems: Qualys, IBM QRadar, Darktrace; there are different options for you to use, including Microsoft Defender. You should also implement firewalls outside and inside your network if need be. For some organizations, I know your staff probably work remotely. You probably want to get a VPN, establish a site-to-site or secure VPN system to ensure that there's very good segmentation that helps your remote workers connect securely to your network, in such a way that it does not affect your main files. Okay. So that is what network security and segmentation will help you do. Then best practices. You need to have best practices; I've spoken about that in the previous slide. You must also have a good access management system that handles your access and authorization. People who are logging into your systems must have the right login credentials. Okay. If your login process is broken, you might as well know that your systems are not safe. Okay. And you should also do regular scanning to find where you are actually weak. It's a good practice to have penetration testers come to test your systems regularly to know where you are weak.
So you can do that maybe every three months: get a penetration test that will actually test your system. Physical security measures centre around creating barriers to your systems. You should have guards in your data centres. If you have data centres, if your files are on the cloud and you have some offline files stored in data centres, you should have physical gaps, physical barriers, surveillance systems and cameras to protect access to your critical infrastructure. It's very important to have all those in place, and of course you should have an adequate backup measure in place just in case maybe there's a fire, so that your systems are not lost. Make sure you back up your systems properly. Incident response planning cannot be overemphasized. In your organization's security policy, there should be a comprehensive incident response plan as regards the procedures for containing any security incidents you might actually have. You should have a dedicated team, maybe an outsourced dedicated team, that would be tasked with the responsibility of handling any incident you might probably encounter in the course of your day-to-day work. Okay. And of course, there is software that could actually help you with threat intelligence and analysis; I've mentioned some like Darktrace and IBM QRadar. There are lots of them, but you need to work with what works for your budget. Okay. So incident response plan: you should have an incident response plan in your security policy that shows the appropriate response, how you are going to actually deal with the incident, what you are going to do during the incident and after the incident, what steps will be taken so that you don't fall to that same cyber attack next time. Very important. Yes.
So there's a need for continuous monitoring. You have to continuously monitor your systems, because the cyber attackers are not actually sleeping, so you have to continuously check. Though some systems will give you false positives: some software like, I know, Qualys and some other systems sometimes may throw what they call false positives, which might not actually be a cyber threat. You want to make sure that you check very well, you investigate that, you check the logs and check whether this is actually a false positive. But if you see anything unusual in your monitoring and your vulnerability assessment, you raise it up to your line manager to let them know, so that they can take it up and actually neutralize any cyber threat. Lastly, I want to talk about empowering your team. It's so important for you to take security awareness training seriously. It is very important to work on the mindset of your team. They need to understand that cybersecurity is everybody's business, not just the security team's business. Everybody should be cyber-aware. Very important. That's why I mentioned you need to train your staff regularly around security, because there are different security threats coming up every day and your staff need to be aware. You can also have things around threat modeling and interactive security simulations. You can actually do security simulations where you mimic real-world scenarios to help people at it. So that would help you identify how you're going to respond to a threat. When it comes to security awareness and training, you can also conduct fun games, security games: security scenarios, quizzes, interactive games, challenges. And while your staff are having fun, they'll be learning things about security. Okay.
Just to make them have fun, and they will have that mindset within them that, okay, we need to actually be cyber secure, and they will actually be learning something. And with that, you are improving, you are empowering the security mindset. In conclusion, I just want to say that it is very possible for you to actually cultivate a security-conscious culture within your platform development team and protect your platform development team from modern threats, so that you can have a resilient cyber posture in your platform, in your organization. So you need to take this seriously. And if you weren't doing any of the things listed in this presentation before, please take out time; you can speak to a cybersecurity consultant about it. And I actually hope and believe that you have found this presentation useful. And yes, I count it a privilege to actually present in the Conf42 Platform Engineering 2024 program, and I'm sure that you've actually found this pretty useful. So I guess I'll catch up with you another time, and wherever you are in the world, I want to say, have an amazing time. Thank you very much for listening.
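The talk's third and fourth points, least-privilege access on a need-to-know basis and a log that records who accessed which resource and when, fit together in one small mechanism. The following is an added example written for this page, not code from the talk or from any product it mentions: a default-deny access check that appends every attempt (allowed or denied) to an audit trail, plus the two questions a post-incident reviewer asks of that trail, "who accessed this file during the incident window?" and "who kept getting denied?". All user names, the resource name and the timestamps are constructed for illustration.

```python
"""Added example (not from the talk): need-to-know access control with an
append-only audit trail and post-incident queries over it. Users, resources
and timestamps below are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    timestamp: datetime
    principal: str
    resource: str
    action: str
    allowed: bool


@dataclass
class AccessController:
    # resource -> principals explicitly granted (need-to-know); everyone else is denied
    grants: Dict[str, Set[str]] = field(default_factory=dict)
    # append-only audit trail: every attempt is recorded, denied ones included
    audit_log: List[AuditEvent] = field(default_factory=list)

    def grant(self, resource: str, principal: str) -> None:
        self.grants.setdefault(resource, set()).add(principal)

    def access(self, principal: str, resource: str, action: str = "read",
               at: Optional[datetime] = None) -> bool:
        """Default deny: allowed only if the principal was explicitly granted."""
        allowed = principal in self.grants.get(resource, set())
        self.audit_log.append(AuditEvent(
            timestamp=at or datetime.now(timezone.utc),
            principal=principal, resource=resource,
            action=action, allowed=allowed))
        return allowed

    def who_accessed(self, resource: str, since: Optional[datetime] = None,
                     until: Optional[datetime] = None) -> List[AuditEvent]:
        """Post-incident question: who actually touched this resource, and when?"""
        return [e for e in self.audit_log
                if e.resource == resource and e.allowed
                and (since is None or e.timestamp >= since)
                and (until is None or e.timestamp <= until)]

    def denied_attempts(self, principal: Optional[str] = None) -> List[AuditEvent]:
        """Denied attempts are the monitoring signal: repeated denials are worth raising."""
        return [e for e in self.audit_log
                if not e.allowed and (principal is None or e.principal == principal)]


def demo() -> AccessController:
    """Constructed scenario: one sensitive payroll file, one grantee, one bystander."""
    ac = AccessController()
    ac.grant("payroll.xlsx", "alice")  # alice has a need to know; bob does not
    t0 = datetime(2024, 9, 1, 9, 0, tzinfo=timezone.utc)
    ac.access("alice", "payroll.xlsx", at=t0)                                   # allowed
    ac.access("bob", "payroll.xlsx", at=t0.replace(hour=10))                    # denied
    ac.access("bob", "payroll.xlsx", at=t0.replace(hour=11))                    # denied again
    ac.access("alice", "payroll.xlsx", action="write", at=t0.replace(hour=12))  # allowed
    return ac


if __name__ == "__main__":
    ac = demo()
    for e in ac.who_accessed("payroll.xlsx"):
        print(f"{e.timestamp.isoformat()} {e.principal} {e.action}")
    print("denied attempts by bob:", len(ac.denied_attempts("bob")))
```

The design choice worth noting is that denials are logged, not just successes: a reviewer reconstructing an incident needs the allowed accesses, while the monitoring side the talk describes needs the repeated denials, and both come from the same trail.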

Victor Onyenagubom

Lecturer in Computing @ Teesside University
