Beyond Code Security: How CSPM Can Help to Secure Your Cloud and Avoid Configuration Disasters

Presented at Disobey 2024, Feb. 16, 2024, 3 p.m. (30 minutes).

What if I told you that your code security is not enough? You need to ensure your deployment is secure as well! Developing Software-as-a-Service applications requires security both from a development perspective and from a deployment perspective.

Facts:

  • The Verizon 2023 Data Breach Investigations Report shows that misconfigurations have been a persistent cause of data breaches over the years and account for a fair chunk of confirmed breaches (verizon.com/dbir).
  • According to OWASP Top 10:2021, in 90% of the applications they examined, they found some form of misconfiguration.

This is where Cloud Security Posture Management (CSPM) solutions come into play. They work as a bridge between security, operations and development to ensure the code is deployed in a secure fashion, and they help organizations avoid breaches due to configuration errors. It doesn't matter if your code has zero vulnerabilities according to your sophisticated SAST/DAST/IAST scans, and if you've ensured your third-party libraries are all patched using your state-of-the-art SCA scans, if your cloud configuration allows unauthorized access to your object storage. In addition, underlying configuration mistakes can lead to disaster when an attacker chains their attacks and is able to escalate their privileges, move laterally or establish persistence.
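To make the "unauthorized access to your object storage" case concrete, here is a small posture check of the kind a CSPM tool runs continuously against deployed configuration. It is an added example written for this page, not code from the presenter or from any CSPM product. The two bucket policy documents and the public-access-block settings are constructed samples; they follow the shape of AWS S3 bucket policies and the `PublicAccessBlockConfiguration` keys, but the bucket name, account id and VPC id are made up. The check flags `Allow` statements that apply to any principal without a scoping `Condition`, and lists public-access-block settings that are not enabled.

```python
import json
from typing import Any

# Constructed sample: an IAM-style bucket policy that grants object reads to
# anyone. This is the misconfiguration a CSPM check should catch.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-bucket/*",
        }
    ],
})

# Constructed sample: the wildcard principal is scoped by a source-VPC
# condition and the second statement names a single account (made-up ids).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VpcOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}},
        },
        {
            "Sid": "AccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
})

# The four public-access-block settings; all should be enabled on a bucket
# that is not intentionally public.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def _as_list(value: Any) -> list:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal: Any) -> bool:
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def find_public_statements(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements open to any principal with no Condition.

    A Condition is treated as scoping the grant; a full CSPM engine would also
    evaluate whether the condition keys actually restrict who can call.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"Statement[{idx}]"))
    return findings


def public_access_block_gaps(config: dict[str, bool]) -> list[str]:
    """Return the public-access-block settings that are missing or disabled."""
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not config.get(key, False)]


def assess_bucket(name: str, policy_json: str, access_block: dict[str, bool]) -> list[str]:
    """Combine both checks into human-readable findings for one bucket."""
    findings = []
    for sid in find_public_statements(policy_json):
        findings.append(f"{name}: statement '{sid}' allows any principal without a condition")
    gaps = public_access_block_gaps(access_block)
    if gaps:
        findings.append(f"{name}: public access block not enabled for {', '.join(gaps)}")
    return findings


if __name__ == "__main__":
    for finding in assess_bucket("example-bucket", PUBLIC_READ_POLICY, {"BlockPublicAcls": True}):
        print(finding)
```

In a real deployment the policy and public-access-block documents would be fetched from the cloud provider's API for every bucket, and the findings routed to the owning team; the point of the check is that it runs against what is actually deployed, independently of how clean the application code and its dependencies are.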

Presenters:

  • Mikael Nilsson
    Mikael works as the Product Security Lead for Customer Intelligence R&D at SAS Institute Inc. His work involves close collaboration with various teams within SAS, including Product Management, Cloud Operations, Research & Development, Legal and the Privacy Office and obviously SAS customers. He has worked at SAS for 13 years, mostly in professional services as a technical architect in a global enablement role within the Customer Intelligence practice, but also as the Information Security Manager for the Nordics. In addition, he is a skilled trainer & presenter with over 15 years of presenting experience and has delivered numerous SAS bootcamps and workshops around the world. He is an ISO/IEC 27001 Lead Implementer (CIS LI) and a Certified Secure Software Lifecycle Professional (CSSLP). Outside of work he is a serious casual video gamer, likes Japanese cars & is known to sample different beers wherever he may roam.
