Okay, moving on, we have the first of two double acts today next up. So we're going to talk about the topic of using standards to secure the digital product life cycle, and it's great to welcome Altaz Valani and Rob Akershoek. Altaz is the Director of Insights Research at Security Compass, where he conducts ongoing research in the software security domain. Prior to joining Security Compass, he was a Senior Research Director and Executive Advisor at Info-Tech Research Group, providing trusted advice around application development, application rationalization, agile, cloud, mobile, and the SDLC. Other past positions include senior manager at KPMG and other positions working alongside senior stakeholders to drive business value through software development. Altaz is currently the Vice Chair of The Open Group Security Forum, a member of the SAFECode Technical Leadership Council, and also sits in industry working groups at IEEE, the Cloud Security Alliance, OASIS, and the OMG, where security, DevSecOps, and privacy challenges are being discussed with broad global impact. So welcome, Altaz. Joining Altaz is Rob Akershoek, IT Management Architect at DXC and co-chair of the IT4IT Forum within The Open Group. Rob helps IT organizations transform to become lean and agile service providers, ready to manage the new digital ecosystem consisting of a hybrid cloud and multi-vendor sourcing landscape. He is architecting the new IT organization, combining standards, practices, and concepts such as IT4IT, TOGAF, the Scaled Agile Framework, DevOps and continuous delivery, and security management with established IT service management methodologies such as ITIL. He assists IT organizations in their automation journey, covering the entire IT value chain, including portfolio management, the DevOps toolchain including CI/CD, test management, monitoring and event management, risk and security management, ITSM, CMDB, cloud orchestration, etc.
So we're in very good hands this morning to hear about using standards to secure the digital product lifecycle. Over to you, Altaz and Rob. Welcome.

Yes, Steve. Great. Thank you very much. If we could go to the next slide please, Rob. So thank you everybody very much for allowing Rob and me the opportunity to present today. We believe that there exists a gap in the industry today in bridging security and digital delivery, and the use of standards to achieve this integration represents a tremendous opportunity for The Open Group to influence and to make a difference in how we're able to help organizations balance this need for both speed of delivery and security. This will come up a number of times in our presentation today. Insofar as the presentation goes, there will be four parts. We will start by looking at the broader context; in particular, we will highlight the security and risk challenges in a digital ecosystem. Then we will turn our attention to describing practices in a secure digital operating model, and in this part of our presentation we will talk about this idea of a digital product backbone that natively incorporates security practices. What we will do is walk through a use case of the recent Log4j vulnerability to demonstrate how something like this can be useful. At the end of the presentation today we will describe a joint initiative that's taking place between the Security Forum and the IT4IT Forum to help create a security reference architecture, and at the end of this we'll open it up. If you've got any questions, please don't hesitate; Rob and I would be delighted to answer any questions that you might have. Next slide please. Now, when we examine current security practices, it's common to see something like this. Broadly speaking, we have preventive, detective, and responsive practices, and there's some kind of an overlay around development and operational activities.
The preventive controls are typically exercised at the earlier stages of software delivery, and we see a push towards the left of more and more security activities. During the development process we also engage in a number of security tests that help us to detect vulnerabilities prior to deployment, and the combination of these preventive and detective controls operates both on the development and the operational side. So at the bottom of the slide you will see we've even got infrastructure elements; we typically see infrastructure as code and a lot of "as code" activities today. Normally, when we look at DevOps, the delivery mechanism is done through these DevOps pipelines, and they're essentially an integrated set of technologies that enable us to automate much of the CI/CD pipeline. And finally, all the way to the right, we have these responsive practices, and these are typically executed based on some kind of stimulus that requires remediation from a security perspective. This really, overall, represents where we are today in a number of cases. Now, the challenge with this type of model is that it misses out on several other contexts. So, for example, how do we propose bridging the gap between security and delivery teams? We could slow development down, but that's not going to work. We could ignore security, and that's not going to work either. And so this brings us now to our next slide. If we could go to the next slide please, Rob. So really, when we look at security and digital delivery, there are multiple stakeholders that we need to consider. Here we've highlighted four groups, two at the executive level and two at the practitioner level, and we've highlighted some examples of where these groups might fit in and what some of the common roles are that we see. So we're going to drill down a little bit deeper now and show you the model that we've developed within Security Compass, which we're open to sharing. Next slide please.
So within our own efforts we've probed further, and this is what the security executive persona looks like. We found that they are focused largely on formulating the right controls in order to reduce risk to the organization in an auditable way. You'll notice that their focus is on a higher level of abstraction here, so the intent is to come up with something that allows risk mitigation organizationally. If you go to the next slide please. When we look at our security practitioners, the focus for the security practitioner is largely on identifying threats and attackers, and the intent is to try and look for ways to engineer mitigations against these threats, ultimately thwarting any kind of effort by malicious actors. But you'll notice that there are a number of different concepts that converge when we talk about a security practitioner, and the intent here is, if you look at what they're finding important in terms of their day-to-day activities, they're looking for evidence, root cause analysis, a number of these things. Next slide please. And then when we now take a look at the tech executive: the tech executives are typically our CIOs or CTOs. They're focused largely on processes, runbooks, infrastructure, the ability to construct an auditable way to ensure that when we have to report back to the business from a security perspective, our infrastructure and our technologies are in fact secure, and we provide assurance from that perspective. Next slide please. And finally, when we get to the tech practitioner: the tech practitioners are where we see a lot of our DevOps engineers, and their focus is on code, on deployment of software, looking at the infrastructure, and ultimately trying to figure out what is the best way for us to go in and insert security as we go through our delivery pipelines.
And this is what we're going to talk about: where the convergence of these two is occurring, but there isn't a simple way to go in there in terms of an architecture or a framework that will enable this to happen. At this point I'd like to hand it over to you, Rob, to explain in a little more detail, now that we've got an overview of where the challenges sit, where we go from here. So over to you.

Yeah, so as the next step I would like to take you through a short journey of what we see as the initial draft ideas about the security reference architecture. As you probably also know, many organizations are currently changing their digital operating model. They look at how to deliver value, generate flow, automate, and streamline activities. Here you see an example of looking at the end-to-end value streams, and in IT we have multiple value streams, but one of the key ones of course is how we deliver from an idea to getting something into production, for example. What you see is that we have different practices that people are starting to use nowadays, like TOGAF for enterprise architecture, agile frameworks for development, like SAFe from a scaled agile perspective, agile development, DevOps, site reliability engineering, and we still use ITIL for a lot of service management practices, all about continuous planning, continuous delivery, continuous operations, and continuous improvement, and leveraging IT4IT, for example, to basically fuel your digital operating model. But the challenge that we see now is how we can incorporate security and risk management practices into these primary delivery models. And you see there's a whole range of security practices out there. It's a very fragmented and isolated process landscape, as well as a tooling landscape, by the way. We have risk management practices, security management practices like testing, like OWASP. There are many regulatory frameworks for controls, like COBIT and ISO 27000.
There are now initiatives for zero trust. There is NIST as a good example for cybersecurity and incident management. And the challenge that we see nowadays is that there are so many controls and policy frameworks we need to implement. There are many different security and risk management practices, but now our goal with the security reference architecture is how we can incorporate all these best practices and codify them into an end-to-end digital delivery model. And that's why I would like to give an example of how that would work in an end-to-end delivery model. Here you see an example of what my digital supply chain looks like from an end-to-end perspective, and this is basically how organizations are currently looking at their digital delivery model. They have portfolio backlog management, their source code, development, testing tools, change management, monitoring, and security somehow needs to fit in. I would like to show you how the security management capabilities and model fit into this overall model. It seems, by the way, that we have an old slide pack here, so maybe what I can do is share my own desktop so we have the latest version, if that is okay. Can I do that easily, to share my own screen?

Yes, of course, Rob, go ahead.

Yeah, thank you. Just let me know if you can see my screen again. Okay. You see here the digital supply chain. Yeah?

That's good.

Okay, thank you. So basically, what I was saying, we have a digital supply chain. You see here some of the key building blocks, if you will, based on IT4IT, that you need to run a digital organization. Now let's take an example of how security practices and components are embedded into your digital delivery model. Let's assume we would like to introduce a new product or service; it could be a new business opportunity to improve our customer journeys, or maybe we need to replace or consolidate something, but let's assume we're going to create a new digital product.
A key element in a digital life cycle is that we have a single registry of all our digital products. In the past we called this an application portfolio, maybe, but now it is a digital product portfolio, tightly linked to our enterprise architecture capability. So we can identify this new digital product: who owns this product, where is it linked to in our business process model, what data is managed there. And of course there is a moment in time when we're going to mobilize a new team, a product team and a product owner, that is going to build this new product in incremental ways; it could be an MVP first. Here you see that we create the backlog in a product team backlog. We have the CI/CD pipeline that needs to be set up. There are requirements and design still generated, and this is one of the first steps to mobilize this team, leveraging continuous delivery tools, for example, to populate that. Now, one of the first security and risk components that we need to address is risk management. Many organizations have not really implemented a good risk management capability. They do risk assessments in Excel, but it's not always tightly linked, as in this example, to your portfolio of digital products and your architecture. So what we need is a solid risk management capability where we can address things like a security impact assessment, privacy impact assessment, and vendor risk impact assessment against my product, and link that to how this product enables my business process, what data, what my user community is, what technology components I use. Out of that we need to generate what kind of security controls and privacy requirements are needed for this specific product. We need to generate them once for the life cycle of a product, but you continuously evaluate that, of course.
One of the key challenges that we face is that there's often no real traceability about these non-functional requirements, like security requirements, for example, or data privacy requirements. When we now identify that this application has data privacy issues, we need to make sure that the team backlog, because all the product teams work from their backlog, has security and risk stories logged in the product backlog, so that we can track and trace that they have been designed, have been tested, and whether the application or product is compliant, as an example. And then we start to continuously develop that; this is more like the continuous integration flow, as you can see here, and you see some new security components that we need to address in this reference architecture, for example code quality scanning. How do we scan against our code quality policies? Those could be secure coding standards that we apply, and they are tested and validated by our code quality scanning tools. Of course there are security testing capabilities, like static security testing, dynamic penetration testing, and vulnerability scanning, and a key element in a digital pipeline is our build repository. It's basically where all the formal builds are stored and certified, and typically we have something which is called a software component analysis tool that validates the builds, for example for license compliance, and maybe for known vulnerabilities of components that are part of this build, because a lot of third-party libraries are part of your software build. So here we're trying to secure the CI/CD pipeline and integrate into the overall product and team backlog, the test management, and the security-related aspects. And of course, when we move into that space of continuous delivery, where we continuously deploy something to a test environment, acceptance, and production, then we need to integrate our deployment capabilities with our build repositories.
Then additional security capabilities come into place as part of that deployment value stream, like secrets management: where do we store our credentials and certificates? How do we ensure that maybe the pipeline or deployment tools get privileged access to deploy our server components, linked into identity and access management, as an example? We have basically the whole cycle of development, test, and check, and change management controls. When something is deployed into an operational environment, whether it's test or production, hopefully we can automatically update the CMDB so that we know what has been deployed where, and maybe also validate that through discovery. Then you see some additional security components that we need to implement, like security monitoring, which could be log analytics, vulnerability scanning, and configuration compliance, validating whether the configuration that we deploy is compliant with our policies and stays compliant, and endpoint protection, as an example of components, and there are many more. And as you can see, after that, of course, when we detect issues, then typically we have a security management component with threat analytics and response. That could be automation, part of that, for automated remediation, like security runbooks that are automated, and of course if we cannot fix it directly we need to raise an incident: a security incident response plan, a security incident management capability. As you can see, you build up a kind of framework of the IT delivery model with the IT4IT capabilities, and what kind of security-related capabilities and components you need. We're still working on that with the team to create a security reference architecture, but this is more like a high-level illustration.
The key element of our reference model will also be the data model, because data is a key part of our digital delivery, and a key element there is the digital product backbone. Do we have a good understanding of what digital products we have, like a portfolio of products, who owns those products, what teams are involved, but also how this enables my business value streams and my customer journeys, what data this application or product consumes or uses, what interfaces we have, what technology services are used? So basically it's our software bill of materials we're talking about here, and that reference model is needed for the right risk assessment, understanding the design, and compliance. A lot of organizations don't have a single digital product portfolio management capability, where we say there's a single place where all the digital products are maintained with the product ownership, and it's very crucial for managing this new digital economy, because we need to understand the teams, which pipeline we use, where the product backlog is for each of these products, so we can continuously provide traceability and automation there. So that's a key element. I will not zoom into that in much detail at this moment, but let's take an example of Log4j to illustrate a bit this kind of draft security reference architecture. Now, you have probably heard about Log4j as a vulnerability that was identified. I will use this as an example for some of these capabilities.
You've probably heard about it because it's been one of the most significant security vulnerabilities identified in the last months, and thousands, or rather hundreds of thousands, of applications are affected, with hundreds of thousands of servers where this vulnerability was identified. Once this was running on a server that is exposed, with, let's say, a Java application running on it, this vulnerability gave hackers the ability to insert malicious code and take over, executing code on the servers where this application is running. So that's a critical issue here. Now let's see how organizations are currently thinking about how to resolve these kinds of issues. Basically, it's the whole value stream from a vulnerability being detected to resolution. Now, typically, how are these vulnerabilities identified? You see that on the right side. The good thing is that we have public vulnerability databases in the market, where all these vulnerabilities are identified, and typically our monitoring tools, like a vulnerability scanner or endpoint protection tools, are connected to these vulnerability databases and they get fed immediately: there is a new vulnerability, let's say Log4j in this case. Where do I see this component running in my infrastructure? So this is a very reactive way, of course, but still it's very essential, because now we identify a vulnerability not known before, and we detect it. So then all the alarm bells will go off, there are security threats and alarms, but then the key challenge will appear, and that is which applications or products and product teams need to fix this, because I may have thousands of servers, and some organizations really have tens of thousands of servers where this problem is identified.
But let's say we have about 1,000 servers identified where this Log4j is running, and I can assure you there are many applications that have this. Then we need to identify, from a server, which product team manages it, what application is running there, which product team and product owner I need to notify, because the only ones that can fix it are the product team: they need to rebuild and deploy that fix into the environment. That's our key challenge: having that single product portfolio, understanding the resources, the IT resources, the software bill of materials used by this product, and where the team is that is accountable for this specific product. And that's basically where we need the feedback loop: we identify something, we identify the product, we know the product teams, we send it to the product backlogs, think about Jira or Azure DevOps, they create the stories in the backlog and immediately start working on this to fix it. They will download the latest version of Log4j, for example, and start to build and integrate it. That could be done in a short period of time, and then we have our checks here from a security perspective, in this case our build repository that I mentioned before: it is scanned and says, yes, it's now fixed, this component is not vulnerable anymore, typically through component scanning and testing. Then, based on the green light, I can start to deploy the patch into operations, into the different environments, done by the different teams, by the way, and then we can hopefully resolve this vulnerability for this specific application, and then for the other applications as well. This is really a race against time, and the challenge that many organizations have is that this is not a fluid end-to-end value stream. We have a lot of components in place in many organizations, which could be vulnerability monitoring, the security management system, Jira and Azure DevOps backlogs, deployment tools, but what's
missing is this end-to-end glue of how this should be organized. So many organizations now realize that this end-to-end value stream from vulnerability to remediation is not optimal. They don't have a good reference architecture to look at the data flows and integrations needed; they miss a good product portfolio where we identify what the products are and what resources are used by each product. So this is one of the issues that I identified: they realize they need to work on a security improvement of their security management framework, and that is what we are aiming for, to provide an infrastructure for streamlining and automating these kinds of end-to-end security value streams as part of our digital operating model. And with that I hand over to Altaz again.

Many thanks, Rob. So we started off in the presentation talking about what the use cases are, what the personas are, how we look to integrate and move away from the siloed ways that we're operating right now, and then Rob has taken us through how we might integrate the various components from a digital delivery standpoint. Now, when we look at an actual reference architecture, when we dig deeper, we find that from a security context, even when we take a look at vulnerabilities, there are many systems that may contain vulnerability information. It could be, for example, in a threat library somewhere; it may be in a GRC or a SIEM somewhere else. When we consider where we have our threats and weaknesses, they could be in some kind of GRC tool, or it might be tacit knowledge, or it may exist in emails. Herein lies the problem: we are trying to deliver fast and we're trying to deliver securely, but the way that we have our systems set up right now is that they're not fully integrated, hence the need for a reference architecture that will bring these systems together and allow for bi-directional integration across these systems. And not just that, but if you take a look, for example, at a vulnerability and
eventually that vulnerability needs to be addressed, and you will end up with a control. How do we translate from a vulnerability to a control? It requires understanding the underlying data model of these aspects and bringing all of these things together, so that we are now able to move them in an atomic way across these pipelines. So we still have various folks in security and the digital delivery pipelines addressing their primary problems around delivery or security, but we have the underlying backbone that brings all of this together, based on what Rob was talking about earlier. So this becomes a manifestation now of how we could go in and deliver in a way that provides some level of assurance back to business stakeholders that we have in fact addressed security. Next slide please. So this slide represents what we are planning to do from a security reference architecture perspective. First of all, the way that we are approaching this is to align with existing standards and practices, so for example IT4IT, SAFe, which Rob had mentioned earlier, ITIL, NIST. There's some good work that's been done, so we don't want to take away from those efforts; we want to build on those efforts. We also want to go in with the mindset that security is an enabler for the business, for delivery, for value creation. Historically, security has been perceived as being a blocker, and so workarounds are being created. We want to change that, and we want to begin to look at a reference architecture that is focused primarily on business value creation. The way that we are planning to do this is by using use cases and scenarios. So at the beginning of the presentation today we talked about four different personas, and there are others in the legal domain and in the compliance domain, but understanding what their problem space looks like helps to drive out three things in particular. The first is a capability model. This capability model will enable us now to go and bring this out in a
way that maps these capabilities to value creation. Secondly, we want to go in and take a look at a data and information model: how do these things integrate, how do we translate from one piece of data to another piece of data, really looking at it from a risk and security perspective and looking at the relationships. And the third is looking at a security services reference model. So when we consider security, we are looking at a services-based paradigm where we have tools, we have an architecture, where the required integrations are coming together to help us achieve what we're looking for. Now, as we go forward with this, we will certainly align with other emerging frameworks and other standards, and our next step is really putting a small group of people together. We have this now, we are creating this, and then we will open it up and allow folks to provide some additional feedback on how we're proceeding with this. Just round-tripping this back again to how we opened the presentation today: to the best of our understanding, this doesn't really exist today in the industry, trying to come up with this kind of security reference architecture, and so it provides a great opportunity for The Open Group to take this out now. With that, I'll ask for the next slide, and I believe we're in the Q&A portion at this point, so we welcome any questions that we have. Thank you.

Thank you very much.
Great stuff, really great stuff, and for me personally it's great to see an initiative between two different forums of The Open Group. I think initiatives across forums are going to be a key part of putting together the digital framework that we need across The Open Group, so thank you very much for that; it's great to see. And just a quick point for those watching, particularly relevant for the panel later: if you want to see both Rob and Altaz at the same time on the screen, if you click the layout button that's on your screen and go to Grid, hopefully you'll be able to see that, but we'll see; that may not work until the slides are removed from that. So let's go to the questions. You talked about the personas at the beginning, so if I can aim this one at you first, Altaz: the question is related to the persona slides. Is there any persona security context for business execs and business practitioners?

Yes, absolutely. So when we look at business stakeholders, in the very first slide that we put up, which described how we are doing security today, in many cases the business context, the business personas, are missing. And really, when we look at their perspective, it is typically focused on risk management, it is focused on compliance, it is focused on value delivery. That is a very important use case in terms of the persona that we need to inject into the security models. For far too long, security has been perceived as a technical activity; in fact it is much broader than that. So when we consider the use cases, we absolutely intend to inject into that the persona of the business stakeholder, along with what their concerns are around revenue generation, cost management, things like that as well.

And maybe to highlight as well, Steve and Altaz, it's not just security in the smallest sense; it's also the risk and compliance aspects for any digital product. Even, like we talked about in the other presentation about sustainability, there could be that our business defines some
sustainability goals as well, and they need to be part of the delivery of digital services. So it's about compliance policies, not regulatory; it's very broad, but anything that we need from almost like a non-functional perspective needs to be embedded in your digital delivery model as part of this. So we still have to find a good name; security and risk management together are what we're talking about.

Absolutely, absolutely.

So, a little bit unfair probably at this stage, because I heard you, Altaz, you've got a group of smart people together, and the security reference architecture looks like a great development. Any idea on when you expect to see the first version? We're on the hook for...

I hear you, I hear you. So we are really striving to have a draft up this quarter. Don't hold us to that, but this is what our intent is. We believe that this is an urgent need in the industry right now, and it behooves us to move very, very quickly to try and get something up. And again, this will not be done in isolation. The group that is currently creating a draft will then open it up, and others can come in and basically provide additional opportunities. So people in the IT4IT Forum and others can come in and have a look at it as well and provide your comments and your thoughts on this. So far, in the discussions that I've had, even with other communities outside of The Open Group, this is a top priority. Bringing together standards so that we've got these inbuilt best practices to help us develop a security reference architecture is in fact the right way to move forward. What's happening right now, because of this gap that exists, is that there are these bespoke approaches appearing in organizations, but it really needs thought around a standards-based approach that helps us ultimately provide the assurance that is going to be necessary back upwards to the business; otherwise it will become opinionated, and that brings the objectivity of security down. So hence that's another sort of area of what's impacting the work that
we're doing.

It's great to hear that that's the approach, because that's the approach we always prefer at The Open Group: to use what's there and work on filling in the gaps or bringing them together, kind of a standard of standards approach. So very much looking forward to that, and of course I won't hold you to it, Altaz, of course not. So we do have a couple more questions coming in; I'm going to save them for the panel session where we have a bit more time. I want to be respectful of people's break time. Meanwhile, gentlemen, Altaz, Rob, thank you both very much, and if you haven't seen them, there were some nice compliments on your presentation coming in in the chat. So thank you very much; it's been an honor.

Thank you, see you later on the panel.