Integrated Application Security Testing (IAST)
Executive Sponsor: Roland Cloutier, Chief Security Officer, ADP
Project Team: V.Jay LaRosa, Chris Olsen, Atanas Dimitrov, Craig Butler, Owen Buckingham, Joseph Kraft, Manmadh Kancharla, Devi Nekkanti, Raghunath Kunta, Nagasuman Veeranala, Ramakrishna Marella and Sumeet Lakhwani.
Location: Roseland, NJ
In order to support ADP’s continuing drive to increase the speed of our software development release cycles, we have integrated an automated application security testing technology into our quality assurance testing processes. This technology provides the following benefits:
- Provides continual analysis of application code running on Java or .NET
- Finds vulnerabilities in real time
- Gives development teams visibility into potential security issues as code is moved into the QA environment
- Allows for minor release testing to be performed without direct interaction with the security testing team
- Simple to install with little performance overhead
- Automated library monitoring and inventory for vulnerability management
Executive Sponsor: Ed Amoroso, Chief Security Officer, AT&T
Project Team: Dan Solero, Michelle Barry, Rodney Dilts and Anthony Ramos, Director.
Location: Bedminster, NJ
AT&T’s Astra project is an innovative, cloud-based platform to protect all internal applications within the AT&T cloud environment. The Astra ecosystem and framework enables virtual security services to be delivered effortlessly via APIs and automated intelligent provisioning, creating micro-perimeters around specific applications based on application-specific requirements. Using an Agile software development approach, the project integrated internally developed software with both open source and vendor solutions to create an extensible architecture, providing protection to AT&T’s enterprise network.
Advanced Threat Detection: Enabling the Workforce to Become the Human Sensor
Executive Sponsor: Jay Leek, Chief Information Security Officer, Blackstone
Project Team: Adam Fletcher, Adam Mattina, Mauricio Velazco, Alex Licursi, Padma Menon, Andriy Noble and Renee Pollack.
Location: New York, NY
No matter how many security tools we deploy, the firm is still at risk of compromise via business communication: email. So we empowered our workforce to become the human sensor to protect the firm.
Vendor Risk Management Program Transformation
Executive Sponsor: Tess Martillano, CIRO – Latin America & Global Head of Cross-Functional Risk, BNY Mellon
Project Team: Frank Roppelt, Shelly Kennedy, Christopher Medina, Myrna Alejo-Brusco, John Shea, Deborah Cavish, Yvette Egas, Ehren Dominguez, John Edwards, Mike Lyons, Albert Medina, Jose Morales, Javier Moreno, Edgar Rodriguez, Derek Rose, Adrielle Lim, Fernandes Borda and Graham Sneader.
Location: New York, NY
BNY Mellon embarked on a transformation project to deploy a best-in-the-industry Vendor Risk Management (VRM) program, delivering a seamless, transparent, repeatable, consistent, measurable and automated process to assess information security risk in new and existing vendor relationships, globally. The new VRM program targets information security of both direct and cascaded subcontractors, allowing for recognition and remediation of information security control gaps prior to onboarding. Using a collaborative approach, VRM changed how BNY Mellon manages vendor-related information security risk.
Citi Advanced Third Party Management (CitiATPM)
Executive Sponsor: Dan Tigar, Managing Director, Citigroup Architecture and Technology Engineering (CATE) CitiSecure Platform
Project Team: Bill Sztabnik and Bromin Menezes.
Location: Melville, NY
The CATE CitiSecure Platform sought an organized and consistent process for its work and approach to securely separating divested entities. The driver for this process was the need to support the corporate strategy for reducing non-core assets within Citi Holdings. The process needed to embody a repeatable framework to separate divested Information Technology (IT) assets and workers from Citi that would reduce Information Security (IS) risk to the company. The strength of the CitiATPM solution was demonstrated by obtaining a patent (USPTO # 8,782,770), and CitiATPM has gained recognition as an industry-leading solution that adds value to Citi’s Intellectual Property. The patent recognizes Citi’s maturity in the Third Party Management space and the expertise that CATE CitiSecure Third Party Access (TPA) Engineering provides in executing Citi’s IS initiatives for securely separating divested entities.
Comcast 360° Vendor Risk Assurance Program
Executive Sponsor: Myrna Soto, SVP, Chief Information Security Officer, Comcast Cable
Project Team: Myrna Soto, Ramesh Sepehrrad, Charles R. Hudson, Robert Irwin, Kallol Ray and Joseph Gallagher.
Location: Philadelphia, PA
Comcast 360° Vendor Risk Assurance Program, powered by the Bay Dynamics Risk Fabric Platform, is an innovative, scalable and robust program providing a single pane of glass for vendor risk management for Information and Infrastructure Security (IIS), National Governance, Risk and Compliance (GRC) Leadership and SOC teams. The program provides a holistic defense against targeted attacks that leverage a vendor as a threat vector. With this strategic assurance program in place, Comcast has increased its visibility and control across its vendor ecosystem. As a result of this program, Comcast has maximized organizational efficiencies, improved responsiveness, and measurably reduced vendor-related risk by actively engaging vendors with timely and actionable information.
New York Life Mobile Device Protection
Executive Sponsor: Richard Moore, Head of Information Security, New York Life
After years of limiting mobility to Blackberry smartphones, New York Life began its search for an agile mobile security solution that could protect both corporate and BYO iOS and Android devices. Atop the company’s wish list was a solution that would integrate with its existing MDM and scale to defend 35,000 mobile devices with proactive threat detection and automated remediation. New York Life also needed its new solution to have a minimal footprint on devices and run 24/7 without disrupting users by draining battery power, bandwidth and processing power, or by stopping mobile usage during an incident.
SAM (Security Access Management) and Automating the Next-Gen IAM
Executive Sponsor: Joe Adornetto, Executive Director, IT Security, Quest Diagnostics
Project Team: Dennis Walsh, Krishna Meruga, Cory Donovan, Phil Rubbo, Amit Patel, James Gover, Omar Radi and Robert Wilkinson.
Location: Lyndhurst, NJ
Security Access Management (SAM) is the root of a three-pronged strategy that automates end-user access, privileged access, and federated identity as part of our Next-Gen identity and access management structure. Prior to building out the solution, Quest Diagnostics had a diverse, autonomous access control structure that was neither efficient nor effective. One of the critical objectives for the development of SAM was unified access management across the enterprise, starting with a web portal that automates twice-a-year recertification for hundreds of applications, new-hire and transfer provisioning, and privileged access. This automation saves more than 20,000 manager and security administrator hours every 6 months over the prior manual recertification process alone. It also provides the business with an auditable platform that empowers users, supporting the concept of end-user ‘need to know’, while simultaneously protecting systems, devices and applications.