Cybersecurity in the financial sector with Python

Video in TIB AV-Portal: Cybersecurity in the financial sector with Python

Formal Metadata

Cybersecurity in the financial sector with Python
CC Attribution - NonCommercial - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Miguel Reguero / Rodrigo Núñez - Cybersecurity in the financial sector with Python. When people talk about cybersecurity they often think about ethical hacking and exploits, but that is only a fraction of what cybersecurity is about. Today we are going to talk about another aspect, one that is often deemed not too important.
Thank you, everyone, for coming.

We are maybe the number one financial entity in Mexico, and we have over 65 million customers in 35 different countries. More specifically, I work for the company that creates the security products for the group; you have probably seen a number of its products. And if you are looking for a job, contact us. OK, before we start.

To start: we have the company, spread around the world, and a big part of it is in the cloud, with different providers, and we have to make all that stuff secure. So security is not just exploits and firewalls; in fact that's just a small part of it, and our job is to take care of everything else. In a world of continuous integration and continuous delivery, the security guys are always behind, always slowing down the development teams, so we need new tools to make security faster: not talking once, but at every step of the development lifecycle. So we created new products.

This is Chimera. It goes into three different points of the development lifecycle. The first part, the security overview, is a complete overview of your security during every step of development. It provides additional security by applying for you every security check the project needs, and it is integrated with your pipelines. So you have your continuous integration pipeline, and at one point you call Chimera. Chimera checks your code, looks at everything from a security point of view, and then says either "OK, you can go" or "no, this is not good, fix it". For that it uses patterns: it checks the code from different points of view, and out of the box it tells you whether everything is OK and you can go ahead. It also integrates with an additional party to get a risk assessment of your project. Say you want to put your product into production; the application says, for your application you need a web application firewall, a reverse proxy, you have to change this configuration on one of your machines, all the things you would otherwise have to work out yourself.

Then you have your project, you have your development, and you want to go to production. That's the second point of Chimera, which is about operations. With the risk assessment we can check every step the project needs from a strategic point of view and do it for you. You need a web application firewall? OK, we deploy one with the configuration for the project, and you are good to go; you don't have to do anything, we did it for you. You have to change a configuration on the machines for your service? No problem, we connect to them and change every machine of your project for you, applying the security policies defined for the whole company, without you having to change everything by hand.

Then you have your security: not 100% security, but almost; you have every requirement needed. You are in production, but you may need additional security services: maybe you need authentication, authorization, cryptography, access rights, maybe additional security. That is the third point, which we call Cloud Security Foundation. It provides security services for you behind only one gateway, so you have to integrate only with that, and Chimera provides every service needed. Everything you need from us at this point is additional to your project, and even if we change one of the applications behind it, say we found a new authentication application that has better features, we can change it behind the gateway and you don't have to change a line of code. Chimera stands behind you and does the work for you; you have all the tools to properly manage your security. So that's what we do: work with every step of the development process.

But what happens next? With all this stuff about the cloud, continuous delivery and continuous integration, another situation arises where you might not know where your servers are. I mean not physically, because they are in the cloud, this magical place where everything works, but you have to know exactly what you have and where you have it, what's visible to the outside and what's not. Because if you don't, if there's a new vulnerability, you might not know what to fix; you might not know exactly what you have. So you have to keep a good inventory of all that stuff. Maybe you have a team of people whose purpose is to keep up with the news on vulnerabilities, maybe they manage the inventory of servers, but that's boring and very inefficient, so we created another tool.

The first issue we tackled with it was that, as a bank, we have many regulations imposed on us, very strict restrictions, so we set out to create security policies and to enforce them by spotting all the servers that don't comply with the norm. But following the set of rules and policies doesn't really mean that you are secure, because new vulnerabilities and other threats are being discovered all the time, and that's not going to stop any time soon. So you have to prioritise, because not all vulnerabilities are as critical: a server that is never open to the outside is not the same as one that is exploitable, and if you give me a list of 500 vulnerabilities I'll ask, what am I supposed to do with this? So that's where having a real-time inventory of your services comes in handy.

But keeping that for our infrastructure is not really easy, especially in our case, with many different data centers and many different providers. One approach is having a department of people whose job is to make sure that everything goes through them, the one that creates the machines and the one that updates them, but that responsibility means people don't have the freedom they need: I want to deploy something and I have to wait a week because someone has to configure the machine and such. So we created what we call an agent. It runs on every single machine, it reports its state, it keeps track of all the machines, and it reports the different vulnerabilities and problems that might appear in the future.

But you might be wondering: why are we telling you all this, why should you care? Well, the thing is, we made both of them with Python. Here's a small list of the technologies we use. We use a bit of Python 2.7, because we started a long time ago, but it's mostly Python 3.5 and Django. And mainly here, I use Python 3.5 for everything, with Tornado, MariaDB and a few other things. We don't have only these technologies, we have a lot of them. We also do Windows services, and it's a real pain to work with Windows.

And we have only these two applications today, but we have a lot more applications coming out, not only in Python but in a lot of languages. So this is just a little bit of everything we do. Thank you everyone for coming, and if you have any questions...
Congratulations on your presentation. Could you go back one slide in the deck? Yes, this one. What are you doing here? It seems like you are just collecting data; is there any reason you use, for example, a message queue like RabbitMQ and so on?

Yeah. Here we're talking about two things that are not really the same: nanomsg, which we use for internal communications, and the queue, which we use for another part, so they are just two different parts of the application, and nanomsg was much easier to use for this specific case than RabbitMQ.

I think one of the interesting challenges you have when you have a really big stack, especially in light of you providing security-relevant applications, is how do you make sure that what you're using is actually secure? Because with more dependencies the amount of potential vulnerabilities explodes exponentially.

So you're asking how we keep up to date? Well, basically we track all the time the vulnerabilities in our dependencies, and we search for the different options ourselves. Does that answer your question?

I come from the same place, and my question has to do with my own frustration with how hard it is, because sure, you can go to every website and check for news on security disclosures, but the problem I see in the Python ecosphere is that there's not really a service that does it for you. In the Node.js world there is actually stuff out there that scans your package requirements and tells you, OK, you've got a vulnerable version right there, so you basically have people that dedicate all their time to staying up to date. I was wondering whether you know any service like that.

That's actually what we do. What we have is precisely that: every new vulnerability we get from the vulnerability services, and if a new one comes out we know it, because that's precisely what the application does. And we also use it ourselves during development, so everybody uses it: when we deploy our applications, using the same process, we check the last version of every dependency and whether there's a vulnerability for it, and only when everything is OK is it deployed as a new version of the application. So we have almost everything under control, because we develop it from the bank, but we also use it for ourselves.

I was wondering, since you are focused on security, what patterns are you using internally to make sure that there's no funny stuff going on, like do you have a policy where you always have to use context managers, which handle resources? And how are you reviewing, if somebody in some future connects to a relevant queue or something like that, do you have some automatic procedure that checks all the resources were closed and that connections are managed?

Your question is whether we have internal guides and people who check them technically. Yes, we have internal guides.

So I imagine you have some internal guides, but the question is how do you enforce them? Do you have pull request reviews?

Nothing goes into production if it hasn't been checked by the people from development and from security inside the company.

OK, but could you talk a bit more about good practices, especially related to Python? For example, I mentioned context managers; context managers are a good idea, but not everyone uses context managers. So maybe you can do it yourselves and have a required reading; basically the question is what you use for code review.

OK. We have one side, we use a repository, then we have branches, and pull requests are reviewed by more than two people. But for security we have a lot of stuff for code review internally; the code is checked with Chimera and with additional tools for code review, so even after we pass the plugins for pull requests, we also check it with Chimera internally, using all the different models that check the code. And there's a part of it that we check manually with people; we still have the manual review, and we also use the technologies that we have on our hands.

Thanks. It's not a question, just a comment: there's a service that searches for vulnerabilities; it started for Groovy projects, but now it also supports Python. Thank you.

Does it also handle pushing builds, or incident response, things like that?

Incident response? It mainly focuses on the build iterations; it does not check for incident response at the moment.

OK, thank you. Any other questions? No? Thank you guys for the presentation.
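The dependency check the speakers describe in the Q&A (checking the pinned version of every dependency against known vulnerabilities before a new version is deployed) can be illustrated with the following Python script. This is an added example written for this page; it is not code from the talk and not part of the speakers' Chimera tool. The requirements file and the advisory entries are constructed: the package names (acme-auth, acme-web, acme-crypto, requests-like) and advisory identifiers (ADV-EXAMPLE-...) are fictional and do not refer to real packages or real vulnerabilities. Version handling is a deliberately simple dotted-number comparison rather than full PEP 440, and only `==` pins are treated as auditable.

```python
# Added example: offline audit of pinned Python requirements against an
# advisory list, in the spirit of the dependency check described in the talk.
# Package names, versions and advisory IDs below are constructed for the
# example and do not refer to real packages or real vulnerabilities.
import re
from typing import Dict, List, Tuple

# Constructed requirements file: two pinned packages, one unpinned, one with
# a non-canonical name (underscore, mixed case) to show name normalisation.
REQUIREMENTS = """\
# web stack
acme_Web==2.3.1
acme-auth==1.1.0   # pinned, but vulnerable in the advisory list below
acme-crypto>=3.0   # not pinned: cannot be audited without a lock file
requests-like==2.20.0
"""

# Constructed advisory feed: (advisory id, package, affected version spec).
ADVISORIES = [
    ("ADV-EXAMPLE-0001", "acme-auth", ">=1.0.0,<1.2.0"),
    ("ADV-EXAMPLE-0002", "acme-web", "<2.0.0"),
    ("ADV-EXAMPLE-0003", "requests-like", "<2.20.0"),
]


def normalize_name(name: str) -> str:
    """PEP 503 normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def version_key(version: str) -> Tuple[Tuple[int, ...], int]:
    """Sort key for simple dotted versions. Assumption: at most four numeric
    components; trailing letters such as 'rc1' mark a pre-release, which
    sorts before the final release with the same numbers."""
    parts: List[int] = []
    prerelease = 0
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            raise ValueError("unparsable version: %r" % version)
        parts.append(int(m.group(1)))
        if m.group(2):
            prerelease = 1
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]), 0 if prerelease else 1


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def spec_matches(version: str, spec: str) -> bool:
    """True if `version` satisfies every comma-separated clause in `spec`."""
    v = version_key(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([0-9A-Za-z.]+)\s*", clause)
        if not m:
            raise ValueError("unparsable specifier clause: %r" % clause)
        if not _OPS[m.group(1)](v, version_key(m.group(2))):
            return False
    return True


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return ({normalised name: pinned version}, [unpinned requirement lines]).
    Only '==' pins are auditable; comments and blank lines are skipped."""
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9A-Za-z.]+)", line)
        if m:
            pinned[normalize_name(m.group(1))] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(requirements: str, advisories) -> Tuple[List[Tuple[str, str, str]], List[str]]:
    """Match each pinned package against the advisory feed.
    Returns ([(package, version, advisory id)], [unpinned lines])."""
    pinned, unpinned = parse_requirements(requirements)
    findings = []
    for adv_id, package, affected in advisories:
        name = normalize_name(package)
        if name in pinned and spec_matches(pinned[name], affected):
            findings.append((name, pinned[name], adv_id))
    return findings, unpinned


if __name__ == "__main__":
    found, loose = audit(REQUIREMENTS, ADVISORIES)
    for pkg, ver, adv in found:
        print("VULNERABLE %s==%s: %s" % (pkg, ver, adv))
    for entry in loose:
        print("UNPINNED   %s: pin it (or audit a lock file) before release" % entry)
    # A CI gate would fail the build here when either list is non-empty.
```

Run as a script it prints one line per finding. The unpinned requirement is reported separately rather than silently passed, because a range such as `>=3.0` says nothing about which version will actually be installed, so it cannot be audited offline; in a release gate that case should block just like a known-vulnerable pin.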