Keynote Speaker
Alain Pannetrat – Senior Researcher at Cloud Security Alliance
Title: Measuring security for continuous assurance
Abstract: For some cloud customers in sensitive or highly regulated industries such as banking or healthcare, traditional security certification built on annual or bi-annual audits does not provide enough assurance to move to the cloud. To address the concerns of this segment of the industry, we need to move away from traditional “point-in-time” assurance models and enter the era of continuous assurance through continuous auditing. This introduces a paradigm shift in the models that are used to build assurance around information systems: instead of reasoning about security controls evaluated manually by auditors, we need to consider measuring security through automated means, based on regular testing and evidence collection. Here the notion of security metrics becomes a central foundation of assurance. While traditional security audits can rely on strong foundations such as ISO 27001 or NIST 800-53, no such foundation exists for continuous audit-based assurance. A whole new framework needs to be built, with both promising opportunities for information system security and broad challenges ahead.
Speaker – Alain Pannetrat: Alain is a senior researcher at Cloud Security Alliance (CSA), where he leads the development of continuous certification of cloud services. He supports CSA’s research contributions in national and EU-funded projects as well as in cross-industry European R&D initiatives. He is a security and privacy expert, specialized in cryptography, cloud computing and smart cards.
Before joining CSA, he worked as an IT Specialist for the CNIL, the French data protection authority, and was an active member of the Technology Subgroup of the Article 29 Working Party, which informed European policy on data protection. He started his career as an IT Security consultant specialized in bank card systems. He received a PhD in Computer Science after conducting research at Institut Eurecom on novel cryptographic protocols for IP multicast security.
Alain Pannetrat is also the founder of OMZLO, a business that designs and manufactures open-source embedded systems with a focus on the wired Internet of Things.
Industrial Session
The Industrial Session will bring together industry professionals, researchers and practitioners to present and discuss the most recent innovations, experiences and open challenges related to testing software and systems and measuring software quality.
Title: Automation, methodologies and techniques for continuous security assessment (Accenture)
Abstract: Security is a shared responsibility integrated from end to end. The talk will explore how security is integrated within the DevOps process, what the hidden difficulties of DevSecOps implementation are, and how automation technologies can help cover the gaps and establish a holistic continuous security assessment within the company.
Speaker – Pietro Petrella: Security Associate Manager at Accenture with a career spanning over 20 years in both technical (offensive and defensive) and management roles. Pietro Petrella is specialized in Vulnerability Management, Penetration Testing, Software Security, and Automotive systems. Alongside his industry experience, Pietro has given several talks as an invited speaker at many Italian universities.
Title: Security Testing methodologies for certified digital identity systems (Bit4ID)
Abstract: Security testing is an essential function of a modern ICT company, as it provides relevant benefits in terms of reduced maintenance costs, increased compliance (especially in light of the GDPR) and better market positioning. This is particularly true for a company that develops security-sensitive and security-centered applications such as digital identity management systems and digital signature components, and that is also an eIDAS Trust Service Provider. These many different products and services, used every day by millions of people around the world, require specific and tailored solutions for their security testing, as the one-size-fits-all approach does not cover and manage all the complexities and differences in a reasonable and efficient way. In this talk, we’ll discuss how an ISO 27001 certified company manages security testing in a competitive, dynamic and interconnected world, loyal to its founding principle that simplicity is the key to security.
Speaker – Paolo Campegiani, PhD: Senior project manager, in charge of all the research and innovation projects of the company. He is the Project Leader of ISO/TC307/TR23249 on “Overview of DLT systems for identity management” and is also a member of ISO CEN CENELEC JTC 19 on “Distributed Ledger and blockchain technologies”. He is the company representative in EEMA, INATBA (as a founder), GAIA-X (as a founder), ECSO, CifrisChain and Italia4Blockchain. He is frequently consulted by national and supranational organizations in the field of digital identity and blockchains.
Security Testing Session
The Security Testing Special Session will collect original research on methodologies and techniques for continuous security assessment, security monitoring, security review, penetration testing, verification of certification compliance and automation of security testing processes.