Writing Exercise - July 2022 - Rev.1 DGB Reviewed
What is the most inventive or innovative thing you've done? It doesn't have to be something that's
patented. It could be a process change, product idea, a new metric or customer facing interface –
something that was your idea. It cannot be anything your current or previous employer would deem
confidential information. Please provide us with context to understand the invention/innovation. What
problem were you seeking to solve? Why was it important? What was the result? Why or how did it
make a difference and change things?
Writing Guidelines
1. Write in the style you would use to write a business whitepaper or essay and do not use bullet
points, graphics, tables, charts or flow charts.
2. Do not include any confidential or proprietary information from current/past employers.
3. Remember as you write that the reader may not be familiar with specific technical terminology,
corporate cultures, and scenarios. Use language and descriptions in your response that enable
readers to fully understand the situation.
4. Please limit your response to 1-2 pages (no more than 8000 characters).
Need to add a quote related to application security.
Scenario / Problem: A large financial enterprise's cyber security group had failed an internal audit (due to a lack of completed application assessments and coverage) and was also facing a regulatory compliance mandate, business risk from new mobile apps, and slow adoption of industry standards. The team struggled to complete application security assessments on critical and high-risk applications (only 75 apps had been covered in the previous two years), which required a process change and the implementation of additional security measures.
It was necessary to transform application security services, provide 300+ application security assessments in less than 8 months, create sustainable, scalable process improvements, and embrace new technologies.
I implemented two major strategies: first and foremost, examine each LOB (line of business) stream, its user experience, and its difficulties in more depth (the microscope approach); second, seek a wider picture of the services and patterns shown as a group (the telescope approach). This insight and analysis, together with a detailed ground-reality check on existing processes, key issues, application data review, customer expectations (internal, business, and regulatory), existing technical tools and solutions, and team capabilities, aided in the formulation of ideas and plans to address this wide range of needs in a short timeline.
A survey on application inventory and categorization was started to gather information on each application, such as LOB, technology / language, type of application (web: internet or intranet; legacy; third party), regulatory requirement, and whether the source code was accessible to the enterprise. Based on this, the updated number of apps requiring application security assessments was determined. As a result, we discovered that around 300 apps (critical and high) must be protected (35 percent internet facing, 40 percent intranet, and the remaining 25 percent legacy and regulatory need).
I identified security champions in each LOB and conducted an evaluation of application scope, customer priority, and expectations. Based on this, I submitted the final scope and timeline for application evaluation delivery to the company owner and gained his approval.
My concept worked as a game changer because of my previous expertise in dealing with a large number of applications, engaging with clients, technical depth, an automation attitude, and industry connections.
At a high level, all of the following were required: adoption of new tools, automation of existing tools, a shift-left approach, enabling a developer / self-service mode, augmenting head count for a limited time period (bringing in external vendor support), changes to the existing process (adoption of mandatory security controls and approvals by the LOB security champion), application security training, remediation support, and the creation of reusable certified components and libraries.
The vendor evaluation track, which included representatives from the BA and PM tracks, floated an RFP (requiring 16 hours of coverage, false positive analysis, and substantial tool expertise) in order to pick the bidder for speedier delivery of scanning and analyzing the source code. I gave the RFP presentation and clarified all questions. Five worldwide vendors submitted quotes, and the technical review was done with the core team as well as the cross-functional Procurement and Legal teams. We finalized the provider that could match our needs in terms of delivery, technical capabilities, and cost / pricing.
Additional RFPs were issued and processed quickly in order to complete the selection of the Mobile Security, Open Source Assessment, and Developer Training platforms. I took responsibility, evaluated with the teams, and made the choice based on previous implementation expertise and industry connections, onboarding three new technologies in a record-breaking three months.
The engineering team was at the core of this effort. The current tool had a problem with creating a significant number of false positives, its rule engine was out of date, and there were reporting issues. I had previously worked on minimizing the number of false positives, fine-tuning the rule engine, introducing security standards such as demanding adherence to the OWASP Top 10, and providing summary and detailed reports. The team took the suggestions, contacted the current tool vendor, and fine-tuned the rules to eliminate false positives. The engineering team performed a fast proof of concept to integrate the SCA tool with the code repository and Jenkins and to enable developers to run the code analyzer in self-service mode.
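The paragraph above describes two engineering changes that usually land together: triaged false positives are kept out of developers' way, and the source code analyzer runs inside the Jenkins pipeline in self-service mode. The script below is an added illustration of the gate a Jenkins stage could call after the analyzer has run; it is not the program's own tooling and does not correspond to any specific vendor's product. It assumes a SARIF-style JSON result file (the de facto interchange format for static-analysis results); the findings, the rule names and the suppression baseline are constructed here for the example.

```python
"""Pipeline gate for source code analyzer (SCA) results.

Added example, not the program's own tooling. Assumes SARIF-style JSON
(ruleId, level, message, locations). All sample data below is constructed.
"""
import hashlib
import json

# Severity ranking used by the threshold check (SARIF's three result levels).
LEVELS = {"note": 0, "warning": 1, "error": 2}


def _result_fingerprint(rule_id, uri, message):
    """Stable identity for a finding: rule, file and message text, but not the
    line number, so a triaged false positive stays suppressed when code moves."""
    raw = f"{rule_id}|{uri}|{message}".encode()
    return hashlib.sha256(raw).hexdigest()[:16]


def load_findings(sarif_text):
    """Flatten SARIF-style JSON into a list of simple finding dicts."""
    doc = json.loads(sarif_text)
    findings = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            uri = loc["artifactLocation"]["uri"]
            msg = res["message"]["text"]
            findings.append({
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),
                "uri": uri,
                "line": loc.get("region", {}).get("startLine"),
                "message": msg,
                "fingerprint": _result_fingerprint(res["ruleId"], uri, msg),
            })
    return findings


def evaluate(findings, baseline, fail_level="error"):
    """Apply the gate policy: drop findings whose fingerprint is in the reviewed
    baseline, then block the build if anything at or above fail_level remains."""
    threshold = LEVELS[fail_level]
    active = [f for f in findings if f["fingerprint"] not in baseline]
    blocking = [f for f in active if LEVELS.get(f["level"], 1) >= threshold]
    return {
        "total": len(findings),
        "suppressed": len(findings) - len(active),
        "blocking": len(blocking),
        "blocking_rules": sorted({f["rule"] for f in blocking}),
        "passed": not blocking,
    }


def _finding(rule, level, uri, line, text):
    """Build one SARIF-shaped result (helper for the constructed sample)."""
    return {"ruleId": rule, "level": level, "message": {"text": text},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": uri},
                "region": {"startLine": line}}}]}


# Constructed scanner output: two errors, one warning, one note.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _finding("sql-injection", "error", "src/db.py", 42,
             "Query built from untrusted input"),
    _finding("reflected-xss", "error", "src/views.py", 88,
             "Unescaped request parameter written to response"),
    _finding("weak-hash", "warning", "src/util.py", 10,
             "MD5 used for integrity check"),
    _finding("unused-import", "note", "src/util.py", 1,
             "Module imported but unused"),
]}]})

# Constructed baseline: the XSS hit was triaged as a false positive by the LOB
# security champion (the templating layer escapes the parameter), so it is
# recorded by fingerprint and no longer blocks developers' builds.
BASELINE = {_result_fingerprint("reflected-xss", "src/views.py",
                                "Unescaped request parameter written to response")}


def run_gate(sarif_text=SAMPLE_SARIF, baseline=BASELINE, fail_level="error"):
    """Parse results and evaluate them; returns the summary dict."""
    return evaluate(load_findings(sarif_text), baseline, fail_level)


if __name__ == "__main__":
    summary = run_gate()
    print(json.dumps(summary, indent=2))
    # Non-zero exit is what makes a Jenkins stage fail.
    raise SystemExit(0 if summary["passed"] else 1)
```

With the constructed data the gate suppresses the triaged XSS finding and still fails the build on the remaining SQL injection error; a Jenkins stage would run the analyzer, then call this script on its output and treat a non-zero exit as a failed stage. Keeping the baseline in version control next to the code, with the champion's approval as the review on that change, is what makes the suppression auditable rather than a silent tool setting.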
The technical team also integrated new technologies for Mobile Application Security and Open-Source Assessment. In the first year, the engineering team performed 40 mobile app evaluations and open-source reviews, allowing the delivery track to take on more assessment services.
The Application Delivery & Support track was a collaboration of in-house developers, analysts, and vendor personnel who performed admirably in terms of faster turnaround of application code assessment reports, walking developers through vulnerabilities, providing remediation tips, and adopting reusable components.
The developer enablement track trained LOB developers and users on the source code analyzer (SCA) tool so that they could scan their own code in self-service mode. Based on my previous experience, I know that the fundamental cause of vulnerabilities may be addressed by providing further training to developers and introducing a security mentality within the workplace. With this concept, a third-party training enablement platform was rolled out across the LOBs for over 2000 developers, and self-learning program modules were allocated with the help of security champions. I implemented this program in all significant worldwide locations, holding sessions alongside vendors, hosting a hackathon, and hosting an application security day with business and technology executives; this resulted in a strong security culture throughout the firm.
The Project Management track, which worked closely with all of the other tracks, handled process adjustments, progress reporting, problem tracking, and engagement with key stakeholders, LOB business owners, and security champions. This team was in charge of the acceptance and delivery of new services such as Mobile, Open-Source assessment, and the Developer Training platform (supported by the developer enablement track) across digital and business departments.
The Customer / LOB track engaged the company and senior management, delivered monthly updates, developed an online dashboard and reports, and offered visibility of the application evaluations, vulnerabilities remediated, and outstanding issues (with a plan to address them in future).
To recap and summarize, the program was a huge success: it scanned 300 applications in 7 months (ahead of time), and it fulfilled the internal audit and external regulatory deadlines for application evaluations (100 percent, with remediation at 80 percent). Process modifications for self-service, security controls, and approval by LOB security champions were implemented, as well as technological solutions for SCA automation, tools for Mobile and Open-Source security assessments, and a security training platform. The success factor for the transformation is 95%, and it will attain its full potential in 1-2 years.