Transcript
This transcript was autogenerated.
Hello everyone.
Uh, this is Nhan nda, senior IEEE member and cloud
architect, talking about Building Unbreakable Systems:
Risk-Driven DevSecOps in Action.
So, the practical best practices.
Securing a distributed system is complex, but true resilience comes from
robust practices, not just tools.
Alright.
The evolving challenges of modern enterprise systems.
You know, the dynamic, interconnected, and rapidly evolving.
Coming to the complex systems, you know, the modern enterprise
systems are complex way above the cloud infrastructure, like, you know,
SaaS, APIs and third-party integrations,
forming a vast digital fabric.
Hidden vulnerabilities: you know, vulnerabilities lurk in
misconfigurations, identity sprawl and supply chain weaknesses, often
unseen by traditional security.
Proactive resilience.
You know, true resilience requires shifting from reactive firefighting to
proactive, foresightful security assurance.
Right.
Why traditional DevSecOps is not enough, right?
Limited scope: the pipeline-focused
DevSecOps leaves critical gaps, you know, across SaaS platforms,
identity and access management, and integration layers that exist
outside traditional CI/CD workflows.
Reactive push: security becomes a downstream checkpoint focused on
scanning and gating releases rather than an upstream design principle that
prevents issues before they manifest.
Scattered dispute: without centralized risk visibility, organizations struggle
to prioritize, uh, remediation efforts or understand the true security
posture across distributed systems.
We must expand DevSecOps beyond infrastructure and pipelines to
encompass the full ecosystem. The shift to risk-driven DevSecOps.
The first thing, identify critical assets.
You know, understand the key business value and the
potential impact of the failure.
The second, prioritize by impact, you know, allocate security
resources based on business impact.
Anchor decisions in risk.
Use risk to guide engineering priorities, automation and architecture.
You know, the risk-driven DevSecOps.
Build resilience by focusing efforts on protecting critical systems and data.
Seeing the wild risk landscape.
Map the ecosystem, not just the pipeline.
Okay, the cloud misconfigurations: storage buckets, network rules,
encryption settings and resource permissions across
multi-cloud environments.
Such third-party risk: external integrations, you know, API connections,
the vendor access and data sharing relationships. Identity surfaces: user
permissions, service accounts, OAuth grants and privilege escalation paths.
The data flows: cross-system dependencies,
the data movement patterns and integration touch points.
Comprehensive visibility across your entire technology ecosystem
is the foundation of resilience.
You cannot protect what you cannot see.
Continuous monitoring: compliance as a practice. Detect issues
before they become incidents.
Right.
Rule number one, establish baselines: define guardrails for common
failure points across cloud, SaaS, identity and API configurations.
The next thing, continuous policy checks audit.
Automated validation runs constantly, catching drift and violations
in real time rather than during periodic audits. Always-on feedback.
Treat compliance as a continuous feedback mechanism that informs engineering
decisions and improves system design.
Okay.
Alright.
What's the key insight?
The monitoring is not about deploying more tools, it's about establishing
disciplined continuous validations as a core operational practice.
Embedding resilience in CI/CD development.
Build systems that can bend without breaking.
Automate early checks.
Okay.
Integrate security validations directly into development workflows to
proactively identify and fix issues.
Dependency hygiene.
Ensure supply chain integrity by consistently auditing and
updating all third-party components.
Strengthen extensions.
Fortify the custom scripts and integration points with strict security standards
to eliminate common vulnerabilities.
You know, the pipelines become resilience engines when practices
enforce consistency and predictability across every deployment.
Access governance and audit as risk controls: reduce exposure
through good operational hygiene hub.
The role-based access control design, RBAC:
roles that map to real job
responsibilities, not generic templates.
Regular reviews:
ensure permissions remain aligned
with current duties and follow least-privilege principles. Conditional
access standards: implement contextual access policies as a default,
considering device health, location, risk signals, and user behavior,
not as special-case exceptions.
Reliable audit trails?
Yes.
Maintaining comprehensive tamper-evident logs that support both accountability
and organizational learning.
Audit data becomes a strategic asset for improving security posture.
Governance and identity disciplines are quiet superpowers in resilient systems.
Alright, but essential foundations for security at scale.
Connecting DevSecOps to your business risk: speak the language of impact, right?
Translate technical into business risks: frame vulnerabilities and
exposures in terms of potential business impact (revenue loss,
compliance violations, reputation damage), not just the technical T codes.
Align with enterprise frameworks.
Right.
Integrate DevSecOps with existing risk management frameworks,
the board reporting and strategic planning cycles. Show progress
through risk metrics: report using risk reduction metrics that resonate
with executive leadership: mean time to remediate the critical exposures,
attack surface reduction,
control effectiveness. Making systems hard to break.
Actionable resilience.
Resilience is built through practice, not tools.
Look beyond your code: quarterly SA security reviews.
FMA, enforce access.
Annual API Penetration Test what new pattern within two weeks
and focus on business impact.
Map technical issues to business impact.
Remediate critical risks within seven days.
Automate security steps.
Integrate S-C-A-T-S-C-A into CI/CD, halt critical flaws.
Policy as code for 98% compliance, configuration as code for
auto fixes within 24 hours.
Connect to company goals: monthly risk meetings,
leadership dashboards to show reduction, attack surface shrinkage.
Automating, measuring and collaborating.
Build resilient systems, aligning with business goals.
Thank you.
Thank you for engagement.
Um, we appreciate your time and attention.
This presentation aimed to provide valuable insights into
building design system through a risk-driven DevSecOps approach.
Building resilient systems by prioritizing business impact, automating security and
aligning efforts with company goals, build systems that are truly hard to break. This
strategy drives continuous improvement and a proactive security posture.
Uh, you're welcome to take any questions now.
We are now eager to hear your thoughts and questions and look
forward to stimulating discussions on making systems hard to break.