+
+
+ 📚 Mapping Presentation Topics to ISMS-PUBLIC Security Policies
+ Demonstrating Security Through Transparency
+
+ 
+ 📄 Document Type: Reference Guide | + 🏢 Scope: Presentations & Technical Talks | + 👥 Audience: Public +
+ +--- + +## 📋 Purpose + +This reference guide provides a comprehensive mapping between the security and compliance topics discussed in Hack23's presentations and the corresponding policies in our [ISMS-PUBLIC repository](https://github.com/Hack23/ISMS-PUBLIC). This demonstrates our commitment to transparency by providing verifiable documentation for all security claims and practices discussed in public forums. + +> *"At Hack23, we believe that security through transparency builds trust. Every security practice we discuss in presentations is backed by documented policies that anyone can review and verify."* +> +> — **James Pether Sörling**, CEO & Founder, Hack23 AB + +--- + +## 🎯 How to Use This Guide + +1. **For Presentation Attendees**: Find the talk you attended and explore the referenced ISMS policies to verify claims and learn more about our security practices +2. **For Security Professionals**: Use this as a template for mapping your own presentations to documented policies +3. **For Compliance Teams**: Reference this guide to understand how presentation materials align with formal security documentation + +--- + +## 🎤 Secure Development Pipeline Talk + +**Presentation:** SecureDevelopmentPipeline20190919 (PowerPoint/OpenDocument) +**Event:** Javaforum Göteborg +**Video:** [YouTube](https://www.youtube.com/watch?v=A_hq2Y03d6I) +**Podcast:** [Shift Left Like A Boss](https://www.youtube.com/watch?v=aYwSd1Wu28Q&ab_channel=Soluble/) + +### Topic-to-Policy Mapping + +| Presentation Topic | +ISMS-PUBLIC Policy | +Key Sections | +
|---|---|---|
| 🔐 DevSecOps Integration Shifting security left in the development pipeline |
+ Secure Development Policy | +
+ • DevSecOps Principles + • Security in CI/CD Pipelines + • Automated Security Testing + |
+
| 🔍 Static Application Security Testing (SAST) SonarQube integration and code quality gates |
+ Secure Development Policy | +
+ • SAST Requirements + • Code Quality Standards + • Security Metrics + |
+
| ⚡ Dynamic Application Security Testing (DAST) OWASP ZAP and runtime vulnerability scanning |
+ Secure Development Policy | +
+ • DAST Requirements + • Penetration Testing + • Runtime Security Validation + |
+
| 📦 Software Composition Analysis (SCA) Dependency vulnerability scanning and license compliance |
+
+ Secure Development Policy + Open Source Policy + |
+
+ • SCA Requirements + • Dependency Management + • SBOM Generation + • License Compliance + |
+
| 🔄 CI/CD Security Pipeline Automated security testing in Jenkins/GitHub Actions |
+
+ Secure Development Policy + Change Management Procedure + |
+
+ • Pipeline Security Controls + • Automated Testing Requirements + • Deployment Security + |
+
| 🛡️ Compliance Automation Automated compliance validation and reporting |
+
+ Information Security Policy + Secure Development Policy + |
+
+ • Compliance Frameworks + • Automated Evidence Collection + • Continuous Compliance + |
+
| 🚨 Vulnerability Management CVE tracking, patching, and remediation |
+ Vulnerability Management Procedure | +
+ • Vulnerability Identification + • Risk Assessment + • Remediation Timelines + |
+
| ☁️ CloudFormation Security Infrastructure as Code security scanning (cfn_nag) |
+
+ Secure Development Policy + Cloud Security Policy + |
+
+ • IaC Security Requirements + • Cloud Resource Security + • Configuration Management + |
+
| Documentation Topic | +ISMS-PUBLIC Policy | +Key Sections | +
|---|---|---|
| 📋 Software Component Verification (SCVS) OWASP standards for component verification |
+ Open Source Policy | +
+ • Component Inventory + • SBOM Requirements + • Supply Chain Security + |
+
| 🔍 License Compliance Tools Maven plugins, SonarQube, FOSSA, BlackDuck |
+
+ Open Source Policy + Secure Development Policy + |
+
+ • License Scanning Requirements + • Approved License List + • Tool Requirements + |
+
| 📦 SBOM Generation CycloneDX and SPDX formats |
+ Open Source Policy | +
+ • SBOM Standards + • Distribution Requirements + • Update Frequency + |
+
| 🤝 OpenChain Compliance Industry standard for open source compliance |
+
+ Open Source Policy + Third Party Management + |
+
+ • Compliance Framework + • Process Requirements + • Training & Awareness + |
+
| ⚖️ License Compatibility Managing conflicting licenses and dependencies |
+ Open Source Policy | +
+ • License Compatibility Matrix + • Conflict Resolution + • Approval Workflow + |
+
| Documentation Topic | +ISMS-PUBLIC Policy | +Key Sections | +
|---|---|---|
| 🚨 Threat Intelligence ENISA threat landscape and MITRE ATT&CK |
+
+ Information Security Policy + Incident Response Plan + |
+
+ • Threat Monitoring + • Threat Intelligence Sources + • Risk Assessment + |
+
| ⚠️ Common Weaknesses (CWE) MITRE CWE and SANS Top 25 vulnerabilities |
+
+ Secure Development Policy + Vulnerability Management Procedure + |
+
+ • Secure Coding Standards + • Common Weakness Prevention + • Code Review Requirements + |
+
| 🔍 CVE Management NVD vulnerability tracking and CVSS scoring |
+ Vulnerability Management Procedure | +
+ • CVE Tracking Process + • Risk Scoring (CVSS) + • Remediation Timelines + |
+
| 📊 NIST 800-53 Controls Control families and implementation guidance |
+
+ Information Security Policy + Access Control Policy + Network Security Policy + |
+
+ • Control Implementation + • Compliance Mapping + • Continuous Monitoring + |
+
| 🔐 ISO 27001 Compliance Annex A controls and implementation |
+
+ Information Security Policy + All ISMS-PUBLIC Policies + |
+
+ • ISO 27001:2022 Alignment + • Annex A Control Mapping + • ISMS Documentation + |
+
| Category | +Documents | +
|---|---|
| 🔐 Core Policies | +
+ Information Security Policy + Acceptable Use Policy + Data Classification Framework + |
+
| 🛠️ Development & Operations | +
+ Secure Development Policy + Open Source Policy + Change Management Procedure + Vulnerability Management Procedure + |
+
| 🔑 Access & Identity | +
+ Access Control Policy + Password Policy + Multi-Factor Authentication Policy + |
+
| ☁️ Cloud & Infrastructure | +
+ Cloud Security Policy + Network Security Policy + Backup and Recovery Policy + |
+
| 🚨 Incident & Business Continuity | +
+ Incident Response Plan + Business Continuity Plan + Disaster Recovery Plan + |
+
| 🤝 Third-Party & Compliance | +
+ Third Party Management + Data Protection Policy (GDPR) + Privacy Policy + |
+
| Benefit | +Description | +Stakeholder Value | +
|---|---|---|
| ✅ Verifiable Claims | +All security practices discussed are backed by documented policies | +Attendees can independently verify our security approach | +
| 🏆 Competitive Advantage | +Public ISMS demonstrates security maturity | +Differentiation in client proposals and procurement | +
| 🤝 Trust Building | +Transparency reduces information asymmetry | +Enhanced credibility with clients and partners | +
| 📚 Educational Value | +Others can learn from our documented approach | +Community contribution and thought leadership | +
| ⚡ Audit Readiness | +Pre-documented policies accelerate audits | +Reduced audit preparation time and cost | +
| 🔄 Continuous Improvement | +Public accountability drives policy refinement | +Higher quality security program | +
| Approved By | +James Pether Sörling, CEO, Hack23 AB | +
| Distribution | +Public - Conference Attendees, Clients, Partners, Security Community | +
| Classification | + |
+
| Effective Date | +2025-01-10 (UTC) | +
| Next Review | +2026-01-10 (Annual Review) | +
+ 
+ 
+ 
+Security Through Transparency
+Hack23 AB | Org.nr 559534-7807 | Sweden
+ +
+ 
---
@@ -15,6 +16,7 @@ This repository contains resources and talks by James Pether Sörling, focusing
## 📋 Contents
+- [Referenced ISMS Policies](#-referenced-isms-policies)
- [Secure Development Pipeline Talk](#secure-development-pipeline-talk)
- [License Tools for Java Projects](#license-tools-for-java-projects)
- [Security Testing Tools](#security-testing-tools)
@@ -24,6 +26,55 @@ This repository contains resources and talks by James Pether Sörling, focusing
---
+## 🔐 Referenced ISMS Policies
+
+All security practices and compliance approaches discussed in these presentations are backed by Hack23 AB's publicly available Information Security Management System (ISMS). This demonstrates our commitment to security-through-transparency.
+
+
+
+| Policy Area | +Document | +Description | +
|---|---|---|
| 🔐 Information Security | +Information Security Policy | +Foundation of our security management system, defining security principles and governance structure | +
| 🛠️ Secure Development | +Secure Development Policy | +DevSecOps practices, CI/CD security, SAST/DAST/SCA requirements, and compliance automation | +
| 📜 Open Source Compliance | +Open Source Policy | +Open source license compliance, SBOM generation, and vulnerability management | +
| 🤝 Third-Party Management | +Third Party Management | +Vendor security assessment, supply chain risk management, and procurement security | +
| 🔍 Vulnerability Management | +Vulnerability Management Procedure | +Systematic approach to identifying, assessing, and remediating security vulnerabilities | +