Integrating security into an existing agile SDLC

ARC208

once upon a time design code stuff ideas test deploy

security was all about gates design code stuff idea test
deploy

and goodness do we love gates design code stuff idea
test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

same thing, just more frequently?

Why don’t you do security?

we can make you look good Proactive security engagement increases:
Preparedness Credibility Market awareness Strategic thinking

So what does agile security need to be 1. Able
to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

common misconceptions

avoidance != management

too little to fail (at security)

the sky is not always falling* *except when it is
(then you should really do something about it)

agility increases risk

Ten steps to a better, stronger and more secure you
regardless of budget, organisation size or how cool you are

1. know your stack Languages Libraries Operating Systems Applications Third
Party Services

2. learn to add, adapt and abandon

3. create a simple risk taxonomy Critical High Medium Low
Informational False Positive

4. understand your security and technical debt it’s natural and
awesome but you can’t run from it forever

5. bring security into your requirements “engage security early and
often and be sure to have it included in your definition of done”

6. prepare for the worst Monitoring Analysis Understanding Response Feedback

7. build an empire one developer at a time

8. design your workflows “the best technical people I know
work really hard to make themselves redundant. “

10. outsource smartly “if you are going to spend the
money, research your options, scope well and be demanding”

common challenges and how to conquer, obliterate or otherwise win

compliance is a priority “nothing is more fatal to a
new business than the fines for non-compliance”

maintain momentum “more secure today than yesterday”

use your words No Simple way to remove risk Must
be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage

Ready to get started? …take a deep breath

Integrating security into an existing agile SDLC

Integrating security into an existing agile SDLC

Laura Bell

More Decks by Laura Bell

Other Decks in Technology

Featured

Transcript

ARC208

once upon a time design code stuff ideas test deploy

security was all about gates design code stuff idea test

and goodness do we love gates design code stuff idea

same thing, just more frequently?

Why don’t you do security?

we can make you look good Proactive security engagement increases:

So what does agile security need to be 1. Able

common misconceptions

avoidance != management

too little to fail (at security)

the sky is not always falling* *except when it is

agility increases risk

Ten steps to a better, stronger and more secure you

1. know your stack Languages Libraries Operating Systems Applications Third

2. learn to add, adapt and abandon

3. create a simple risk taxonomy Critical High Medium Low

4. understand your security and technical debt it’s natural and

5. bring security into your requirements “engage security early and

6. prepare for the worst Monitoring Analysis Understanding Response Feedback

7. build an empire one developer at a time

8. design your workflows “the best technical people I know

fails

10. outsource smartly “if you are going to spend the

common challenges and how to conquer, obliterate or otherwise win

compliance is a priority “nothing is more fatal to a

maintain momentum “more secure today than yesterday”

use your words No Simple way to remove risk Must

Ready to get started? …take a deep breath