Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating security into an existing agile SDLC

Laura Bell
September 12, 2014
Technology
0
140

Integrating security into an existing agile SDLC

Laura Bell

September 12, 2014
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
220
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
52
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
79
Practical tools for privacy audit
ladynerd
0
170

Other Decks in Technology

See All in Technology
Datachain会社紹介資料(2024年11月) / Company Deck
datachain
3
16k
ガバメントクラウド先行事業中間報告を読み解く
sugiim
1
1.4k
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.6k
ガチ勢によるPipeCD運用大全〜滑らかなCI/CDを添えて〜 / ai-pipecd-encyclopedia
cyberagentdevelopers
PRO
3
210
プロポーザルのつくり方
〜個人技編〜 / How to come up with proposals
ohbarye
1
110
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
omakaseしないための.rubocop.yml のつくりかた / How to Build Your .rubocop.yml to Avoid Omakase #kaigionrails
linkers_tech
3
740
GitHub Universe: Evaluating RAG apps in GitHub Actions
pamelafox
0
180

Featured

See All Featured
Building Flexible Design Systems
yeseniaperezcruz
327
38k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
28
9.1k
Practical Orchestrator
shlominoach
186
10k
Typedesign – Prime Four
hannesfritz
39
2.4k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
How to Ace a Technical Interview
jacobian
275
23k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. ARC208

  2. once upon a time design code stuff ideas test deploy

  3. security was all about gates design code stuff idea test

    deploy

  4. and goodness do we love gates design code stuff idea

    test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

  5. same thing, just more frequently?

  6. None

  7. Why don’t you do security?

  8. we can make you look good Proactive security engagement increases:

    Preparedness Credibility Market awareness Strategic thinking

  9. So what does agile security need to be 1. Able

    to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

  10. common misconceptions

  11. avoidance != management

  12. too little to fail (at security)

  13. the sky is not always falling* *except when it is

    (then you should really do something about it)

  14. agility increases risk

  15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

  16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

  17. 2. learn to add, adapt and abandon

  18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

  19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

  20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

  21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

  22. 7. build an empire one developer at a time

  23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

  24. fails

  25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

  26. common challenges and how to conquer, obliterate or otherwise win

  27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

  28. maintain momentum “more secure today than yesterday”

  29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
  30. None

  31. Ready to get started? …take a deep breath

  32. None
  33. None