Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating security into an existing agile SDLC

Laura Bell
September 12, 2014
Technology
0
140

Integrating security into an existing agile SDLC

Laura Bell

September 12, 2014
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
250
Hackcon 11 - Protecting our people
ladynerd
0
230
Security in a container based world
ladynerd
0
140
Securing Microservice Architectures
ladynerd
2
350
Better Connected
ladynerd
0
61
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
89
Practical tools for privacy audit
ladynerd
0
180

Other Decks in Technology

See All in Technology
RAGの基礎から実践運用まで:AWS BedrockとLangfuseで実現する構築・監視・評価
sonoda_mj
0
440
スケールアップ企業のQA組織のバリューを最大限に引き出すための取り組み
tarappo
4
970
「ラベルにとらわれない」エンジニアでいること/Be an engineer beyond labels
kaonavi
0
170
AWS CDK コントリビュート はじめの一歩
yendoooo
1
120
大規模サービスにおける カスケード障害
takumiogawa
3
660
AIエージェント完全に理解した
segavvy
4
290
アプリケーション固有の「ロジックの脆弱性」を防ぐ開発者のためのセキュリティ観点
flatt_security
34
13k
17年のQA経験が導いたスクラムマスターへの道 / 17 Years in QA to Scrum Master
toma_sm
0
430
コード品質向上で得られる効果と実践的取り組み
ham0215
2
210
ソフトウェアプロジェクトの成功率が上がらない原因-「社会価値を考える」ということ-
ytanaka5569
0
130
Go製のマイグレーションツールの git-schemalex の紹介と運用方法
shinnosuke_kishida
1
450
20250328_RubyKaigiで出会い鯛_____RubyKaigiから始まったはじめてのOSSコントリビュート.pdf
mterada1228
0
180

Featured

See All Featured
Fontdeck: Realign not Redesign
paulrobertlloyd
83
5.5k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Large-scale JavaScript Application Architecture
addyosmani
511
110k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
7.1k
Testing 201, or: Great Expectations
jmmastey
42
7.4k
A Modern Web Designer's Workflow
chriscoyier
693
190k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
30k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
60k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
666
120k
GraphQLとの向き合い方2022年版
quramy
45
14k
Music & Morning Musume
bryan
46
6.4k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
31
4.8k

Transcript

  1. ARC208

  2. once upon a time design code stuff ideas test deploy

  3. security was all about gates design code stuff idea test

    deploy

  4. and goodness do we love gates design code stuff idea

    test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

  5. same thing, just more frequently?

  6. None

  7. Why don’t you do security?

  8. we can make you look good Proactive security engagement increases:

    Preparedness Credibility Market awareness Strategic thinking

  9. So what does agile security need to be 1. Able

    to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

  10. common misconceptions

  11. avoidance != management

  12. too little to fail (at security)

  13. the sky is not always falling* *except when it is

    (then you should really do something about it)

  14. agility increases risk

  15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

  16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

  17. 2. learn to add, adapt and abandon

  18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

  19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

  20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

  21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

  22. 7. build an empire one developer at a time

  23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

  24. fails

  25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

  26. common challenges and how to conquer, obliterate or otherwise win

  27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

  28. maintain momentum “more secure today than yesterday”

  29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
  30. None

  31. Ready to get started? …take a deep breath

  32. None
  33. None