Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Integrating security into an existing agile SDLC
Search
Laura Bell
September 12, 2014
Technology
0
140
Integrating security into an existing agile SDLC
Laura Bell
September 12, 2014
Tweet
Share
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
220
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
50
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
78
Practical tools for privacy audit
ladynerd
0
170
Other Decks in Technology
See All in Technology
Efficient zero-copy networking using io_uring
ennael
PRO
0
280
AI時代のアジャイル開発(XP祭り2024版) / Agile Development in the AI Era in XPJUG
takaking22
13
3.5k
OPENLOGI Company Profile
hr01
0
53k
小さな勉強会の始め方、広げ方、あるいは友達の作り方 / How to Start, Grow, and Build Connections with Small Study Groups
ar_tama
2
1.1k
普通の Web エンジニアのための様相論理入門 #yapcjapan / YAPC Hakodate 2024
ytaka23
2
530
Consoles, printk, Nested-NMIs_ Oh my!
ennael
PRO
0
160
【shownet.conf_】ShowNet x 宇宙ネットワーク
shownet
PRO
0
310
映像・音声伝送システム
jtes
0
200
LeSSはスクラムではない!?LeSSにおけるスクラムマスターの振る舞い方とは / Scrum Master Behavior in LeSS
toma_sm
0
110
VS CodeでF1〜12キーつかってますか? / Do you use the F1-12 keys in VS Code?
74th
2
280
Tracking down sources of kernel errors with retsnoop
ennael
PRO
0
140
低コストで実現する社内文書RAG機能を搭載したAIチャットボット開発
takapy
3
590
Featured
See All Featured
The Invisible Customer
myddelton
119
13k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
249
21k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
109
6.9k
Typedesign – Prime Four
hannesfritz
39
2.3k
No one is an island. Learnings from fostering a developers community.
thoeni
19
2.9k
Docker and Python
trallard
40
3k
Pencils Down: Stop Designing & Start Developing
hursman
119
11k
10 Git Anti Patterns You Should be Aware of
lemiorhan
653
59k
Building Your Own Lightsaber
phodgson
102
6k
Designing Experiences People Love
moore
138
23k
[RailsConf 2023] Rails as a piece of cake
palkan
49
4.7k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.1k
Transcript
ARC208
once upon a time design code stuff ideas test deploy
security was all about gates design code stuff idea test
deploy
and goodness do we love gates design code stuff idea
test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing
same thing, just more frequently?
None
Why don’t you do security?
we can make you look good Proactive security engagement increases:
Preparedness Credibility Market awareness Strategic thinking
So what does agile security need to be 1. Able
to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable
common misconceptions
avoidance != management
too little to fail (at security)
the sky is not always falling* *except when it is
(then you should really do something about it)
agility increases risk
Ten steps to a better, stronger and more secure you
regardless of budget, organisation size or how cool you are
1. know your stack Languages Libraries Operating Systems Applications Third
Party Services
2. learn to add, adapt and abandon
3. create a simple risk taxonomy Critical High Medium Low
Informational False Positive
4. understand your security and technical debt it’s natural and
awesome but you can’t run from it forever
5. bring security into your requirements “engage security early and
often and be sure to have it included in your definition of done”
6. prepare for the worst Monitoring Analysis Understanding Response Feedback
7. build an empire one developer at a time
8. design your workflows “the best technical people I know
work really hard to make themselves redundant. “
fails
10. outsource smartly “if you are going to spend the
money, research your options, scope well and be demanding”
common challenges and how to conquer, obliterate or otherwise win
compliance is a priority “nothing is more fatal to a
new business than the fines for non-compliance”
maintain momentum “more secure today than yesterday”
use your words No Simple way to remove risk Must
be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
None
Ready to get started? …take a deep breath
None
None