Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure360 - Agile Security By Example

Matt Konda
May 15, 2013
Technology
0
710

Secure360 - Agile Security By Example

Note: This talk is highly interactive and was delivered primarily through story cards on a story board at the front of a room with stakeholders from the audience helping to prioritize and change direction on the fly. The slides supported that, but were not in themselves a foundational part of the talk.

Conference Abstract:
In this highly interactive talk, we will use Agile methods to present an overview of Agile project management. We will start with four cards or “epics” (topics): Explain Agile, Agile Security Metrics, A Fictional Case Study and Agile Anti-Patterns. The audience will participate by prioritizing and defining additional cards and tasks as the talk progresses. The talk will literally be driven by the agile process that we are trying to explain. Throughout, we will track the metrics of our presentation and at the end we will demonstrate how we set out to do what we wanted to do (or didn’t!).

The core value to the attendee is learning the foundation of Agile by using it and seeing it first hand. We expect to talk at length about the benefits Agile offers to security projects and programs. In addition, we expect to talk about specific security related metrics. If the original plan holds through the talk, we will also cover some anti-patterns – how to know there is something wrong in an agile project. Worst case is that those interfacing with development teams using agile will have a better sense of how that process works. Warning: this talk may eat itself.

Matt Konda

May 15, 2013
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
190
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
82
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
55
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
89

Other Decks in Technology

See All in Technology
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
Flutterによる 効率的なAndroid・iOS・Webアプリケーション開発の事例
recruitengineers
PRO
0
120
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
160
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
100
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
110
生成AIが変えるデータ分析の全体像
ishikawa_satoru
0
170
OCI Vault 概要
oracle4engineer
PRO
0
9.7k
組織成長を加速させるオンボーディングの取り組み
sudoakiy
2
210
OCI Network Firewall 概要
oracle4engineer
PRO
0
4.2k
CDCL による厳密解法を採用した MILP ソルバー
imai448
3
140
FlutterアプリにおけるSLI/SLOを用いたユーザー体験の可視化と計測基盤構築
ostk0069
0
100

Featured

See All Featured
Building an army of robots
kneath
302
43k
Faster Mobile Websites
deanohume
305
30k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Optimizing for Happiness
mojombo
376
70k
GitHub's CSS Performance
jonrohan
1030
460k
Music & Morning Musume
bryan
46
6.2k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
364
24k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Practical Orchestrator
shlominoach
186
10k
How to train your dragon (web standard)
notwaldorf
88
5.7k

Transcript

  1. Agile Security By Example Matt Konda @mkonda Jemurai.com

  2. None

  3. Background on me • Developer (~16 years) • Used agile

    a lot (~9 years) • Appsec focused (~5 years) • speaking around dev & sec (~2+ years) jemurai.com @mkonda

  4. DEVELOPER (~16 YEARS) BACKGROUND ON ME

  5. background on you • Management Role? • technical role? •

    CISSP? • How many people “know” agile? • Like agile? • Use agile?
  6. None

  7. How this is going to work • Identify stakeholders •

    Run the talk with agile • Do 5 minute sprints • Start with 4 epics

  8. Initial epics • Explain Agile • A Fictional Case Study

    • Agile Security Metrics • Agile Anti-Patterns

  9. Agile values Individuals and interactions over processes and tools

  10. Agile values Working software over comprehensive documentation

  11. Agile values Customer collaboration over contract negotiation

  12. Agile values Responding to change over following a plan

  13. Traditional Plan Original goal

  14. Traditional Plan Original goal Actual GOAL Agile Plan

  15. Agile concepts Story A narrative description of a feature or

    task. Often in the form of: As a <stakeholder> I need to <action> in order to <actual business objective>.

  16. Agile concepts Stakeholder The people who will be impacted by

    a story. Often product managers and customers in addition to development, quality assurance, operations, security and IT.
  17. None

  18. Agile concepts Sprint An arbitrary unit of time in which

    work will be measured. Often one or two weeks. Also an “iteration”.

  19. Agile concepts Backlog The queue of work to be done.

    Sometimes different backlogs for different types of things – say features, issues, documentation, technical controls.

  20. Agile concepts Release The point where work is made available

    to a broader audience. Often after several Sprints. m Stories per Sprint, n Sprints per release.

  21. Agile concepts Story Board The place where work for the

    current Sprint is easy to see and track. Could be on the wall like we are doing, or in a tool like Trello, AgileZen, Jira/ GreenHopper, etc.

  22. Trello Example

  23. Agilezen Example

  24. Agile concepts Standup A periodic checkpoint meeting attended by stakeholders

    during which issues and progress are reviewed. Best if daily, very short, review any issues.
  25. None

  26. Agile concepts Visibility Stakeholders can see status on story board.

    Built in at a fine grained level of detail.

  27. Agile concepts Parking Lot A process for managing issues as

    they arise. Usually says that new issues will be added to a list of items to be discussed and triaged by the team (including business stakeholders) at the next standup.

  28. Agile concepts Sprint Planning The process by which a team

    chooses and estimates what work to do in a given Sprint. Stakeholders must prioritize and know what is in the Sprint. Team discusses & estimates tasks assigned.
  29. None

  30. Agile concepts Velocity How many tasks get done per Sprint.

    Measured in Stories, Story Points or Estimated Story Hours per Sprint.
  31. None

  32. Agile concepts Retrospective Built in mechanism for continuous improvement. At

    the end of every Sprint, the team talks about ways the processes/project can be improved.
  33. None

  34. Agile concepts Technical Debt A measure of work that should

    be done because corners have been cut in one way or another. Often manifested as lack of documentation, lack of testing, lack of operational process.

  35. Agile concepts Grooming The process of managing the backlog. Let

    longer term goals stay big and broadly estimated, let shorter term upcoming work be estimated at a finer level of detail.

  36. CREDIT: RALLYDEV.COM

  37. Notice that traditional presentations are not especially conducive to Agile

    collaboration

  38. Traditional Plan Original goal

  39. Traditional Plan Original goal Actual GOAL Agile Plan

  40. Case Study The following slides illustrate how Agile could be

    applied to different types of security projects.

  41. Case Study: Policy Framework • A master policy could be

    a story. • Each policy could be a story. • Stakeholders are policy approvers and implementers. • Additional stories for mapping policy to compliance/ standard.

  42. Case Study: Pen test • Each part of a penetration

    test could be a story • Scope & Approval • Recon • Exploitation • Pivot & Exploit • Report

  43. Case Study: DLP Implementation • Requirements (email, file, db, network)

    • Tool/Partner selection • Implementation phases Rule tuning Server prep • Testing

  44. Case Study: remediation • Issue remediation demands tracking and visibility

    • Consolidate issues • Each Sprint assign and track issues • Maintain backlog of issues that haven’t been addressed.

  45. Case Study: All together now • A combined story board

    will show issues across the previous four areas. • By managing at the detailed level, you can choose what tasks are next and easily communicate to management what is and what is not being done.

  46. Agile security metrics The following slides illustrate how Agile security

    metrics can work.

  47. What is hard about metrics? Measures. Time.

  48. Agile security metrics • Agile is GREAT for metrics. •

    Check the case study. • Check out progress so for in the talk.

  49. Agile security metrics • Using standard Agile metrics, you can

    track progress toward any long term project goal, including: Policy development Pen Test Product implementation Issue remediation

  50. Agile metrics Credit: rallydev.com

  51. Agile security metrics • Burndown • Velocity • Easy to

    filter

  52. Use metrics to show your organization what you are doing

    and the impact of their prioritization.

  53. Agile Anti-Patterns How do you know you are doing it

    wrong?
  54. None

  55. Agile security anti-patterns • Stakeholders are not included • Stakeholders

    or team do not participate in process • After a Sprint, substantial work done during the sprint is not what was planned

  56. Agile security anti-patterns • Stories are estimated at bigger than

    a sprint • Stories get stuck as work in progress and never move without raising a red flag • Backlog is disorganized

  57. Agile security anti-patterns • Team not involved in estimation •

    Standup takes an hour
  58. None