Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure360 - Agile Security By Example

Matt Konda
May 15, 2013
Technology
0
710

Secure360 - Agile Security By Example

Note: This talk is highly interactive and was delivered primarily through story cards on a story board at the front of a room with stakeholders from the audience helping to prioritize and change direction on the fly. The slides supported that, but were not in themselves a foundational part of the talk.

Conference Abstract:
In this highly interactive talk, we will use Agile methods to present an overview of Agile project management. We will start with four cards or “epics” (topics): Explain Agile, Agile Security Metrics, A Fictional Case Study and Agile Anti-Patterns. The audience will participate by prioritizing and defining additional cards and tasks as the talk progresses. The talk will literally be driven by the agile process that we are trying to explain. Throughout, we will track the metrics of our presentation and at the end we will demonstrate how we set out to do what we wanted to do (or didn’t!).

The core value to the attendee is learning the foundation of Agile by using it and seeing it first hand. We expect to talk at length about the benefits Agile offers to security projects and programs. In addition, we expect to talk about specific security related metrics. If the original plan holds through the talk, we will also cover some anti-patterns – how to know there is something wrong in an agile project. Worst case is that those interfacing with development teams using agile will have a better sense of how that process works. Warning: this talk may eat itself.

Matt Konda

May 15, 2013
Tweet

More Decks by Matt Konda

See All by Matt Konda
Glue Intro
mkonda
0
130
Automate All of the Things
mkonda
0
180
Building Rugged Software in a DevOps World
mkonda
0
100
What is Rugged all about?
mkonda
1
81
Real World Security Testing
mkonda
1
100
Security Automation Pipeline
mkonda
1
190
Security Automation Workshop
mkonda
0
53
Rationalizing Security
mkonda
0
60
Application Security Landscape
mkonda
0
89

Other Decks in Technology

See All in Technology
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
430
Commitment vs Harrisonism - Keynote for Scrum Niseko 2024
miholovesq
6
1.1k
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120
WINTICKETアプリで実現した高可用性と高速リリースを支えるエコシステム / winticket-eco-system
cyberagentdevelopers
PRO
1
190
物価高なラスベガスでの過ごし方
zakky
0
380
Shift-from-React-to-Vue
calm1205
3
1.3k
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
180
ネット広告に未来はあるか?「3rd Party Cookie廃止とPrivacy Sandboxの効果検証の裏側」 / third-party-cookie-privacy
cyberagentdevelopers
PRO
1
130
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
プロダクトエンジニアが活躍する環境を作りたくて 事業責任者になった話 ~プロダクトエンジニアの行き着く先~
gimupop
1
480
Java x Spring Boot Warm up
kazu_kichi_67
2
490
2024-10-30-reInventStandby_StudyGroup_Intro
shinichirokawano
1
630

Featured

See All Featured
Measuring & Analyzing Core Web Vitals
bluesmoon
1
40
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.2k
Code Review Best Practice
trishagee
64
17k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
The Cost Of JavaScript in 2023
addyosmani
45
6.6k
How GitHub (no longer) Works
holman
311
140k
A designer walks into a library…
pauljervisheath
202
24k
For a Future-Friendly Web
brad_frost
175
9.4k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
43
6.6k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
Art, The Web, and Tiny UX
lynnandtonic
296
20k
Producing Creativity
orderedlist
PRO
341
39k

Transcript

  1. Agile Security By Example Matt Konda @mkonda Jemurai.com

  2. None

  3. Background on me • Developer (~16 years) • Used agile

    a lot (~9 years) • Appsec focused (~5 years) • speaking around dev & sec (~2+ years) jemurai.com @mkonda

  4. DEVELOPER (~16 YEARS) BACKGROUND ON ME

  5. background on you • Management Role? • technical role? •

    CISSP? • How many people “know” agile? • Like agile? • Use agile?
  6. None

  7. How this is going to work • Identify stakeholders •

    Run the talk with agile • Do 5 minute sprints • Start with 4 epics

  8. Initial epics • Explain Agile • A Fictional Case Study

    • Agile Security Metrics • Agile Anti-Patterns

  9. Agile values Individuals and interactions over processes and tools

  10. Agile values Working software over comprehensive documentation

  11. Agile values Customer collaboration over contract negotiation

  12. Agile values Responding to change over following a plan

  13. Traditional Plan Original goal

  14. Traditional Plan Original goal Actual GOAL Agile Plan

  15. Agile concepts Story A narrative description of a feature or

    task. Often in the form of: As a <stakeholder> I need to <action> in order to <actual business objective>.

  16. Agile concepts Stakeholder The people who will be impacted by

    a story. Often product managers and customers in addition to development, quality assurance, operations, security and IT.
  17. None

  18. Agile concepts Sprint An arbitrary unit of time in which

    work will be measured. Often one or two weeks. Also an “iteration”.

  19. Agile concepts Backlog The queue of work to be done.

    Sometimes different backlogs for different types of things – say features, issues, documentation, technical controls.

  20. Agile concepts Release The point where work is made available

    to a broader audience. Often after several Sprints. m Stories per Sprint, n Sprints per release.

  21. Agile concepts Story Board The place where work for the

    current Sprint is easy to see and track. Could be on the wall like we are doing, or in a tool like Trello, AgileZen, Jira/ GreenHopper, etc.

  22. Trello Example

  23. Agilezen Example

  24. Agile concepts Standup A periodic checkpoint meeting attended by stakeholders

    during which issues and progress are reviewed. Best if daily, very short, review any issues.
  25. None

  26. Agile concepts Visibility Stakeholders can see status on story board.

    Built in at a fine grained level of detail.

  27. Agile concepts Parking Lot A process for managing issues as

    they arise. Usually says that new issues will be added to a list of items to be discussed and triaged by the team (including business stakeholders) at the next standup.

  28. Agile concepts Sprint Planning The process by which a team

    chooses and estimates what work to do in a given Sprint. Stakeholders must prioritize and know what is in the Sprint. Team discusses & estimates tasks assigned.
  29. None

  30. Agile concepts Velocity How many tasks get done per Sprint.

    Measured in Stories, Story Points or Estimated Story Hours per Sprint.
  31. None

  32. Agile concepts Retrospective Built in mechanism for continuous improvement. At

    the end of every Sprint, the team talks about ways the processes/project can be improved.
  33. None

  34. Agile concepts Technical Debt A measure of work that should

    be done because corners have been cut in one way or another. Often manifested as lack of documentation, lack of testing, lack of operational process.

  35. Agile concepts Grooming The process of managing the backlog. Let

    longer term goals stay big and broadly estimated, let shorter term upcoming work be estimated at a finer level of detail.

  36. CREDIT: RALLYDEV.COM

  37. Notice that traditional presentations are not especially conducive to Agile

    collaboration

  38. Traditional Plan Original goal

  39. Traditional Plan Original goal Actual GOAL Agile Plan

  40. Case Study The following slides illustrate how Agile could be

    applied to different types of security projects.

  41. Case Study: Policy Framework • A master policy could be

    a story. • Each policy could be a story. • Stakeholders are policy approvers and implementers. • Additional stories for mapping policy to compliance/ standard.

  42. Case Study: Pen test • Each part of a penetration

    test could be a story • Scope & Approval • Recon • Exploitation • Pivot & Exploit • Report

  43. Case Study: DLP Implementation • Requirements (email, file, db, network)

    • Tool/Partner selection • Implementation phases Rule tuning Server prep • Testing

  44. Case Study: remediation • Issue remediation demands tracking and visibility

    • Consolidate issues • Each Sprint assign and track issues • Maintain backlog of issues that haven’t been addressed.

  45. Case Study: All together now • A combined story board

    will show issues across the previous four areas. • By managing at the detailed level, you can choose what tasks are next and easily communicate to management what is and what is not being done.

  46. Agile security metrics The following slides illustrate how Agile security

    metrics can work.

  47. What is hard about metrics? Measures. Time.

  48. Agile security metrics • Agile is GREAT for metrics. •

    Check the case study. • Check out progress so for in the talk.

  49. Agile security metrics • Using standard Agile metrics, you can

    track progress toward any long term project goal, including: Policy development Pen Test Product implementation Issue remediation

  50. Agile metrics Credit: rallydev.com

  51. Agile security metrics • Burndown • Velocity • Easy to

    filter

  52. Use metrics to show your organization what you are doing

    and the impact of their prioritization.

  53. Agile Anti-Patterns How do you know you are doing it

    wrong?
  54. None

  55. Agile security anti-patterns • Stakeholders are not included • Stakeholders

    or team do not participate in process • After a Sprint, substantial work done during the sprint is not what was planned

  56. Agile security anti-patterns • Stories are estimated at bigger than

    a sprint • Stories get stuck as work in progress and never move without raising a red flag • Backlog is disorganized

  57. Agile security anti-patterns • Team not involved in estimation •

    Standup takes an hour
  58. None