Security from Inception

Transcript

1. Security from inception Matt Konda @mkonda Jemurai.com

2. Introduction 1997 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl Java Applet C++ J2EE J2EE
 Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager ! Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 MS in CS Founder Consultant Agile Clojure Graph Database Trying to hack a business model that succeeds while helping developers. Domains: Projects: ! Training Coaching Code Review Plugged in to SDLC Consulting Assessments

3. BACKGROUND ON ME

4. What is an inception?

5. exercise

6. ARE STAKEHOLDERS ASKING FOR SECURITY?

7. villain Persona

8. Baseline security requirements

9. story points

10. estimates to include security considerations

11. Agile metrics Credit: rallydev.com

12. Agile values Individuals and interactions over processes and tools

13. Agile values Working software over comprehensive documentation

14. Agile values Customer collaboration over contract negotiation

15. Agile values Responding to change over following a plan

16. Traditional Plan Original goal

17. Traditional Plan Original goal Actual GOAL Agile Plan

18. Example: 2FA

19. placeholder for building picture

20. Example: auditing

21. story review

22. CREDIT:
 RALLYDEV.COM

23. incremental code review

24. hipchat

25. continuous integration

26. Speaking of tools…

27. there is no
    !

28. checklists

29. bug tracking

30. EVIL False Positives Are a Necessary

31. standup

32. None

33. provide scenarios for negative testing

34. built in architecture review

35. operationalize

36. None

37. Facilitate

38. ask questions

39. None
40. None

41. Ɣ Ɣ 5(/,$%,/,7< 0$,17$,1$%,/,7< Ɣ Ɣ Ɣ Ɣ Ɣ Ɣ

    Ɣ Ɣ 6(&85,7< ruggeddev.org @ruggeddev rugged

42. make developer friends
    !

43. None

44. goal: describe some practical ways to engage with real world

    development teams

45. Summary • Villain Person from Inception • baseline Security Requirements

    Up Front • Story Review for Security: acceptance criteria • Security Requirements included in stories PRE estimation • Incremental Code Review • Share Tools: planning, collaboration, build • Participate in Standup • operational and monitoring guide • Facilitate - ask questions - stay involved

46. Thank you

47. Thank you

48. Security from inception Matt Konda @mkonda Jemurai.com