SARAJEVO, 27.10.2014 
Agile Secure Development 
Petter Sandholdt 
-How to make the agile team work with security requirements
Who am I? 
Petter Sandholdt 
-Senior Developer 
-Senior Security Consultant 
-Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp 
-Security in R&D for last 6 years 
... in agile teams the last 5 years
Easy targets 
Verizon Enterprise’s 2013 Data Breach Investigations Report 
●47,000 reported security incidents 
●621 confirmed data security breaches 
●companies of all sizes 
http://www.verizonenterprise.com/DBIR/2013/ 
78% of successful security intrusions were simple to pull off
What do Dev and SO think? 
http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy 
Survey statements (columns on the slide: Developers, Security Officers): 
●Security of applications is not addressed 
●There is no build-security-in process (SSDLC) 
●Application had a security breach during the past 2 years 
●Did not receive software and application security training 
●Application meets security regulations 
Percentages (slide values, in the order they appear on the slide): 70%, 50%, 80%, 64%, 68%, 47%, 50%, 50%, 15%, 12%
Agile application ≠ Secure? 
Agile motto: 
●Do what’s in the sprint 
XP motto: 
●Never do more than what’s required 
TDD motto: 
●Code until it’s green
Agile application = Secure? 
(diagram: REQS → CODE) 
Agile application = Secure? 
(diagram: REQS and CODE; code that has no requirement behind it is marked NOT TESTED)
When is an application secure? 
●Requires hard-to-guess passwords? 
●Has input validation? 
●Has up-to-date and hardened 3rd-party libraries? 
●The one that fulfills the security requirements of the application
How can the POs know about security? 
POs are OWNERS; in that role they decide what is important for this application, and they rely on others for: 
●Deployability (Architects or Operations) 
●Performance (Architects, Testers & DBA) 
●How to code it (Developers)
Secure Software Development Life Cycles 
●Microsoft SDL 
●Adobe SPLC 
●CLASP 
●Cigital Touchpoints
Secure Coding in 5 minutes 
1.Take Responsibility 
2.Never trust data 
3.Create a threat model 
4.Keep yourself updated 
5.Make a fuzz 
6.Stay proud of your code 
7.Use the best tools 
http://bit.ly/1dZ6fwA
Recipe that works! 
1.Architecture Overview 
2.Have threat modelling sessions 
3.Review all new requirements/stories 
4.Fix your tools to help you 
5.Add YOUR activities to sprint
1. Architecture overview 
Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx 
Data-Flow-Diagrams are great
Agile??? 
WTF! More artifacts! Not on my watch! 
-Helps collaboration 
-Find discrepancies 
-Creates ONE terminology
2. Threat Modeling session 
●First session 
○Brainstorming 
●Following sessions 
○Discussions around added entities
2. Threat Modeling session 
Threat                    Property we want 
Spoofing                  Authentication 
Tampering                 Integrity 
Repudiation               Non-repudiation 
Information Disclosure    Confidentiality 
Denial of Service         Availability 
Elevation of Privilege    Authorization
Threat Modeling session 
Elevation of Privilege (EoP) Card Game
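The two threat-modelling slides above (a data-flow diagram, STRIDE mapped to the property it attacks, and follow-up sessions that only discuss newly added entities) can be turned into a small script the team runs on its DFD. The following is an added example, not code from the presentation: the element types, the STRIDE-per-element table and the sample DFD (a browser, a web app, an orders database and a later admin client) are constructed for illustration.

```python
"""STRIDE-per-element over a small data-flow diagram.

Added example, not code from the presentation. The DFD below (browser,
web app, orders database, an admin client) is constructed for illustration.
"""
from dataclasses import dataclass

# Which STRIDE threats apply to each DFD element type (the Microsoft SDL
# "STRIDE per element" table).
STRIDE_PER_ELEMENT = {
    "external": "SR",      # external entity
    "process": "STRIDE",
    "store": "TRID",       # data store
    "flow": "TID",         # data flow
}

# Threat letter -> (threat, property we want), as in the slide's table.
PROPERTY = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Non-repudiation"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str          # external | process | store | flow
    zone: str = ""     # trust zone (entities, processes, stores)
    source: str = ""   # flows only
    target: str = ""   # flows only


def enumerate_threats(elements):
    """Map each element name to its applicable threats and, for flows,
    whether the flow crosses a trust boundary (source and target in
    different zones), which is where the session should spend its time."""
    by_name = {e.name: e for e in elements}
    report = {}
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind {e.kind!r} on {e.name}")
        threats = [PROPERTY[c][0] for c in STRIDE_PER_ELEMENT[e.kind]]
        crosses = False
        if e.kind == "flow":
            crosses = by_name[e.source].zone != by_name[e.target].zone
        report[e.name] = {"threats": threats, "crosses_boundary": crosses}
    return report


def threats_for_added(before, after):
    """Agenda for a follow-up session: only the elements added since the
    previous session; everything else was already discussed."""
    known = {e.name for e in before}
    return {n: r for n, r in enumerate_threats(after).items() if n not in known}


# Constructed sample DFD as drawn in the first session ...
SESSION_1 = [
    Element("browser", "external", zone="internet"),
    Element("webapp", "process", zone="dmz"),
    Element("orders-db", "store", zone="internal"),
    Element("browser->webapp", "flow", source="browser", target="webapp"),
    Element("webapp->orders-db", "flow", source="webapp", target="orders-db"),
]
# ... and a later sprint adds an admin client talking to the same process.
SESSION_2 = SESSION_1 + [
    Element("admin-cli", "external", zone="office"),
    Element("admin-cli->webapp", "flow", source="admin-cli", target="webapp"),
]

if __name__ == "__main__":
    for name, r in threats_for_added(SESSION_1, SESSION_2).items():
        flag = " (crosses trust boundary)" if r["crosses_boundary"] else ""
        print(f"{name}{flag}: {', '.join(r['threats'])}")
```

Running it prints only the two entities added in the second session, with the flow from the office zone into the DMZ flagged as a boundary crossing; that list is the agenda for the follow-up session the slide describes.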
3. Backlog Review 
Look at the backlog from a security perspective 
Security Expert (from team) and PO 
Create checklist to facilitate
3. Checklist Example 
●How will this new functionality be accessed? 
●Can this affect “protected identities”? 
●New entities in the threat model require a new threat model session 
●A new role of users needs new validations on each resource 
●Validations need to be updated if a property changes
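The last three checklist items are mechanical enough to be enforced by a test rather than remembered during backlog review: an explicit role × resource × action matrix, a fail-closed lookup, a check that every combination has been decided, and a check that grants still agree with a resource's "protected" property. The following is an added example, not code from the presentation; the roles, resources, the `protected` flag and the matrix are constructed for illustration.

```python
"""Role x resource x action authorization matrix with fail-closed lookups
and checks that back the backlog-review checklist.

Added example, not code from the presentation. Roles, resources, the
'protected' flag and the matrix below are constructed for illustration.
"""

ROLES = {"anonymous", "customer", "support", "admin"}
ACTIONS = {"read", "write"}
# 'protected' marks resources holding protected identities; only cleared
# roles may be granted access to them, whatever the matrix says.
RESOURCES = {
    "order": {"protected": False},
    "customer-profile": {"protected": True},
}
CLEARED_FOR_PROTECTED = {"support", "admin"}

# Every (role, resource, action) combination is listed explicitly; an
# absent entry is not "undecided", it is denied (see is_allowed).
MATRIX = {
    ("anonymous", "order", "read"): False,
    ("anonymous", "order", "write"): False,
    ("anonymous", "customer-profile", "read"): False,
    ("anonymous", "customer-profile", "write"): False,
    ("customer", "order", "read"): True,
    ("customer", "order", "write"): True,
    ("customer", "customer-profile", "read"): False,
    ("customer", "customer-profile", "write"): False,
    ("support", "order", "read"): True,
    ("support", "order", "write"): False,
    ("support", "customer-profile", "read"): True,
    ("support", "customer-profile", "write"): False,
    ("admin", "order", "read"): True,
    ("admin", "order", "write"): True,
    ("admin", "customer-profile", "read"): True,
    ("admin", "customer-profile", "write"): True,
}


def is_allowed(role, resource, action, matrix=MATRIX):
    """Fail closed: unknown roles, resources or actions are denied."""
    return matrix.get((role, resource, action), False)


def coverage_gaps(roles=ROLES, resources=RESOURCES, actions=ACTIONS, matrix=MATRIX):
    """Combinations nobody has decided on yet. A new role or a new resource
    makes this non-empty, so a CI test on it forces the decision into the
    sprint instead of leaving an implicit deny (or an implicit allow in some
    other code path)."""
    return sorted((r, s, a) for r in roles for s in resources for a in actions
                  if (r, s, a) not in matrix)


def protection_violations(resources=RESOURCES, matrix=MATRIX,
                          cleared=CLEARED_FOR_PROTECTED):
    """Allow entries that contradict the 'protected' property. Flipping the
    property on a resource (a changed requirement) makes this non-empty
    until the matrix is revalidated."""
    return sorted(key for key, allowed in matrix.items()
                  if allowed and resources[key[1]]["protected"]
                  and key[0] not in cleared)


if __name__ == "__main__":
    print("gaps:", coverage_gaps())
    print("gaps after adding role 'auditor':",
          coverage_gaps(roles=ROLES | {"auditor"}))
    print("violations:", protection_violations())
    changed = {**RESOURCES, "order": {"protected": True}}
    print("violations after protecting 'order':",
          protection_violations(resources=changed))
```

Wire `coverage_gaps()` and `protection_violations()` into the CI suite as tests that must return empty lists: adding the role `auditor` or flipping `order` to protected then breaks the build until someone makes the access decision, which is exactly the review the checklist asks for.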
4. Fix your tools to help you 
●Continuous Integration 
●Static code analyzers 
●Dynamic code analyzers 
●Penetration tests tools
4. Continuous Integration 
●Find compile errors in configuration 
●Automate robustness testing 
○Unit 
○Integration 
○System 
○Fuzz
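"Make a fuzz" in the secure-coding list and "Automate robustness testing ○ Fuzz" here both come down to the same thing: a harness that mutates known-good inputs, feeds them to a parser, and treats any exception other than the documented one as a bug, run on every build. The following is an added example, not code from the presentation; the record format, the two parsers (one hardened, one deliberately fragile so the harness has something to find) and the seed inputs are constructed for illustration.

```python
"""Mutation fuzz harness small enough to run as a CI test.

Added example, not code from the presentation. The netstring-style record
format, both parsers and the seed inputs are constructed for illustration;
parse_record_fragile is deliberately fragile so the harness has a bug to find.
"""
import random


class ParseError(ValueError):
    """The only exception a parser is allowed to raise on bad input."""


def parse_record(data: bytes) -> bytes:
    """Hardened parser for '<len>:<payload>,' records: every assumption about
    the input is checked before it is used."""
    if not isinstance(data, (bytes, bytearray)):
        raise ParseError("bytes expected")
    head, sep, rest = bytes(data).partition(b":")
    if not sep or not head.isdigit() or len(head) > 9:
        raise ParseError("bad length prefix")
    n = int(head)
    if len(rest) != n + 1 or rest[n:n + 1] != b",":
        raise ParseError("length mismatch or missing terminator")
    return rest[:n]


def parse_record_fragile(data: bytes) -> bytes:
    """Same format, but trusts the input: int() on an unchecked prefix and an
    unchecked index leak out as ValueError/IndexError, i.e. crashes."""
    head, _, rest = data.partition(b":")
    n = int(head)
    if rest[n] != ord(","):
        raise ParseError("missing terminator")
    return rest[:n]


def mutate(rng, data):
    """One random mutation: bit flip, byte insert, byte delete or truncate."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf = buf[:rng.randrange(len(buf) + 1)]
    return bytes(buf)


def fuzz(target, seeds, iterations=2000, seed=1, allowed=(ParseError,)):
    """Run `target` on mutated seeds. Returns None if every input either
    parsed or raised an allowed exception, otherwise (input, exception) for
    the first crash. The fixed RNG seed makes a CI failure reproducible."""
    rng = random.Random(seed)
    corpus = list(seeds)
    for _ in range(iterations):
        case = mutate(rng, rng.choice(corpus))
        try:
            target(case)
        except allowed:
            continue
        except Exception as exc:  # anything else is a robustness bug
            return case, exc
    return None


# Constructed seed corpus: a few valid records.
SEEDS = [b"0:,", b"5:hello,", b"11:hello world,"]

if __name__ == "__main__":
    print("hardened:", fuzz(parse_record, SEEDS))
    print("fragile :", fuzz(parse_record_fragile, SEEDS))
```

In CI the test is simply `fuzz(parse_record, SEEDS) is None`; when it fails, the returned input is the reproducer to attach to the bug. A few thousand iterations of a mutation fuzzer like this finish in well under a second, so there is no reason to leave it out of the build.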
4. Analyze the code 
●Evaluate state of code checked in 
○Complexity 
○Rule breaking 
●Tools 
○SonarQube 
○Coverity 
○Fortify
5. Add activities to sprints 
●Update high level diagram 
●Keep updated 
●Fuzz-testing
Buckets 
●Verification 
○Fuzz 
○Data-flow 
●Design 
○Cryptology 
○Privacy 
●Planning 
○Privacy tests 
○Internal symbols
Recipe that works! 
1.Architecture Overview 
2.Have threat modelling sessions 
3.Review all new requirements/stories 
4.Fix your tools to help you 
5.Add YOUR activities to sprint
Q & A 
-This won’t work in my team since… 
petter.sandholdt@softhouse.se
Thank You
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 

Agile Secure Development Petter Sandholdt

  • 1. SARAJEVO, 27.10.2014 Agile Secure Development Petter Sandholdt -How to make the agile team work with security requirements
  • 2. Who am I? Petter Sandholdt -Senior Developer -Senior Security Consultant -Java, C, C++, C#, Cocoa, Erlang, PHP, Pike, Ruby, Cobol, Fortran, Lisp -Security in R&D for last 6 years ... in agile teams the last 5 years
  • 3. Easy targets Verizon Enterprise’s 2013 Data Breach Investigations Report ●47,000 reported security incidents, ●621 confirmed data security breaches ●companies of all sizes. http://www.verizonenterprise.com/DBIR/2013/ 78% of successful security intrusions were simple to pull off
  • 4. What do Dev and SO think? http://www.pcadvisor.co.uk/news/network-wifi/3345773/developers-say-application-security-lacking/#ixzz2Vj0QCALy Developers Security Officers Security of applications is not addressed There is no build security in process SSDLC Application had a security breach during the past 2 years Did not receive software and application security training Application meets security regulations 70% 50% 80% 64% 68% 47% 50% 50% 15% 12%
  • 5. Agile application ≠ Secure? Agile motto: ●Do what’s in the sprint XP motto: ●Never do more than what’s required TDD motto: ●Code until it’s green
  • 6. Agile application = Secure? REQS CODE
  • 7. Agile application = Secure? CODE REQS NOT TESTED
  • 8. When is an application secure? ●Requires hard-to-guess passwords? ●Has input validation? ●Has up-to-date and hardened 3rd-party libraries? ●The one that fulfills the security requirements of the application
  • 9. How can the POs know about security? POs are OWNERS; in that role they decide what is important for this application. ●Deployability (Architects or Operations) ●Performance (Architects, Testers & DBA) ●How to code it (Developers)
  • 10. Secure Software Development Life Cycles ●Microsoft SDL ●Adobe SPLC ●CLASP ●Cigital Touchpoints
  • 11. Secure Coding in 5 minutes 1.Take Responsibility 2.Never trust data 3.Create a threat model 4.Keep yourself updated 5.Make a fuzz 6.Stay proud of your code 7.Use the best tools http://bit.ly/1dZ6fwA
  • 12. Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 14. 1. Architecture overview Image from: http://msdn.microsoft.com/en-us/library/ff649779.aspx
  • 16. Agile??? WTF! More artifacts! Not on my watch! -Helps collaboration -Finds discrepancies -Creates ONE terminology
  • 17. 2. Threat Modeling session ●First session ○Brainstorming ●Following sessions ○Discussions around added entities
  • 18. 2. Threat Modeling session Threat → Property we want: Spoofing → Authentication; Tampering → Integrity; Repudiation → Non-repudiation; Information Disclosure → Confidentiality; Denial of Service → Authentication; Elevation of Privilege → Authorization
  • 19. Threat Modeling session Elevation of Privilege (EoP) Card Game
  • 20. 3. Backlog Review Look at the backlog from a security perspective Security Expert (from team) and PO Create checklist to facilitate
  • 21. 3. Checklist Example ●How will this new functionality be accessed? ●Can this affect “protected identities”? ●New entities in the threat model require adding a new threat model session ●New role of users needs new validations on each resource ●Validations need to be updated if a property changes
  • 22. 4. Fix your tools to help you ●Continuous Integration ●Static code analyzers ●Dynamic code analyzers ●Penetration tests tools
  • 23. 4 Continuous Integration ●Find compile errors in configuration ●Automate robustness testing ○Unit ○Integration ○System ○Fuzz
  • 24. 4 Analyze the code ●Evaluate state of code checked in ○Complexity ○Rule breaking ●Tools ○SonarQube ○Coverity ○Fortify
  • 25. 5. Add activities to sprints ●Update high level diagram ●Keep updated ●Fuzz-testing
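Slides 23 and 25 list fuzz-testing among the robustness tests to automate in CI and the activities to add to each sprint. The block below is an added example, not code from the talk: a constructed "name:role" record parser in its unvalidated and validated forms, and a small mutation fuzzer that reports any input on which the parser fails with something other than the documented ValueError. The parser, seed corpus and mutation strategy are all assumptions made for the illustration.

```python
import random
from typing import Callable, List, Tuple

ALLOWED_ROLES = {"admin", "user", "guest"}
SEEDS = [b"alice:user", b"bob:admin"]  # constructed seed corpus for the constructed parser

def parse_record_before(raw: bytes) -> Tuple[str, str]:
    # Trusts its input: assumes ASCII text with exactly one ':'.
    parts = raw.decode("ascii").split(":")
    return parts[0], parts[1]  # IndexError when there is no ':'

def parse_record_after(raw: bytes) -> Tuple[str, str]:
    # Validates first; every rejection is a ValueError the caller can handle.
    if len(raw) > 64:
        raise ValueError("record too long")
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("non-ASCII record") from exc
    name, sep, role = text.partition(":")
    if not sep or not name.isalnum() or role not in ALLOWED_ROLES:
        raise ValueError("malformed record")
    return name, role

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random mutation: bit flip, byte insert, byte delete or chunk repeat."""
    buf = bytearray(data) or bytearray(b"\x00")
    i, choice = rng.randrange(len(buf)), rng.randrange(4)
    if choice == 0:
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1:
        buf.insert(i, rng.randrange(256))
    elif choice == 2:
        del buf[i]
    else:
        buf.extend(buf[i:] * rng.randrange(1, 8))
    return bytes(buf)

def fuzz(target: Callable[[bytes], object], seeds: List[bytes],
         iterations: int = 2000, seed: int = 1) -> List[Tuple[bytes, str]]:
    """Return the inputs on which target raised anything other than ValueError."""
    rng, findings = random.Random(seed), []
    for _ in range(iterations):
        sample = mutate(rng, rng.choice(seeds))
        try:
            target(sample)
        except ValueError:
            continue  # expected rejection of bad input
        except Exception as exc:  # unexpected crash: a robustness bug to fix
            findings.append((sample, type(exc).__name__))
    return findings
```

Run in CI with a fixed seed, the harness is deterministic, so a non-empty findings list fails the build reproducibly and each finding becomes a concrete sprint item.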
  • 26. Buckets ●Verification ○Fuzz ○Data-flow ●Design ○Cryptology ○Privacy ●Planning ○Privacy tests ○Internal symbols
  • 27. Recipe that works! 1.Architecture Overview 2.Have threat modelling sessions 3.Review all new requirements/stories 4.Fix your tools to help you 5.Add YOUR activities to sprint
  • 28. Q & A -This won’t work in my team since… petter.sandholdt@softhouse.se