SlideShare a Scribd company logo

Agile software security assurance

Download as PPTX, PDF
Ollie Whitehouse
Ollie Whitehouse

A short presentation covering the important aspects of an software security assurance effort in agile development environments. Towards the end we provide tips of how it can work in the real-world...

1 of 18
Agile software security assurance NCC Group Technical Security Consulting Ollie Whitehouse, Technical Director
Agenda Recap on Waterfall Introduction to Agile Software Security Assurance Solutions and Examples
Waterfall
Agile
Agile Security Challenges Shallow documentation Shorter windows Tighter schedules Security requirements as stories or tasks but should be across all stories
Agile Security Positives Shorter feedback loops Incremental changes Security as a definition of done for stories Integration, build & deployment agility aiding incident response
Agile Companions – CI & CD
Agile Software Security Assurance During the test & QA phase the manual security expertise required should be minimal
Agile Software Security Assurance Software security training Product owners Architects Developers QA Leads Devops / Integration
Agile Software Security Assurance Agree security / privacy requirements Create / agree quality gates Risk management Requirements / Story Development
Agile Software Security Assurance Agree security & privacy design requirements Perform attack surface analysis / reduction Threat modelling Design
Agile Software Security Assurance Local static code analysis Positive / negative unit and functional Test case development At point of commit: Manual code security focused code review Static code analysis Dynamic analysis / testing Complexity analysis / quality Implementation
Agile Software Security Assurance Security artefact review (SAST, DAST & manual) Automated negative test cases (fuzzing) Security focused new feature final verification Test / QA
Agile Software Security Assurance Licensed code security Open source component security Platform security Sustainment
Agile Software Security Assurance Models … post requirements and design phases Manual resources (security QA as is done today) Tooling (SAST / DAST) Tooling + automation and/or manual resources Tooling + automation + manual resources
Agile Software Security Assurance Example Pre-commit: IDE based static code analysis On commit: static code analysis, code quality and complexity measurement Post build: dynamic analysis, regression suite, fuzzing End of sprint: manual code analysis and manual assessment … using CI for a web app
Conclusions Security investment throughout in agile is a path to success: - to make a natural part of the process - to ensure coverage - to ensure minimal surprises Where not possible and it has to happen at test/QA then: - good feature documentation - code deltas - focused sprints - product knowledge
Europe Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes Amsterdam Copenhagen Munich Zurich North America Atlanta Austin Chicago Mountain View New York San Francisco Seattle Australia Sydney

Recommended

Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Implement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.comImplement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.com
SARCCOM
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
Paul Yang
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
Khairul Zebua
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
Perforce
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
Erika Barron
 
Real Testing Scenario Strategy Practical TestOps Presentation
Real Testing Scenario Strategy Practical TestOps PresentationReal Testing Scenario Strategy Practical TestOps Presentation
Real Testing Scenario Strategy Practical TestOps Presentation
Adam Sandman
 

Recommended

Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
Source Conference
 
Security Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar TymoshykSecurity Services and Approach by Nazar Tymoshyk
Security Services and Approach by Nazar Tymoshyk
SoftServe
 
Implement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.comImplement OpenSAMM on blibli.com
Implement OpenSAMM on blibli.com
SARCCOM
 
Agile & Secure SDLC
Agile & Secure SDLCAgile & Secure SDLC
Agile & Secure SDLC
Paul Yang
 
DevOps Monitoring and Alerting
DevOps Monitoring and AlertingDevOps Monitoring and Alerting
DevOps Monitoring and Alerting
Khairul Zebua
 
How to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty SoftwareHow to Avoid Continuously Delivering Faulty Software
How to Avoid Continuously Delivering Faulty Software
Perforce
 
How To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty SoftwareHow To Avoid Continuously Delivering Faulty Software
How To Avoid Continuously Delivering Faulty Software
Erika Barron
 
Real Testing Scenario Strategy Practical TestOps Presentation
Real Testing Scenario Strategy Practical TestOps PresentationReal Testing Scenario Strategy Practical TestOps Presentation
Real Testing Scenario Strategy Practical TestOps Presentation
Adam Sandman
 
Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017
ChantalWauters
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
Extending Spira With Add-Ons
Extending Spira With Add-OnsExtending Spira With Add-Ons
Extending Spira With Add-Ons
Inflectra
 
Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)
Inflectra
 
Application lifecycle management
Application lifecycle managementApplication lifecycle management
Application lifecycle management
Achintya Kumar
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
Agile Testing Alliance
 
Kloia Quality Assurance
Kloia Quality AssuranceKloia Quality Assurance
Kloia Quality Assurance
kloia
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Exploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTestExploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTest
Adam Sandman
 
Splitting The Check On Compliance and Security
Splitting The Check On Compliance and SecuritySplitting The Check On Compliance and Security
Splitting The Check On Compliance and Security
New Relic
 
Achieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projectsAchieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projects
Intland Software GmbH
 
Program And Portfolio Management
Program And Portfolio ManagementProgram And Portfolio Management
Program And Portfolio Management
Inflectra
 
Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise
Inflectra
 
KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)
Inflectra
 
Quickstart for continuous integration
Quickstart for continuous integrationQuickstart for continuous integration
Quickstart for continuous integration
Fabricio Epaminondas
 
Sast 2021
Sast 2021Sast 2021
Sast 2021
Felix Dobslaw
 
Architecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering CultureArchitecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering Culture
ifnu bima
 
Agile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile ProcessAgile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile Process
gsporar
 
Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
Ollie Whitehouse
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
Ollie Whitehouse
 

More Related Content

What's hot

Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017
ChantalWauters
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat
 
Extending Spira With Add-Ons
Extending Spira With Add-OnsExtending Spira With Add-Ons
Extending Spira With Add-Ons
Inflectra
 
Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)
Inflectra
 
Application lifecycle management
Application lifecycle managementApplication lifecycle management
Application lifecycle management
Achintya Kumar
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
Rogue Wave Software
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
Suman Sourav
 
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
Agile Testing Alliance
 
Kloia Quality Assurance
Kloia Quality AssuranceKloia Quality Assurance
Kloia Quality Assurance
kloia
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
Rogue Wave Software
 
Exploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTestExploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTest
Adam Sandman
 
Splitting The Check On Compliance and Security
Splitting The Check On Compliance and SecuritySplitting The Check On Compliance and Security
Splitting The Check On Compliance and Security
New Relic
 
Achieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projectsAchieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projects
Intland Software GmbH
 
Program And Portfolio Management
Program And Portfolio ManagementProgram And Portfolio Management
Program And Portfolio Management
Inflectra
 
Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise
Inflectra
 
KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)
Inflectra
 
Quickstart for continuous integration
Quickstart for continuous integrationQuickstart for continuous integration
Quickstart for continuous integration
Fabricio Epaminondas
 
Sast 2021
Sast 2021Sast 2021
Sast 2021
Felix Dobslaw
 
Architecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering CultureArchitecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering Culture
ifnu bima
 
Agile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile ProcessAgile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile Process
gsporar
 

What's hot (20)

Embedded world 2017
Embedded world 2017Embedded world 2017
Embedded world 2017
 
LF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API'sLF_APIStrat17_Bulletproofing Your API's
LF_APIStrat17_Bulletproofing Your API's
 
Extending Spira With Add-Ons
Extending Spira With Add-OnsExtending Spira With Add-Ons
Extending Spira With Add-Ons
 
Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)Rapise Overview Presentation (2019)
Rapise Overview Presentation (2019)
 
Application lifecycle management
Application lifecycle managementApplication lifecycle management
Application lifecycle management
 
Cyber security - It starts with the embedded system
Cyber security - It starts with the embedded systemCyber security - It starts with the embedded system
Cyber security - It starts with the embedded system
 
Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud Open Source Libraries - Managing Risk in Cloud
Open Source Libraries - Managing Risk in Cloud
 
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
ATAGTR2017 Static and dynamic code analysis for mobile applications - Act ear...
 
Kloia Quality Assurance
Kloia Quality AssuranceKloia Quality Assurance
Kloia Quality Assurance
 
Create code confidence for better application security
Create code confidence for better application security Create code confidence for better application security
Create code confidence for better application security
 
Exploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTestExploratory Testing - concept and ideas for SpiraTest
Exploratory Testing - concept and ideas for SpiraTest
 
Splitting The Check On Compliance and Security
Splitting The Check On Compliance and SecuritySplitting The Check On Compliance and Security
Splitting The Check On Compliance and Security
 
Achieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projectsAchieving end to-end bidirectional traceability in complex software projects
Achieving end to-end bidirectional traceability in complex software projects
 
Program And Portfolio Management
Program And Portfolio ManagementProgram And Portfolio Management
Program And Portfolio Management
 
Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise Start Your Automation Journey With Rapise
Start Your Automation Journey With Rapise
 
KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)KronoDesk Overview Presentation (2021)
KronoDesk Overview Presentation (2021)
 
Quickstart for continuous integration
Quickstart for continuous integrationQuickstart for continuous integration
Quickstart for continuous integration
 
Sast 2021
Sast 2021Sast 2021
Sast 2021
 
Architecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering CultureArchitecting for Hyper Growth and Great Engineering Culture
Architecting for Hyper Growth and Great Engineering Culture
 
Agile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile ProcessAgile Austin - Peer Code Review An Agile Process
Agile Austin - Peer Code Review An Agile Process
 

Viewers also liked

Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
Ollie Whitehouse
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
Ollie Whitehouse
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
Ollie Whitehouse
 
NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
Ollie Whitehouse
 
Smart grid in the Critical National Infrastructure
Smart grid in the Critical National InfrastructureSmart grid in the Critical National Infrastructure
Smart grid in the Critical National Infrastructure
Ollie Whitehouse
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
Ollie Whitehouse
 
Threat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive CapabilityThreat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive Capability
Ollie Whitehouse
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
Ollie Whitehouse
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
Ollie Whitehouse
 
Countering the Cyber Threat
Countering the Cyber ThreatCountering the Cyber Threat
Countering the Cyber Threat
Ollie Whitehouse
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
Ollie Whitehouse
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
Ollie Whitehouse
 
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Ollie Whitehouse
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber Forensics
Ollie Whitehouse
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
Ollie Whitehouse
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
Ollie Whitehouse
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Ollie Whitehouse
 

Viewers also liked (18)

Designing and building post compromise recoverable services
Designing and building post compromise recoverable servicesDesigning and building post compromise recoverable services
Designing and building post compromise recoverable services
 
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook DriversFrom Problem to Solution: Enumerating Windows Firewall-Hook Drivers
From Problem to Solution: Enumerating Windows Firewall-Hook Drivers
 
Secure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real worldSecure App Aspirations: Why it is very difficult in the real world
Secure App Aspirations: Why it is very difficult in the real world
 
NCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory ServicesNCC Group C Suite Cyber Security Advisory Services
NCC Group C Suite Cyber Security Advisory Services
 
Smart grid in the Critical National Infrastructure
Smart grid in the Critical National InfrastructureSmart grid in the Critical National Infrastructure
Smart grid in the Critical National Infrastructure
 
Why defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skillWhy defensive research is sexy too.. … and a real sign of skill
Why defensive research is sexy too.. … and a real sign of skill
 
Threat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive CapabilityThreat Intelligence - Routes to a Proactive Capability
Threat Intelligence - Routes to a Proactive Capability
 
Finding The Weak Link in Windows Binaries
Finding The Weak Link in Windows BinariesFinding The Weak Link in Windows Binaries
Finding The Weak Link in Windows Binaries
 
Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)Securing your supply chain & vicarious liability (cyber security)
Securing your supply chain & vicarious liability (cyber security)
 
Countering the Cyber Threat
Countering the Cyber ThreatCountering the Cyber Threat
Countering the Cyber Threat
 
NCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat AssessmentNCC Group Pro-active Breach Discovery: Network Threat Assessment
NCC Group Pro-active Breach Discovery: Network Threat Assessment
 
Red Teaming and the Supply Chain
Red Teaming and the Supply ChainRed Teaming and the Supply Chain
Red Teaming and the Supply Chain
 
Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...Assuring the Security of the Supply Chain - Designing best practices for cybe...
Assuring the Security of the Supply Chain - Designing best practices for cybe...
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
Technical Challenges in Cyber Forensics
Technical Challenges in Cyber ForensicsTechnical Challenges in Cyber Forensics
Technical Challenges in Cyber Forensics
 
Cyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics LectureCyber Incident Response & Digital Forensics Lecture
Cyber Incident Response & Digital Forensics Lecture
 
Private sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodesPrivate sector cyber resilience and the role of data diodes
Private sector cyber resilience and the role of data diodes
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
 

Similar to Agile software security assurance

Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
Suman Sourav
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Raphael Denipotti
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
Nazar Tymoshyk, CEH, Ph.D.
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
SoftServe
 
ALM and DevOps in the health industry
ALM and DevOps in the health industryALM and DevOps in the health industry
ALM and DevOps in the health industry
Agile Partner S.A.
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
Achim D. Brucker
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
Rahul Raghavan
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
Rishi Kant
 
Shift Left continous Testing.pptx
Shift Left continous Testing.pptxShift Left continous Testing.pptx
Shift Left continous Testing.pptx
rajeevrocks
 
Agile security
Agile securityAgile security
Agile security
Arthur Donkers
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
Source Conference
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
PECB
 
Building better product security
Building better product securityBuilding better product security
Building better product security
Bohdan Serednytskyi
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
Mykhailo Antonishyn
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
azida3
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
Eric Smalling
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
Stefan Streichsbier
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
QADay
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
SmartBear
 

Similar to Agile software security assurance (20)

Devops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLCDevops security-An Insight into Secure-SDLC
Devops security-An Insight into Secure-SDLC
 
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael DenipottiSecure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
Secure Agile SDLC BSides 14 - 2017 - Raphael Denipotti
 
Agile and Secure Development
Agile and Secure DevelopmentAgile and Secure Development
Agile and Secure Development
 
Digital Product Security
Digital Product SecurityDigital Product Security
Digital Product Security
 
ALM and DevOps in the health industry
ALM and DevOps in the health industryALM and DevOps in the health industry
ALM and DevOps in the health industry
 
Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...Agile Secure Software Development in a Large Software Development Organisatio...
Agile Secure Software Development in a Large Software Development Organisatio...
 
Security Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLCSecurity Checkpoints in Agile SDLC
Security Checkpoints in Agile SDLC
 
Perforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and MovePerforce on Tour 2015 - Grab Testing By the Horns and Move
Perforce on Tour 2015 - Grab Testing By the Horns and Move
 
Introduction of Secure Software Development Lifecycle
Introduction of Secure Software Development LifecycleIntroduction of Secure Software Development Lifecycle
Introduction of Secure Software Development Lifecycle
 
Shift Left continous Testing.pptx
Shift Left continous Testing.pptxShift Left continous Testing.pptx
Shift Left continous Testing.pptx
 
Agile security
Agile securityAgile security
Agile security
 
Matthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security ToolboxMatthew Coles - Izar Tarandach - Security Toolbox
Matthew Coles - Izar Tarandach - Security Toolbox
 
A New Security Management Approach for Agile Environments
A New Security Management Approach for Agile EnvironmentsA New Security Management Approach for Agile Environments
A New Security Management Approach for Agile Environments
 
Building better product security
Building better product securityBuilding better product security
Building better product security
 
Secure SDLC in mobile software development.
Secure SDLC in mobile software development.Secure SDLC in mobile software development.
Secure SDLC in mobile software development.
 
3830100.ppt
3830100.ppt3830100.ppt
3830100.ppt
 
AWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWSAWS live hack: Atlassian + Snyk OSS on AWS
AWS live hack: Atlassian + Snyk OSS on AWS
 
Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016Application Security in an Agile World - Agile Singapore 2016
Application Security in an Agile World - Agile Singapore 2016
 
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
ОЛЬГА АКСЬОНЕНКО «Безпечна розробка програмного забезпечення в Agile проектах...
 
Building an API Security Strategy
Building an API Security StrategyBuilding an API Security Strategy
Building an API Security Strategy
 

Recently uploaded

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
Neo4j
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
DianaGray10
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
Neo4j
 

Recently uploaded (20)

How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...
 
UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5UiPath Test Automation using UiPath Test Suite series, part 5
UiPath Test Automation using UiPath Test Suite series, part 5
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...
 

Agile software security assurance

  • 1. Agile software security assurance NCC Group Technical Security Consulting Ollie Whitehouse, Technical Director
  • 2. Agenda Recap on Waterfall Introduction to Agile Software Security Assurance Solutions and Examples
  • 5. Agile Security Challenges Shallow documentation Shorter windows Tighter schedules Security requirements as stories or tasks but should be across all stories
  • 6. Agile Security Positives Shorter feedback loops Incremental changes Security as a definition of done for stories Integration, build & deployment agility aiding incident response
  • 8. Agile Software Security Assurance During the test & QA phase the manual security expertise required should be minimal
  • 9. Agile Software Security Assurance Software security training Product owners Architects Developers QA Leads Devops / Integration
  • 10. Agile Software Security Assurance Agree security / privacy requirements Create / agree quality gates Risk management Requirements / Story Development
  • 11. Agile Software Security Assurance Agree security & privacy design requirements Perform attack surface analysis / reduction Threat modelling Design
  • 12. Agile Software Security Assurance Local static code analysis Positive / negative unit and functional Test case development At point of commit: Manual code security focused code review Static code analysis Dynamic analysis / testing Complexity analysis / quality Implementation
  • 13. Agile Software Security Assurance Security artefact review (SAST, DAST & manual) Automated negative test cases (fuzzing) Security focused new feature final verification Test / QA
  • 14. Agile Software Security Assurance Licensed code security Open source component security Platform security Sustainment
  • 15. Agile Software Security Assurance Models … post requirements and design phases Manual resources (security QA as is done today) Tooling (SAST / DAST) Tooling + automation and/or manual resources Tooling + automation + manual resources
  • 16. Agile Software Security Assurance Example Pre-commit: IDE based static code analysis On commit: static code analysis, code quality and complexity measurement Post build: dynamic analysis, regression suite, fuzzing End of sprint: manual code analysis and manual assessment … using CI for a web app
  • 17. Conclusions Security investment throughout in agile is a path to success: - to make a natural part of the process - to ensure coverage - to ensure minimal surprises Where not possible and it has to happen at test/QA then: - good feature documentation - code deltas - focused sprints - product knowledge
  • 18. Europe Manchester - Head Office Cheltenham Edinburgh Leatherhead London Milton Keynes Amsterdam Copenhagen Munich Zurich North America Atlanta Austin Chicago Mountain View New York San Francisco Seattle Australia Sydney