Matt Bartoldus
matt@gdssecurity.com

Are Agile and Secure Development Mutually Exclusive?
Source Barcelona
November 2011

©2011 Gotham Digital Science, Ltd
Introduction



o Me
o Who Are You?
      –   Assessment (Penetration Tester; Security Auditors)
      –   Developer
      –   IT Architect
      –   Management
      –   Academia
      –   Consultant (2 or more above)
      –   Here because someone told you that you now have to do
          security



                              2
Agenda


   ‘Traditional’ Project Method
   Agile Project Method
   Agile Conditions and Culture
   Project Managers and Objectives
   QA and Agile Testing
   Frameworks and Agile
   Security in Agile Development
   Waterfall vs Agile
   Real World Examples
   Are Agile and Secure Development Mutually Exclusive?


                             3
‘Traditional’ Project Method


 Tasks are completed stage by stage, in a linear sequence;
 Each stage is assigned to a different team;
 Requires a significant part of the project to be planned up front;
 Once a phase is complete, it is assumed that it will not be revisited;
 Lays out the steps for development teams;
 Stresses the importance of requirements.




                             4
‘Traditional’ Waterfall




e.g. PRINCE2




                            5
Manifesto for Agile Software Development



Signatories in 2001 (following a decade of Agile methodology practices):
              We are uncovering better ways of developing
              software by doing it and helping others do it.
               Through this work we have come to value:
   Individuals and interactions   over    processes and tools
   Working software                over    comprehensive documentation
   Customer collaboration          over    contract negotiation
   Responding to change            over    following a plan
              That is, while there is value in the items on
             the right, we value the items on the left more


                                                      Source: www.agilemanifesto.org

                                     6
Agile Method


 Working in cycles, e.g. a week, a month, etc.;
 Project priorities are re-evaluated at the end of each cycle;
 Aims to cut down the big picture into puzzle-size bits, fitting them together when the time is right;
 Agile methods benefit small teams with constantly changing requirements more than they benefit larger projects.




                              7
Agile Method




               8
Conditions for Agile


 Project value is clear

 Customer actively participates throughout the project

 Customer, designers, and developers are located
  together

 Incremental feature-driven development is possible
  (focus on one feature at a time)



                              9
Culture of Organisation and How It Affects Agile



Unhelpful characteristics            Helpful characteristics

   Top-Down                        Holistic
   Command and Control             Systems thinking
   Hierarchical                    Delegated
   Micromanaged                    Macromanaged




                            10
Not my job




             11
PM - Define Security Objectives


 Understand current threats and risks
    – As well as control objectives and controls
   Know security drivers
   Understand Resources (skills needed)
   Have defined requirements
   Have a Plan




                                    12
PM - Align with IT

 Objectives
   – Ensure security objectives for the project align with those of IT and the organisation as a whole.
     •   Beyond the project
     •   Quality
     •   Compliance
     •   Availability
     •   KPIs

 Handover
   – Who will own the project solution?
     •   Accountability
   – How will it be supported?
     •   Maintenance
   – Who is responsible for security and compliance to policy?
     •   Security Operations and Monitoring
     •   Compliance




                                    13
PM - Align with IT



 Embed Security skills within IT
  – Development = secure code skills
  – Architecture = security technology and architecture skills
  – Communications (Networks) = network and infrastructure security skills
  – Support = security training and awareness, security operations and
    monitoring
  – Quality = security testers, auditors

 Develop working relationships with IT
  management and help them understand security
  objectives aligned with theirs.


                                    14
PM Objective - Quality

 What is Quality?
   – Subjective
   – Depends on context

 ISO 9001: "Degree to which a set of inherent characteristics fulfills requirements."
 Six Sigma: "Number of defects per million opportunities."

 Quality Assurance: prevention of defects
 Quality Control: detection of defects



                                     15
The role for QA


 Traditional
   – Testing performed at end of waterfall process
   – Document centric: specifications and test plans
   – Developer-QA interaction: throw over wall

 Agile
   – Testing activity at all stages of the development lifecycle
   – Face to face interactions matter more than documents
        • Testers talk to developers
   – QA is essential for a complete Agile process (by-passing the QA
      team is high risk)



                                   16
Agile Testing


 Requirements documents give way to stories tied with
  User Acceptance Tests




 Specifications give way to prototypes, mock ups,
  examples
   – but some documents are necessary
 QA and testers are part of Agile team, interact with
  developers, end users, and customer


                              17
How much automated testing?

[Diagram: two test pyramids, labelled ‘Ideal’ and ‘Typical’, each made up of the layers UI (end-to-end), Service and Unit]

 UI: what is meant here is testing the whole application through the UI layer; when such a test fails it becomes difficult to tell where the problem is


                                         18
Security within a Generic Waterfall Project
Secure Development Lifecycle

[Diagram: secure development activities overlaid on the phases of a generic waterfall project. The content below is recovered from the slide layout; the assignment of each activity to a phase follows its column position and is approximate.]

Development Process (High Level)
   Initiate:   Business Requirements
   Plan:       Functional Requirements; Non-Functional Requirements
   Design:     End to End Design
   Develop:    Build
   Test:       QA
   Release:    Pre / Post Production

Secure Development
   Initiate:   High Level Risk Assessment
   Plan:       Security Requirements Review
   Design:     Threat Modelling; Abuse Cases; Security Architecture Review
   Develop:    Source Code Review; Checklist Review - Code
   Test:       Penetration Testing; Checklist Review – Infosec Criteria
   Test / Release: Security Metrics and Reporting

Supporting Processes
   Risk Assessment, Metrics and Reporting
   Training and Education (Awareness, Process, Technical)
   Project Governance and Change Management
   Defect Management
   Project Close Down (Release)

Supporting Documents
   Plan:       Corporate Infosec Policies
   Design:     Infosec Standards
   Develop:    Development Standards and Guidelines
   Release:    Acceptance Criteria

                                                  19
Agile Lifecycle: what happens before first Sprint

[Diagram: timeline of the stages before the first sprint, running from left to right; recovered content below]

   Project Idea:        Is this worthwhile? Is this feasible?
   Project Inception:   Issues, risks, opportunities, marketing, green/red light
   Project Setup:       Requirements gathering, team, infrastructure
   Sprint 0:            1st architecture iteration; high view design
   Sprint 1, Sprint 2, … Sprint N:   Sprint or Iteration

                                                       20
Benefits of a Framework Approach



 Primary Benefit
  – A way to link the inherent threats and risks of
    applications and underlying infrastructure to those
    facing the organisation as a whole.




    That’s business speak for ‘get all of the super techies and business
    types on the same page’




                                          21
Microsoft Security Development Lifecycle


 Software development processes designed to improve
  the security of the software
   – Reaction to negative security reputation in the early 2000s
   – Three core concepts: education, continuous process improvement, and accountability.




                                   22
Software Assurance Security Model

o An OWASP Project
o Open framework to help organizations formulate and implement a strategy
  for software security.




                                     23
Microsoft SDL for Agile

   Security practices
     – Every-Sprint practices: Essential security practices that should be performed
        in every release.
           • Threat Assessment
           • Code Review
           • Design Review
     – Bucket practices: Important security practices that must be completed on a
        regular basis but can be spread across multiple sprints during the project
        lifetime.
           • Dynamic Security testing
           • Fuzz Testing (mis-use)
     – One-Time practices: Foundational security practices that must be established
        once at the start of every new Agile project.
           • Risk Assessment
           • Define Requirements
           • Incident Response




                                           24
Security within Agile Development

Focus:
• Coding guidelines/standards/secure design patterns
• Continuous Testing




                                      25
Security within a Development Project
Secure Development Lifecycle

[Diagram: the same Secure Development Lifecycle overlay as on the ‘Security within a Generic Waterfall Project’ slide, repeated here: the Development Process phases Initiate, Plan, Design, Develop, Test and Release, with the Secure Development activities (High Level Risk Assessment, Security Requirements Review, Threat Modelling, Abuse Cases, Security Architecture Review, Source Code Review, Checklist Review - Code, Penetration Testing, Checklist Review – Infosec Criteria, Security Metrics and Reporting), the Supporting Processes (Risk Assessment, Metrics and Reporting; Training and Education; Project Governance and Change Management; Defect Management; Project Close Down) and the Supporting Documents (Corporate Infosec Policies; Infosec Standards; Development Standards and Guidelines; Acceptance Criteria).]

                                                  26
Methods Compared (Security Perspective)

                         Waterfall                                  Agile
Timing of Activities     Defined in distinct project phases         Iterative, in line with project lifecycle phases
                         Focus towards end of project /             Focus on continuous testing throughout project
                         pre-release
Security Skills          Specialty skills primarily in              Broader range of security and software
Integration              information security                       development skills
                         Brought in as needed                       Embedded within project teams
                         Interaction as needed                      Frequent interaction / involvement
Security Testing         Specific security testing                  Hybrid security testing
                         Periodic                                   Continuous
                         More towards end of project                Steady level of testing activity throughout project




                                                   27
Threat Assessment


• Structured process to identify, categorise and document application-level risks;

• Provides important input into subsequent phases of the SDLC, such as the formulation of application security requirements, the generation of abuse cases, targeted code review and, most importantly, the design of compensating controls to protect against specific threats.




                            28
Example – Threat Assessment

      Mobile Device Customer Banking Application




Performed a threat assessment of the proposed solution
   • Assessed use cases and scenarios (story boards)
– Results led to the following:
      •   Understanding of the primary threats
      •   Derivation of the primary security objectives
      •   Validated security requirements
      •   Security considerations for the solution design prior to and while coding



                                29
Example – Integrated Code Review

         Financial Transaction Processing Application



 Provided security code review capabilities to project teams
   – Integrated security code review capabilities within the development infrastructure
      • On developer desktops
      • Within the build environment
   – Results led to the following:
      • Increased awareness of security within teams
      • Ability to perform continuous testing
      • Emergence of ‘secure code libraries’


                                   30
Are Agile and Secure Development Mutually Exclusive?




                          31
Summary of security vulnerabilities, and how Agile can help:

    Code weaknesses
      – Code standards: these can be tested using security unit tests
    Architecture/Design weaknesses
      – Agile iterations revisit the design every iteration; raise security as a first-class consideration
    Social engineering / cognitive hacking
      – Run an Agile security sprint to simulate scenarios and identify weak spots
    Lack of motivation to implement security
      – Agile collaboration can raise the security profile: it may not be seen to add value to an application, but it lowers the customer’s risk (fear)
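What "code standards tested with security unit tests" looks like in practice, and how the same check can run on developer desktops and in the build environment as in the integrated code review example above. This is an added illustration, not code from the talk or from Gotham Digital Science: a small AST-based check that enforces an assumed, illustrative coding standard (the BANNED_CALLS list and the shell=True rule are the assumption), wrapped in an ordinary unittest case so a violation fails the build like any other failing test. The two source snippets it scans are constructed for the example.

```python
"""Security unit test that enforces a coding standard with Python's ast module.
Added example, not code from the presentation; the banned-call list is an
assumed standard chosen for illustration."""
from __future__ import annotations

import ast
import unittest

# Assumed coding standard: calls the team has decided must not appear in
# application code, with the reason recorded so the failure message explains
# itself to whoever sees it, on their desktop or in CI.
BANNED_CALLS = {
    "eval": "dynamic code evaluation; use ast.literal_eval or explicit parsing",
    "exec": "dynamic code execution",
    "pickle.loads": "deserialising untrusted bytes; use a data-only format such as JSON",
    "yaml.load": "unsafe YAML loading; use yaml.safe_load",
    "hashlib.md5": "weak hash; use hashlib.sha256 or a password hashing function",
}


def _call_name(node: ast.Call) -> str | None:
    """Return 'name' or 'module.attr' for a call node, else None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        return f"{func.value.id}.{func.attr}"
    return None


def _shell_true(node: ast.Call) -> bool:
    """True when a subprocess.* call passes shell=True (command injection risk)."""
    name = _call_name(node) or ""
    if not name.startswith("subprocess."):
        return False
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def find_violations(source: str) -> list[tuple[int, str]]:
    """Scan one Python source text; return (line, message) for each violation."""
    violations = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in BANNED_CALLS:
            violations.append((node.lineno, f"{name}: {BANNED_CALLS[name]}"))
        elif _shell_true(node):
            violations.append(
                (node.lineno, f"{name}: shell=True builds a shell command from data; pass an argument list")
            )
    return sorted(violations)


# Constructed sample "application code" for the test; not real project code.
RISKY_SOURCE = """\
import hashlib, subprocess, pickle

def checksum(data):
    return hashlib.md5(data).hexdigest()

def run(cmd):
    subprocess.run(cmd, shell=True)

def load(blob):
    return pickle.loads(blob)
"""

CLEAN_SOURCE = """\
import hashlib, subprocess, json

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def run(args):
    subprocess.run(args)

def load(text):
    return json.loads(text)
"""


class CodingStandardTest(unittest.TestCase):
    """Fails the build when the standard is violated, like any other unit test."""

    def test_clean_code_passes(self):
        self.assertEqual(find_violations(CLEAN_SOURCE), [])

    def test_risky_code_is_reported(self):
        found = find_violations(RISKY_SOURCE)
        self.assertEqual([line for line, _ in found], [4, 7, 10])


if __name__ == "__main__":
    unittest.main()
```

Pointing `find_violations` at the files in a repository (a few lines of `pathlib` globbing in the test) turns it into the continuous check the slides describe: the same test runs unchanged from a developer's IDE and from the build server, and the message attached to each banned call is the piece of the coding standard the developer needs at that moment.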




                                            32
Methods Compared (Security Perspective)

                         Waterfall                                  Agile
Timing of Activities     Defined in distinct project phases         Iterative, in line with project lifecycle phases
                         Focus towards end of project /             Focus on continuous testing throughout project
                         pre-release
Security Skills          Specialty skills primarily in              Broader range of security and software
Integration              information security                       development skills
                         Brought in as needed                       Embedded within project teams
                         Interaction as needed                      Frequent interaction / involvement
Security Testing         Specific security testing                  Hybrid security testing
                         Periodic                                   Continuous
                         More towards end of project /              Steady level of testing activity throughout project
                         pre-release




                                                   33
Conclusions

 Agile Management processes complement GRC objectives:
   – Continuous auditing and controls monitoring
 Like any processes, success is dependent on a number of factors:
   – People (Skills)
   – Metrics
   – Defined Clear Objectives
   – Clear Requirements
 Stronger Emphasis on coding guidelines/standards/secure design
  patterns




                                  34

Introduction to Agile
 
Skyward Erp Presentation
Skyward Erp PresentationSkyward Erp Presentation
Skyward Erp Presentation
 
5 Quality
5 Quality5 Quality
5 Quality
 
Software Engineering The Multiview Approach And Wisdm
Software Engineering   The Multiview Approach And WisdmSoftware Engineering   The Multiview Approach And Wisdm
Software Engineering The Multiview Approach And Wisdm
 
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOpsDevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
DevSecOps Indonesia : Pain & Pleasure of doing AppSec in DevOps
 
Succeeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps finalSucceeding-Marriage-Cybersecurity-DevOps final
Succeeding-Marriage-Cybersecurity-DevOps final
 
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
A Warrior's Journey: Building a Global AppSec Program - OWASP Global AppSec 2020
 
Security's DevOps Transformation
Security's DevOps TransformationSecurity's DevOps Transformation
Security's DevOps Transformation
 
Top 7 Myths of Agile Testing - Busted!
Top 7 Myths of Agile Testing - Busted!Top 7 Myths of Agile Testing - Busted!
Top 7 Myths of Agile Testing - Busted!
 
Pivotal Overview: Canadian Team
Pivotal Overview: Canadian TeamPivotal Overview: Canadian Team
Pivotal Overview: Canadian Team
 
Agile Product Management
Agile Product ManagementAgile Product Management
Agile Product Management
 
Agile- To Infinity and Beyond
Agile- To Infinity and BeyondAgile- To Infinity and Beyond
Agile- To Infinity and Beyond
 
From Waterfall to Agile - from predictive to adaptive methods
From Waterfall to Agile - from predictive to adaptive methodsFrom Waterfall to Agile - from predictive to adaptive methods
From Waterfall to Agile - from predictive to adaptive methods
 
Scrum Portugal Meeting 1 Lisbon - ALM
Scrum Portugal Meeting 1 Lisbon - ALMScrum Portugal Meeting 1 Lisbon - ALM
Scrum Portugal Meeting 1 Lisbon - ALM
 
Application Lifecycle Management (ALM), by Marco Silva
Application Lifecycle Management (ALM), by Marco SilvaApplication Lifecycle Management (ALM), by Marco Silva
Application Lifecycle Management (ALM), by Marco Silva
 
Agile Requirements by Agile Analysts
Agile Requirements by Agile AnalystsAgile Requirements by Agile Analysts
Agile Requirements by Agile Analysts
 

More from Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary plantingSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 

More from Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and Bobs
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Advanced (persistent) binary planting
Advanced (persistent) binary plantingAdvanced (persistent) binary planting
Advanced (persistent) binary planting
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 

Recently uploaded

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 

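The deck's summary slide says code standards "can be tested using security unit tests", and its integrated code review example describes checks running on developer desktops and in the build. As an added example (not code from the original deck or from Gotham Digital Science), here is one such check in Python: a unit test that fails whenever SQL handed to an execute() call is assembled at runtime instead of being passed as a literal with bind parameters. The set of method names and both sample sources are constructed for the demonstration.

```python
"""Coding standard enforced as a security unit test (Python).

Added example, not from the original slides: a small AST walk that reports
every execute()/executemany() call whose SQL is built at runtime (f-string,
% formatting, concatenation or .format()) rather than passed as a literal
with bind parameters. Such a test can run on a developer desktop or as a
build step. Method names and both sample sources below are constructed.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: methods treated as "runs SQL". Extend this set
# for the database driver or ORM actually in use.
SQL_EXEC_METHODS = {"execute", "executemany"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    reason: str


def _dynamic_sql_reason(node: ast.AST) -> Optional[str]:
    """Return why ``node`` builds a string at runtime, or None if it does not."""
    if isinstance(node, ast.JoinedStr):
        return "f-string used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        return "% formatting used to build SQL"
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        return "string concatenation used to build SQL"
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return ".format() used to build SQL"
    return None


def find_dynamic_sql(source: str) -> List[Finding]:
    """Report every execute()/executemany() call whose SQL is not a literal.

    A constant string passes, as does a bare name (a query defined once
    elsewhere); anything assembled inline from other values is reported.
    """
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SQL_EXEC_METHODS):
            continue
        reason = _dynamic_sql_reason(node.args[0])
        if reason is not None:
            findings.append(Finding(node.lineno, reason))
    return findings


def sql_standard_holds(source: str) -> bool:
    """The unit-test assertion: True only when the standard is met everywhere."""
    return not find_dynamic_sql(source)


# Constructed sample: four ways of violating the standard in one function.
NON_COMPLIANT = '''
def lookup(cur, user):
    cur.execute("SELECT id FROM users WHERE name = '%s'" % user)
    cur.execute(f"SELECT id FROM users WHERE name = '{user}'")
    cur.execute("SELECT id FROM users WHERE name = '" + user + "'")
    cur.execute("SELECT id FROM users WHERE name = '{}'".format(user))
'''

# Constructed sample: the same lookup written to the standard (bind parameter).
COMPLIANT = '''
def lookup(cur, user):
    cur.execute("SELECT id FROM users WHERE name = %s", (user,))
'''


if __name__ == "__main__":
    # Run the check the way a build step would: print findings, exit non-zero.
    import sys
    for f in find_dynamic_sql(NON_COMPLIANT):
        print(f"line {f.lineno}: {f.reason}")
    sys.exit(0 if sql_standard_holds(COMPLIANT) else 1)
```

Wiring `sql_standard_holds` over the project's own source files into the test suite turns the coding standard into a regression test that runs every sprint rather than a review-time opinion.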