This document discusses principles of innovation and product development. It covers compelling offers that provide 10x improvement, the importance of immediate connection between creators and consumers, considering the adoption chain of all parties needed for success, and validating assumptions through experimentation. Teams are encouraged to observe user needs, question assumptions, network across organizations, and test hypotheses to develop products that deliver meaningful value.
The document discusses the evolution of agile development approaches over time from a contract focus to a development focus and now toward a customer focus. It notes agile has reached an "inflection point" where the focus has shifted from processes to interactions and working software, and now toward customer collaboration and initiating change. The document advocates for approaches like validated learning and customer discovery to ensure development focuses on building the right solution to meet customer needs.
The document describes a case study involving a time-and-materials contract between Dave, a division engineering manager, and XRI, a vendor, to develop a new system with the goal of keeping costs down. Over 18 months, the author and Harold, a senior engineer, work with the XRI development team on a monthly basis. In the end, the system is delivered on time and saves the plant half its costs in the first month, making Harold a hero. The contract approach of frequent delivery, assessment and adjustment of requirements allows the project to be successful despite initial uncertainties.
The document provides guidance on building quality into software development through defect prevention rather than defect removal. It discusses how the best companies aim to freeze code and test within 10% of the release cycle, rather than leaving 30-50% for "hardening". An effective process matches tests to specifications and code, rather than introducing defects first. It also advocates optimizing throughput over utilization by limiting work, leveling the workload, and shortening deployment cycles.
1. Business value engineering (BVE) aims to continuously deliver more business value to customers through incremental improvements. It takes a learning approach focused on understanding customer needs.
2. Agile specifications provide just enough documentation for developers to implement user stories, typically being developed for one or a few user stories at a time. The content is determined by the team and improves over time based on feedback.
3. BVE and agile specifications work together when product owners work with stakeholders to develop specifications in sprints before stories, ensuring developers understand needs while avoiding unnecessary documentation. Continuous feedback improves the process.
Software debt slowly creeps into software assets if left unnoticed and can slow down delivery in ways that seemed faster initially. Fortunately, modern tools, frameworks, and software development approaches help us manage software debt effectively at a reasonable cost to implement. This program will show ways to recognize software debt in five debt areas so that you can start to manage it.
"Lean software development: discovering waste" by Mary Poppendieck, Operae Partners
The document discusses lean principles for software development. It notes that standard lean tools designed for operations may not be appropriate for application development. Lean principles for development focus on building the right thing, building it right, and delivering fast through techniques like designing based on customer needs, reducing waste from extra features and handoffs, embedding quality through testing, and minimizing technical debt.
The document discusses the various roles and responsibilities of a software developer. It outlines the contribution possibilities for developers, such as providing optimal solutions, clarifying requirements gaps, contributing to solution architecture, and creating reusable code assets. It also describes capacity development possibilities, like learning new technologies, contributing to communities of practice, gaining exposure to processes, and developing time management skills. Finally, it maps out several career pathways for developers, including project management, technical leadership, quality assurance, business analysis, and entrepreneurship. The key takeaway is that software developers have many avenues for professional growth beyond just writing code.
The document provides definitions and context around business value engineering. It discusses business value engineering as a learning and incremental improvement approach focused on delivering more value to customers. The document then summarizes different approaches to business value engineering, comparing the more traditional Procter & Gamble approach of extensive customer research and marketing to the experimental approach used by Google of quickly prototyping and testing ideas.
The document discusses agile documentation and how it can coexist with agile principles. It introduces the speaker and their background. Several tips are provided for creating documentation in an agile manner, such as focusing on the minimum needed, documenting decisions, and treating documentation like a backlog item. User stories and acceptance criteria are discussed as important agile requirements techniques. The document advocates for documentation that will actually be used and read.
Learnings from founding a Computer Vision startup: Chapter 8 Software Enginee... by Till Quack
The document discusses 5 key challenges in developing a computer vision startup: quality, time to market, changing requirements, user experience, and efficient teamwork. It recommends using an iterative development process like Scrum to balance these challenges by having short iterations, prioritizing requirements, estimating work, and protecting development teams from interruptions during sprints. Scrum uses backlogs, sprints, planning poker for estimating, and burndown charts to help manage the project in a flexible way that can adapt to changing needs.
Crowdsourcing testing and the mobile revolution have inspired the creation of a new open source test management tool called CaseConductor. Released in beta by uTest and Mozilla, CaseConductor aims to better manage testing performed by globally distributed crowdsourced testers on a variety of mobile applications and platforms. Its goals include facilitating remote collaboration among testers, automating the distribution of test cases, and providing a simple interface.
"The Lean Mindset": Mary & Tom Poppendieck's Keynote at AgileDayChile 2013, ChileAgil
Mary & Tom Poppendieck bring us their analysis of the famous rescue of the 33 Chilean miners through lean glasses, and they propose a Lean Mindset grounded in business and technological success cases around the world.
Learnings from founding a Computer Vision startup: Chapter 10: Competition & ... by Till Quack
The document discusses competition and positioning for computer vision startups. It provides advice on conducting basic competition checks, differentiating your product or service from competitors, and focusing on your own ideas rather than copying others. While large companies like Google may enter the same space, they likely have different goals, business models, and could even become partners rather than direct competitors. Examples are given of companies driving feature parity through new product releases. Overall the document emphasizes starting early when costs are lower, engaging customers, and explaining complex computer vision technologies in an accessible way.
This lecture was given by Mary Poppendieck, Lean software development expert, in the recent AgileTour 2010 (Haifa Israel) which was organized by Ignite and was held on Nov 11 2010 in the Technion, the leading academic institute for technological studies in Israel
Session Description:
Mobile technology and social media are straining the resources of information companies. On top of their regular responsibilities, Editorial is expected to work with a wider range of media types, such as blogs and videos, some of which they have no experience in. Development needs to syndicate content to an array of smartphones and tablets.
This session offers a portfolio approach to creating successful, profitable mobile and social products. It presents frameworks for:
* Evaluating and supplementing existing talent, content and technology,
* Structuring the organization to be responsive and effective,
* Evaluating and funding new business ideas,
* Prioritizing initiatives so that the most promising are not starved of resources and the “moonshots” get a fighting chance, and
* Avoiding the pitfalls that arise from “not knowing what you don’t know.”
Learning Points:
This session will address key questions and provide actionable solutions for effectively building out your content offerings for smartphones, tablets and social media:
1. Budget – Are there funds available to support a mobile initiative? What is the new product development process? What features, functions and content should be included?
2. Organization – Is the current organizational structure conducive to creating mobile offerings?
3. Publishing – Can I use or augment my existing streams or do I need new ones?
4. Talent – Do I have the talent I need? If not, should I hire or outsource or train?
Becoming an Enterprise SaaS Company | DecisionDesk @ TechPint, John Knific
DecisionDesk provides SaaS solutions for streamlining digital admissions processes for higher education institutions. After initial success with online portfolios, they pivoted to focus on larger deals, but struggled with a massive implementation that required rewriting their product. They learned that discovery is cheaper than late discovery, experience is better than being scrappy, and to focus on either SMB or enterprise markets, not both. They now have a process of specialized roles to properly execute large deals and target the right decision makers to avoid getting bogged down in price negotiations.
The document describes a framework called PLOT that was used by an innovation group to deliver quick win solutions and bring sustained results. PLOT stands for Problem, Leak, Opportunity, and Technology. It involves identifying problems, leaks in existing processes, opportunities to solve issues, and implementing technological solutions. A case study is provided of a solution called "Sprite" that was developed using this framework to improve customer satisfaction for a client.
Solution Design - The Hidden Side of UX (for Product Managers), Above the Fold
User Experience is not just about the user interface, it's about understanding customer needs and creating a solution that addresses their needs. Software product managers have a huge, and often understated role, in the creation of a great user experience for customers. At the heart of User Experience is the ability to creatively solve customer problems, which is a key responsibility of a product manager.
Solution Design - The Hidden Side of UX (for Product Managers), Joe Baz
User Experience is not just about the user interface, it's about understanding customer needs and creating a solution that addresses their needs. Software product managers have a huge, and often understated role, in the creation of a great user experience for customers. At the heart of User Experience is the ability to creatively solve customer problems, which is a key responsibility of a product manager.
The document discusses seven principles of lean software development:
1. Eliminate waste - Anything that doesn't add value to the product is considered waste. Tools are used to identify and reduce waste.
2. Amplify learning - Software development relies on learning through short feedback loops. Tools like frequent testing and prototyping are used to increase feedback.
3. Decide as late as possible - High stakes decisions are deferred until necessary to increase flexibility. Options thinking and asynchronous development help with this.
This document provides tips for thinking like a product manager. It recommends getting a notepad, finding a quiet place, and focusing on one idea at a time. It suggests thinking from different perspectives like a CEO and applying questioning and labeling techniques. The document lists leadership books and a YouTube video on leadership. It suggests having diverse knowledge aids thinking. Practical tips include asking "why?" constantly, treating life like a project, and making up new products. An exercise asks how to address an 80% drop in a key metric for a streaming service. The document provides guidance on analyzing the issue and potential solutions.
Walk, Don't Run: Incremental Change in Enterprise UX, uxpin
You'll learn:
- A realistic approach to product improvement in large enterprises
- How to create and execute a pilot program for overcoming “product stagnation”
- How to scale the program to a growth team dedicated to improving existing products
This document discusses a proven system of creativity techniques called Structured Innovation Techniques (SIT) for achieving breakthrough innovation results. It provides discussion questions for practitioners to apply the techniques, including questions about how specific organizations have used subtraction, division, multiplication, task unification and attribute dependency to develop new products and services. The document explores how overcoming barriers like fixedness and addressing contradictions can lead to innovative solutions.
Nicholas Hoffmeyer - Adobe Systems - BL_S2_2016, Nick Hoffmeyer
Adobe Systems successfully transformed its business model from desktop software licenses to cloud-based subscriptions under CEO Shantanu Narayen. Facing challenges like slowing growth and high piracy rates, Narayen shifted Adobe's focus to the entire creative content value chain and cloud subscriptions. This transition was difficult but enabled faster innovation, recurring revenues, and access to new customers. Through acquisitions, restructuring, and convincing employees of the vision, Narayen completed the transformation in just three years, propelling Adobe's growth and market position.
This presentation covers key aspects of Dual Track Agile and provides real-world examples and case studies. It also gives some background on the Discovery and Framing framework and is meant for practitioners who have been using Lean-Agile methodology for at least a year.
While the slides do not describe UCD (User-Centered Design), Pair Programming, TDD (Test Driven Development), or DDD (Domain Driven Development), these concepts are assumed in the approach. That's how VMware Pivotal builds great products.
The approach described here is only ideal for Lean-Agile methodology.
This document provides an outline for presenting an innovation project in 10 slides. It includes sections for introducing the team and problem, describing the solution and innovation, analyzing the market opportunity and competitive landscape, presenting the business model and technology, and introducing the team members. The goal is to concisely explain the key details of the project in each section to effectively pitch the idea to investors.
The document provides an agenda for a workshop on agile and scrum topics, including introductions, exercises on the role of the product owner and team formation, discussions on invention versus innovation and product failures, and ceremonies in scrum. The workshop aims to help participants understand key agile concepts and share experiences in agile roles through interactive exercises and discussions.
This document provides guidance on conducting user experience (UX) work for a client project. It outlines the key initial steps as:
1. Conducting a client interview to understand goals, priorities, target users, and requirements.
2. Performing requirement gathering to define the target audience, design aesthetics, technology constraints, and business needs.
3. Conducting task analysis to identify the primary and secondary user tasks, as well as support needs like FAQs.
4. Determining the functional allocation of machine resources, backend functionality, automated and manual tasks.
It then provides instructions for a class exercise where students interview each other as clients and designers. Homework involves creating a creative brief and
Moving from an idea to a Minimum Viable Product
A quick introduction to the notion of the MVP: what a Minimum Viable Product is, why you need it, and why it is a critical success factor for startups
How to move from a problem to a properly-defined MVP - steps, activity and best practices to follow
the book: https://www.theinnovationmode.com/
The document discusses agile documentation and how it can coexist with agile principles. It introduces the speaker and their background. Several tips are provided for creating documentation in an agile manner, such as focusing on the minimum needed, documenting decisions, and treating documentation like a backlog item. User stories and acceptance criteria are discussed as important agile requirements techniques. The document advocates for documentation that will actually be used and read.
Learnings from founding a Computer Vision startup: Chapter 8 Software Enginee...Till Quack
The document discusses 5 key challenges in developing a computer vision startup: quality, time to market, changing requirements, user experience, and efficient teamwork. It recommends using an iterative development process like Scrum to balance these challenges by having short iterations, prioritizing requirements, estimating work, and protecting development teams from interruptions during sprints. Scrum uses backlogs, sprints, planning poker for estimating, and burndown charts to help manage the project in a flexible way that can adapt to changing needs.
Crowdsourcing testing and the mobile revolution have inspired the creation of a new open source test management tool called CaseConductor. Released in beta by uTest and Mozilla, CaseConductor aims to better manage testing performed by globally distributed crowdsourced testers on a variety of mobile applications and platforms. Its goals include facilitating remote collaboration among testers, automating the distribution of test cases, and providing a simple interface.
"The Lean Mindset": Mary & Tom Poppendieck's Keynote at AgileDayChile 2013ChileAgil
Mary & Tom Poppendieck bring to us their analysis of the famouse rescue of the 33 chilean miners through lean glasses, and they propose a Lean Mindset grounded in business & technological success cases around the world.
Learnings from founding a Computer Vision startup: Chapter 10: Competition & ...Till Quack
The document discusses competition and positioning for computer vision startups. It provides advice on conducting basic competition checks, differentiating your product or service from competitors, and focusing on your own ideas rather than copying others. While large companies like Google may enter the same space, they likely have different goals, business models, and could even become partners rather than direct competitors. Examples are given of companies driving feature parity through new product releases. Overall the document emphasizes starting early when costs are lower, engaging customers, and explaining complex computer vision technologies in an accessible way.
This lecture was given by Mary Poppendieck, Lean software development expert, in the recent AgileTour 2010 (Haifa Israel) which was organized by Ignite and was held on Nov 11 2010 in the Technion, the leading academic institute for technological studies in Israel
Session Description:
Mobile technology and social media are straining the resources of information companies. On top of their regular responsibilities, Editorial is expected to work with a wider range of media types, such as blogs and videos, some of which they have no experience in. Development needs to syndicate content to an array of smartphones and tablets.
This session offers a portfolio approach to creating successful, profitable mobile and social products. It presents frameworks for:
*Evaluating and supplementing existing talent, content and technology,
*Structuring the organization to be responsive and effective,
*Evaluating and funding new business ideas,
*Prioritizing initiatives so that the most promising are not starved of resources and the “”moonshots”" get a fighting chance, and
*Avoiding the pitfalls that arise from “”not knowing what you don’t know.”"
Learning Points:
This session will address key questions and provide actionable solutions for effectively building out your content offerings for smartphones, tablets and social media:
1. Budget – Are there funds available to support a mobile initiative? What is the new product development process? What features, functions and content should be included?
2. Organization – Is the current organizational structure conducive to creating mobile offerings?
3. Publishing – Can I use or augment my existing streams or do I need new ones?
4. Talent – Do I have the talent I need? If not, should I hire or outsource or train?
Becoming an Enterprise SaaS Company | DecisionDesk @ TechPintJohn Knific
DecisionDesk provides SaaS solutions for streamlining digital admissions processes for higher education institutions. After initial success with online portfolios, they pivoted to focus on larger deals, but struggled with a massive implementation that required rewriting their product. They learned that discovery is cheaper than late discovery, experience is better than being scrappy, and to focus on either SMB or enterprise markets, not both. They now have a process of specialized roles to properly execute large deals and target the right decision makers to avoid getting bogged down in price negotiations.
The document describes a framework called PLOT that was used by an innovation group to deliver quick win solutions and bring sustained results. PLOT stands for Problem, Leak, Opportunity, and Technology. It involves identifying problems, leaks in existing processes, opportunities to solve issues, and implementing technological solutions. A case study is provided of a solution called "Sprite" that was developed using this framework to improve customer satisfaction for a client.
Solution Design - The Hidden Side of UX (for Product Managers)Above the Fold
User Experience is not just about the user interface, it's about understanding customer needs and creating a solution that addresses their needs. Software product managers have a huge, and often understated role, in the creation of a great user experience for customers. At the heart of User Experience is the ability to creatively solve customer problems, which is a key responsibility of a product manager.
Solution Design - The Hidden Side of UX (for Product Managers)Joe Baz
User Experience is not just about the user interface, it's about understanding customer needs and creating a solution that addresses their needs. Software product managers have a huge, and often understated role, in the creation of a great user experience for customers. At the heart of User Experience is the ability to creatively solve customer problems, which is a key responsibility of a product manager.
The document discusses seven principles of lean software development:
1. Eliminate waste - Anything that doesn't add value to the product is considered waste. Tools are used to identify and reduce waste.
2. Amplify learning - Software development relies on learning through short feedback loops. Tools like frequent testing and prototyping are used to increase feedback.
3. Decide as late as possible - High stakes decisions are deferred until necessary to increase flexibility. Options thinking and asynchronous development help with this.
This document provides tips for thinking like a product manager. It recommends getting a notepad, finding a quiet place, and focusing on one idea at a time. It suggests thinking from different perspectives like a CEO and applying questioning and labeling techniques. The document lists leadership books and a YouTube video on leadership. It suggests having diverse knowledge aids thinking. Practical tips include asking "why?" constantly, treating life like a project, and making up new products. An exercise asks how to address an 80% drop in a key metric for a streaming service. The document provides guidance on analyzing the issue and potential solutions.
Walk, Don't Run: Incremental Change in Enterprise UXuxpin
You'll learn:
- A realistic approach to product improvement in large enterprises
- How to create and execute a pilot program for overcoming “product stagnation”
- How to scale the program to a growth team dedicated to improving existing products
This document discusses a proven system of creativity techniques called Structured Innovation Techniques (SIT) for achieving breakthrough innovation results. It provides discussion questions for practitioners to apply the techniques, including questions about how specific organizations have used subtraction, division, multiplication, task unification and attribute dependency to develop new products and services. The document explores how overcoming barriers like fixedness and addressing contradictions can lead to innovative solutions.
Nicholas Hoffmeyer - Adobe Systems - BL_S2_2016Nick Hoffmeyer
Adobe Systems successfully transformed its business model from desktop software licenses to cloud-based subscriptions under CEO Shantanu Narayen. Facing challenges like slowing growth and high piracy rates, Narayen shifted Adobe's focus to the entire creative content value chain and cloud subscriptions. This transition was difficult but enabled faster innovation, recurring revenues, and access to new customers. Through acquisitions, restructuring, and convincing employees of the vision, Narayen completed the transformation in just three years, propelling Adobe's growth and market position.
This presentation covers key aspects of Dual Track Agile and provides real-world examples and case studies. It also gives some background on the Discovery and Framing framework and is meant for practitioners who have been using Lean-Agile methodology for at least a year.
While the slides do not describe UCD (User-Centered Design), Pair Programming, TDD (Test Driven Development), or DDD (Domain Driven Development), these concepts are assumed in the approach. That's how VMware Pivotal builds great products.
The approach described here is only ideal for Lean-Agile methodology.
This document provides an outline for presenting an innovation project in 10 slides. It includes sections for introducing the team and problem, describing the solution and innovation, analyzing the market opportunity and competitive landscape, presenting the business model and technology, and introducing the team members. The goal is to concisely explain the key details of the project in each section to effectively pitch the idea to investors.
The document provides an agenda for a workshop on agile and scrum topics, including introductions, exercises on the role of the product owner and team formation, discussions on invention versus innovation and product failures, and ceremonies in scrum. The workshop aims to help participants understand key agile concepts and share experiences in agile roles through interactive exercises and discussions.
This document provides guidance on conducting user experience (UX) work for a client project. It outlines the key initial steps as:
1. Conducting a client interview to understand goals, priorities, target users, and requirements.
2. Performing requirement gathering to define the target audience, design aesthetics, technology constraints, and business needs.
3. Conducting task analysis to identify the primary and secondary user tasks, as well as support needs like FAQs.
4. Determining the functional allocation of machine resources, backend functionality, automated and manual tasks.
It then provides instructions for a class exercise where students interview each other as clients and designers. Homework involves creating a creative brief and
Moving from an idea to a Minimum Viable Product
A quick introduction to the notion of the MVP: what a Minimum Viable Product is, why you need one, and why it is a critical success factor for startups.
How to move from a problem to a properly defined MVP: steps, activities and best practices to follow.
The book: https://www.theinnovationmode.com/
This document provides an overview of the design firm IDEO and discusses a case where they were asked to design a new handheld computer called the Visor for Handspring on an accelerated 10 month timeline. This would require IDEO to cut many of their early development stages focused on user research and prototyping. The document outlines the alternatives available to IDEO, including not accepting the project, only accepting if more time is given, or negotiating for more time while still accepting. It suggests the possible solution of requesting more time for proper market research and development to create a high quality product, or engaging in what research they can before design if time cannot be extended.
MARKETING STRATEGIES OF BRANDING APPLE INC (Vivek Mahajan)
This document provides a literature review on Apple Inc.'s branding strategies and the benefits of branding. It discusses Apple's brand personality as focusing on emotions, lifestyle, innovation and simplicity. Branding helps Apple differentiate itself from competitors and builds brand awareness, equity and loyalty. Some key benefits of Apple's branding include emotional appeal of its product names, memorability of its logo, ability to charge premium prices, potential for new product extensions, and lower marketing expenses over time. The literature review provides context on branding and how Apple has effectively utilized branding strategies.
This document provides an overview of the CS207 course on software economics taught by Professor Gio Wiederhold. The course will cover topics related to valuing software, including open source software, principles of valuation, intellectual property, and business models. It lists the main topics to be covered in the 12 lectures. The class meets weekly on Fridays and involves a short written report. Slides and materials from past years are available online. The goal of the course is to help students understand how to maximize the economic benefits of software.
Web security: everything we know is wrong, by Eoin Keary (drewz lin)
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
This document summarizes a presentation about the mobile security Linux distribution Santoku Linux. It discusses how Santoku Linux was created by modifying Lubuntu to include mobile forensic and security tools from the company viaForensics. Some key tools discussed include AFLogical OSE for Android logical acquisitions, iPhone Backup Analyzer, and utilities for analyzing mobile malware samples. Real-world examples of analyzing the Any.DO task manager app and Korean banking malware are also provided.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
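The idea of running untrusted code in an isolated scope defined by policy, without touching the browser, can be shown in plain JavaScript. The block below is an added example and is not code from the sandbox paper summarised above: every free identifier in the untrusted source is resolved through a Proxy, so the code can only reach the API objects the policy exposes. The function and parameter names are the example's own.

```javascript
// Added example (not the paper's code): policy-mediated execution of untrusted
// JavaScript using a `with` scope backed by a Proxy. Names are assumptions.

function makePolicyScope(approvedApi) {
  return new Proxy(Object.create(null), {
    // Claim every identifier so lookups never fall through to the real globals.
    has: () => true,
    get: (_target, name) => {
      // `with` consults @@unscopables; undefined keeps every name inside the scope.
      if (name === Symbol.unscopables) return undefined;
      if (Object.prototype.hasOwnProperty.call(approvedApi, name)) return approvedApi[name];
      throw new ReferenceError(`policy denies access to "${String(name)}"`);
    },
    // Assignments to undeclared names would otherwise create real globals.
    set: (_target, name) => {
      throw new TypeError(`policy denies defining "${String(name)}"`);
    },
  });
}

function runSandboxed(untrustedSource, approvedApi) {
  const scope = makePolicyScope(approvedApi);
  // `with` is only legal in sloppy mode, so the outer Function body stays sloppy.
  // The inner function opts into strict mode so that `this` is undefined rather
  // than the global object.
  const runner = new Function(
    "__scope__",
    "with (__scope__) { return (function () { 'use strict'; " + untrustedSource + " })(); }"
  );
  return runner(scope);
}

// Constructed demo: one approved API, three kinds of untrusted code.
function demo() {
  const api = Object.freeze({
    add: (a, b) => a + b,
    log: () => {},                       // stand-in for a mediated console
  });
  const results = {};
  results.allowed = runSandboxed("return add(2, 3);", api);
  results.thisType = runSandboxed("return typeof this;", api);
  try { runSandboxed("return document.cookie;", api); results.denied = "no error"; }
  catch (e) { results.denied = e.constructor.name; }
  try { runSandboxed("leaked = 1; return leaked;", api); results.globalLeak = "no error"; }
  catch (e) { results.globalLeak = e.constructor.name; }
  return results;
}
```

This mediates name resolution only. It does not mediate what the untrusted code can reach through values it is handed: a plain function exposes `Function` via `.constructor`, and even a string exposes it via `"".constructor.constructor`. A two-tier design of the kind the paper describes wraps the exposed objects in membranes for exactly that reason; the scope proxy above is the first tier, not the whole sandbox.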
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
OWASP Advanced Mobile Application Code Review Techniques v0.2 (drewz lin)
The document discusses code review techniques for advanced mobile applications. It begins with an overview of why mobile security is important given the rise in mobile usage. It then discusses different mobile application types and architectures that can be code reviewed, including native, hybrid, and HTML5 applications. The document outlines the goals of mobile application code reviews, such as understanding the application and finding security vulnerabilities. It provides the methodology for conducting code reviews, which includes gaining access to source code, understanding the technology, threat modeling, analyzing the code, and creating automation scripts. Finally, it discusses specific vulnerabilities that may be found in Windows Phone, hybrid, Android, and iOS applications.
The document discusses research conducted by Gregg Ganley and Gavin Black at MITRE in FY13-14 on iOS mobile application security. It describes their work on a tool called iMAS (iOS Mobile Application Security) which aims to provide additional security controls and containment for native iOS applications. iMAS addresses vulnerabilities related to runtime access, device access, application access, data at rest, and threats from app stores/malware. It utilizes techniques like encrypted code modules, forced inlining, secure MDM and more to raise security levels above standard iOS but below a fully customized/rooted mobile device environment. The document outlines the motivation, capabilities and future research directions for the iMAS project.
Defeating XSS and XSRF with MyFaces Frameworks, by Steve Wolf (drewz lin)
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
This document summarizes a presentation on defending against CSRF (cross-site request forgery) attacks. It discusses four main design patterns for CSRF defenses: the synchronizer token pattern, double-submit cookies, challenge-response systems, and checking the Referer header. It then provides details on implementing these patterns, specifically looking at libraries and features in .NET, .NET MVC, Anticsrf, CSRFGuard, and HDIV that can help implement CSRF tokens and validation. The document covers the tradeoffs of different approaches and considerations for using them effectively at the code and server level.
Chuck Willis: OWASP BWA Beyond 1.0, AppSec USA, 2013-11-21 (drewz lin)
This document provides an overview of the OWASP Broken Web Applications (OWASP BWA) project. It discusses the background and motivation for the project, describes the current status including what applications are included in the virtual machine, outlines future plans, and solicits feedback to help guide and expand the project. The goal of OWASP BWA is to provide a free, open-source virtual machine containing a variety of intentionally vulnerable web applications to aid in testing tools and techniques for finding and addressing security issues.
This document provides a summary of a presentation by Robert Hansen on the future of browser security. Hansen argues that while browser developers want to improve security and privacy, their companies' business models focused on advertising revenue prohibit them from doing so. He outlines various techniques used by advertisers and browser companies to track users against their preferences. Hansen advocates for technical controls that allow users to opt out of tracking through a "can not track" approach, rather than relying on ineffective "do not track" policies. He concludes by discussing WhiteHat Security's focus on privacy and their plans to add more security and privacy features to their Aviator browser.
AppSec USA 2013: JS Lib Insecurity, by Stefano di Paola (drewz lin)
This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.
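What makes `$()` a sink is the decision jQuery takes on a string argument: selector, element id, or HTML to be created (with any event handlers in it becoming live). The block below is an added example, not di Paola's code; it has no DOM, so it models that decision and shows why `$(location.hash)` was exploitable. The two regular expressions are reproduced from memory of jQuery's core.js and should be read as an approximation of the real heuristics, not as the library's exact source.

```javascript
// Added example (not the talk's code): why $(string) is an HTML sink, modelled
// without a DOM. Regexes approximate jQuery's rquickExpr from memory.
const RQUICK_PRE_163 = /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;   // before 1.6.3
const RQUICK_PRE_19 = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/;   // 1.6.3 to 1.8.x
const RQUICK_19 = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]*))$/;             // 1.9 and later

// Returns how jQuery would treat the string: "html" means it is parsed as markup.
function classify(arg, rquick) {
  if (typeof arg !== "string") return "object";
  const obviouslyHtml = arg.charAt(0) === "<" && arg.charAt(arg.length - 1) === ">" && arg.length >= 3;
  const m = obviouslyHtml ? [null, arg, null] : rquick.exec(arg);
  if (m && m[1]) return "html";      // innerHTML-style parsing: event handlers run
  if (m && m[2]) return "id";        // getElementById
  return "selector";                 // Sizzle / querySelectorAll; markup is a syntax error
}

// Hardened pattern: the application, not the user, decides the string is a
// selector, and the untrusted part is CSS-escaped. This is a minimal stand-in
// for the browser's CSS.escape (or jQuery 3's $.escapeSelector).
function safeIdSelector(untrustedId) {
  const escaped = String(untrustedId).replace(/[^\w-]/g, (c) => "\\" + c.codePointAt(0).toString(16) + " ");
  return "#" + escaped;
}

// Constructed attacker inputs: a location.hash payload and one without a leading '#'.
function sinkDemo() {
  const hashPayload = "#<img src=x onerror=alert(1)>";
  const mixedPayload = "foo<img src=x onerror=alert(1)>";
  return {
    hashPre163: classify(hashPayload, RQUICK_PRE_163),   // the CVE-2011-4969 case
    hashPre19: classify(hashPayload, RQUICK_PRE_19),
    mixedPre19: classify(mixedPayload, RQUICK_PRE_19),   // still HTML before 1.9
    hash19: classify(hashPayload, RQUICK_19),
    mixed19: classify(mixedPayload, RQUICK_19),
    hardened: classify(safeIdSelector(hashPayload.slice(1)), RQUICK_PRE_163),
  };
}
```

The version progression is the point: each release narrowed what counts as HTML, but any string that still satisfies the HTML branch is parsed as markup, so the only durable fix is never to pass untrusted input to `$()` as a bare string. Look up elements with `document.getElementById` or an escaped, application-built selector, and keep `$.parseHTML` for data you wrote yourself.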
AppSec 2013 presentation: Dickson, final with all final edits (drewz lin)
(1) A study surveyed 600 software developers and found that most did not have a basic understanding of software security concepts, with 73% failing an initial survey and the average score being 59% before training. (2) However, after training, developers' understanding of key concepts increased, with some areas like cross-site scripting seeing a 20 percentage point gain. (3) The study concluded that targeted security training can improve developers' knowledge in the short-term, though retention of this knowledge may require refresher training over time.
This document summarizes Bruno Gonçalves de Oliveira's talk on hacking web file servers for iOS. It introduces Bruno and his background in offensive security and discusses how iOS devices store a lot of information and mobile applications are often poorly designed and vulnerable. It provides examples of vulnerable file storage apps, outlines features and vulnerabilities like lack of encryption, authentication, XSS issues, and path traversal flaws. The document demonstrates exploits like unauthorized access to file systems on jailbroken devices and how to find vulnerable systems through mDNS queries. It concludes that mobile apps are the future but designers still do not prioritize security and there are too many apps for users to vet carefully.
AppSec 2013: Ondrej Krehel, Forensic Investigations of Web Exploitations (drewz lin)
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
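Once Wireshark has reassembled a stream, the investigator is looking at raw HTTP requests and has to decode them by hand before any command trace becomes visible. The block below is an added example, not material from the presentation and not a feature of Wireshark, tcpdump or Xplico: it parses one reassembled request, percent-decodes the URL layer by layer (double-encoding is a common way to slip past naive filters and naive analysts), and flags the indicators an investigator would grep for. The sample request and the indicator list are constructed for the demo.

```javascript
// Added example (not from the presentation): decode a reassembled HTTP request
// from a capture and flag command traces. Sample request is constructed.

// Percent-decode repeatedly so double-encoded payloads (%2563 -> %63 -> c) are
// unwrapped; report how many layers were needed, which is itself an indicator.
function percentDecodeLayers(value, maxRounds = 3) {
  let current = value, rounds = 0;
  while (rounds < maxRounds) {
    let next;
    try { next = decodeURIComponent(current.replace(/\+/g, " ")); }
    catch (_e) { break; }              // malformed escape: stop, keep what we have
    if (next === current) break;
    current = next;
    rounds += 1;
  }
  return { decoded: current, rounds };
}

function parseHttpRequest(raw) {
  const [head, ...bodyParts] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const [method, target, version] = lines[0].split(" ");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const qIndex = target.indexOf("?");
  const path = qIndex === -1 ? target : target.slice(0, qIndex);
  const query = {};
  if (qIndex !== -1) {
    for (const pair of target.slice(qIndex + 1).split("&")) {
      const eq = pair.indexOf("=");
      const k = eq === -1 ? pair : pair.slice(0, eq);
      const v = eq === -1 ? "" : pair.slice(eq + 1);
      query[percentDecodeLayers(k).decoded] = percentDecodeLayers(v);
    }
  }
  return { method, path, version, headers, query, body: bodyParts.join("\r\n\r\n") };
}

// Constructed indicator list: shell tools, sensitive files, shell metacharacters,
// directory traversal. Tune per case; this is a starting point, not a signature set.
const COMMAND_INDICATORS = [
  /\b(cat|wget|curl|nc|bash|sh|powershell|cmd\.exe)\b/i,
  /\/etc\/passwd/,
  /[;|`]/,
  /\.\.\//,
];

function findCommandTraces(req) {
  const findings = [];
  for (const [name, { decoded, rounds }] of Object.entries(req.query)) {
    const hit = COMMAND_INDICATORS.find((re) => re.test(decoded));
    if (hit) findings.push({ where: `query:${name}`, decoded, rounds, pattern: String(hit) });
  }
  const bodyHit = COMMAND_INDICATORS.find((re) => re.test(req.body));
  if (bodyHit) findings.push({ where: "body", decoded: req.body, rounds: 0, pattern: String(bodyHit) });
  return findings;
}

// Constructed sample: a double-encoded command injection against a DMZ web host.
const SAMPLE_REQUEST = [
  "GET /cgi-bin/status.php?page=home&cmd=%2563%2561%2574%20%2Fetc%2Fpasswd HTTP/1.1",
  "Host: dmz-web.example",
  "User-Agent: Mozilla/5.0",
  "",
  "",
].join("\r\n");

function demo() {
  return findCommandTraces(parseHttpRequest(SAMPLE_REQUEST));
}
```

Run over every request in the follow-stream output (or over a text export of the capture), the `rounds` value is worth sorting on: legitimate clients almost never double-encode, so requests that needed two decoding passes are a short list to read first.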
AppSec 2013: Assurance Tagging, by Robert Martin (drewz lin)
The document discusses engineering software systems to be more secure against attacks. It notes that reducing a system's attack surface alone is not enough, as software and networks are too complex and it is impossible to know all vulnerabilities. It then discusses characteristics of advanced persistent threats, including that the initial attack may go unnoticed and adversaries cannot be fully kept out. Finally, it argues that taking a threat-driven perspective beyond just operational defense can help balance mitigation with detection and response.
The document summarizes a presentation on vulnerabilities found in SCADA systems between 2009-2013. It analyzed vulnerabilities by component, with the majority (66%) found in communication components like Modbus and DNP3 protocols. Examples of vulnerabilities are described for several devices. Real-world issues with SCADA systems are discussed like lack of authentication and patching. Recommendations are provided like auditing SCADA networks, implementing secure protocols and password policies, and keeping systems updated.
This 3-page document discusses the real-world challenges of implementing an agile software development lifecycle (SDLC) approach from the perspectives of Chris Eng and Ryan O'Boyle. It was presented at the OWASP AppSec USA conference on November 20, 2013 and focuses on practical lessons learned and best practices for incorporating security throughout an agile SDLC.
This document outlines a presentation given by Simón Roses Femerling on software security verification tools. It discusses BinSecSweeper, an open source tool created by VulnEx to scan binaries and check that security best practices were followed in development. The presentation covers using BinSecSweeper to verify in-house software, assess a company's software security posture, and compare the security of popular browsers. Examples of plugin checks and reports generated by BinSecSweeper are also provided.