Managing Security in Agile Culture
SARCCOM Meetup

Profile
Rendra Perdana
Currently in:
• MatahariMall.com
Was in:
• Consulting Firm
• Oil & Gas Industry
• Consultancy & Training
• Manufacturing
Hobby:
• Breaking things...

Agenda
• Agile Framework from a security perspective
• Secure Platform vs. Speedy Development
• Security: Development vs. Operations
• Balancing All Together

Agile Framework
Agile Goal:
1. Working code
2. Release often
3. Quickly responding to change

Agile Framework
Security Expectation:
1. Features are well documented and security tested
2. Changes require a retest
3. Cost-benefit analysis and risk assessment
What strategy combines both fast and secure development?

Secure Platform vs. Speedy Development
Resist changes

Secure Platform vs. Speedy Development
Design-Assess-Build-Verify (cycle diagram; the stage labels shown are):
• Business Requirement
• Threat Modeling
• Build Assessment
• Overall Security Assessment
• Monitor

Secure Platform vs. Speedy Development
Threat Modeling
• Assess all foreseeable threats, their objectives and their methods
• Treat assets as objectives
• Rank the risk of threats
• Probability of attack (by method)
• A vulnerability is the part of the infosec infrastructure that represents a weakness to an attack in the absence of a control
http://www.intel.com/Assets/en_US/PDF/whitepaper/wp_IT_Security_RiskAssessment.pdf

Secure Platform vs. Speedy Development
Assessment: Application Security Level (OWASP ASVS 3.0.1)
• Level 1: against easy-to-find and easy-to-exploit vulnerabilities
• Level 2: against highly trained attackers and effective tools (e.g. B2B or healthcare applications)
• Level 3: reserved for applications that REQUIRE significant levels of security verification
https://www.owasp.org/images/3/33/OWASP_Application_Security_Verification_Standard_3.0.1.pdf

Secure Platform vs. Speedy Development
Agile vs Secure Compromises
• All features must be tested according to the ASVS level needed for that particular feature/module
• The security engineer has the right to raise objections/concerns in any development phase (plan, build, verify). However, the decision should be made by the product team, with adequate information on the risk.
• A vulnerability that is mitigated by an external control (e.g. WAF) must be treated as technical debt

Secure Platform vs. Speedy Development
Scenario:
You found a critical vulnerability in your apps at H-1 (the day before the launch date).
OR
A zero-day in SSH has been made public. It's Saturday.
How do you respond?

Secure Platform vs. Speedy Development
CIA triad (diagram): Confidentiality, Integrity, Availability

Secure Platform vs. Speedy Development
Triage
(in medical use) the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.

Secure Platform vs. Speedy Development
Triage Sequence & Requirement
Verification
• Checking logs (SIEM, Tripwire)
• Transaction anomaly (which transaction/platform is being attacked?)
• System behaviour anomaly (system metrics)
Severity Assessment
• What's being attacked? (IP L3/L7, OS, platform, features)
• Potential damage (in financial terms where possible)
Prioritization
• Mitigating the most damaging attack first
• Alerting other technical teams (e.g. DevOps, Fraud Team)
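The three triage steps above, run end to end over a small constructed log sample, as an added example that is not part of the deck. The key=value log format, the set of hostile event names, the anomaly thresholds, the per-asset "potential damage" figures and the team routing table are all assumptions made for illustration; the addresses are RFC 5737 documentation ranges, not real traffic.

```python
"""Triage walk-through: Verification -> Severity Assessment -> Prioritization.

Added example over constructed SIEM-style log lines; thresholds, asset values
and routing are made up for illustration.
"""
import re
from collections import Counter

# Constructed key=value log export (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOGS = """\
2017-05-20T02:00:01 src=203.0.113.7 layer=L7 asset=login event=auth_fail
2017-05-20T02:00:02 src=203.0.113.7 layer=L7 asset=login event=auth_fail
2017-05-20T02:00:03 src=203.0.113.7 layer=L7 asset=login event=auth_fail
2017-05-20T02:00:04 src=203.0.113.7 layer=L7 asset=login event=auth_fail
2017-05-20T02:00:05 src=203.0.113.7 layer=L7 asset=login event=auth_fail
2017-05-20T02:00:06 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:07 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:08 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:09 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:10 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:11 src=198.51.100.9 layer=L7 asset=checkout event=http_500
2017-05-20T02:00:12 src=192.0.2.44 layer=L3 asset=edge-fw event=syn_flood
2017-05-20T02:00:13 src=192.0.2.44 layer=L3 asset=edge-fw event=syn_flood
2017-05-20T02:00:14 host=web-01 metric=cpu_pct value=97
2017-05-20T02:00:15 host=web-01 metric=cpu_pct value=35
2017-05-20T02:00:16 src=192.0.2.10 layer=L7 asset=catalog event=http_404
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
HOSTILE_EVENTS = {"auth_fail", "http_500", "syn_flood"}  # constructed
ANOMALY_THRESHOLD = 5   # hostile events from one source against one asset (constructed)
CPU_THRESHOLD = 90      # percent; system-behaviour anomaly (constructed)

# Constructed "potential damage" per asset, in currency units per hour of abuse or outage.
ASSET_VALUE = {"checkout": 50_000, "edge-fw": 80_000, "login": 20_000,
               "catalog": 5_000, "web-01": 30_000}

# Constructed routing: which teams get alerted for which kind of finding.
ROUTING = {"transaction": ["AppSec", "Fraud Team"], "system": ["DevOps"]}


def parse_line(line):
    """Split one log line into a dict; the first token is the timestamp."""
    ts, _, rest = line.partition(" ")
    rec = dict(KV_RE.findall(rest))
    rec["ts"] = ts
    return rec


def verify(lines):
    """Step 1, Verification: confirm from the logs that something is really happening.
    Yields transaction anomalies (repeated hostile events from one source against one
    asset) and system-behaviour anomalies (a metric breaching its threshold)."""
    findings = []
    hostile = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if "metric" in rec:
            if rec["metric"] == "cpu_pct" and int(rec["value"]) >= CPU_THRESHOLD:
                findings.append({"kind": "system", "asset": rec["host"], "layer": "host",
                                 "evidence": f"{rec['metric']}={rec['value']}", "count": 1})
        elif rec.get("event") in HOSTILE_EVENTS:
            hostile[(rec["src"], rec["asset"], rec["layer"], rec["event"])] += 1
    for (src, asset, layer, event), n in hostile.items():
        if n >= ANOMALY_THRESHOLD:   # two syn_flood lines stay below it and are not raised
            findings.append({"kind": "transaction", "asset": asset, "layer": layer,
                             "evidence": f"{n}x {event} from {src}", "count": n})
    return findings


def assess(findings):
    """Step 2, Severity Assessment: the layer and asset under attack are already on the
    finding; attach the potential damage so the next step can rank on it."""
    for f in findings:
        f["potential_damage"] = ASSET_VALUE.get(f["asset"], 0)
    return findings


def prioritize(findings):
    """Step 3, Prioritization: most damaging attack first, then who to alert."""
    ordered = sorted(findings, key=lambda f: (f["potential_damage"], f["count"]), reverse=True)
    for rank, f in enumerate(ordered, start=1):
        f["rank"] = rank
        f["alert"] = ROUTING[f["kind"]]
    return ordered


def triage(log_text):
    """Run the full sequence; returns findings with the highest priority first."""
    return prioritize(assess(verify(log_text.splitlines())))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"#{f['rank']} {f['asset']:9} {f['layer']:5} damage={f['potential_damage']:>6} "
              f"{f['evidence']:30} -> alert {', '.join(f['alert'])}")
```

Ranking on potential damage rather than on event count is the point of the slide's severity step: the login brute force has the most hits, but the checkout errors land first because that asset is worth more per hour, and the CPU breach on web-01 is routed to DevOps rather than to the fraud team.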

Secure Platform vs. Speedy Development
Triage Sequence & Requirement (diagram slide)

Infrastructure
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
MIKKO HYPPONEN, Chief Research Officer of F-Secure
https://www.wired.com/2012/06/internet-security-fail/

Security: Development vs. Operations
Infrastructure
To be secure in infrastructure, cutting edge is the only way

Security: Development vs. Operations
Infrastructure
• Now contains > 5 million blocked IP addresses, including botnet sources
• 1300 req/s @ 2.4 GHz per CPU core (54-byte response)
• Latency: 40-60 ms
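The deck reports the numbers for its blocking layer (more than 5 million blocked addresses, 1300 req/s per core, 40-60 ms latency) but does not say how the filter is built. The following is an added example, not the deck's or MatahariMall's code: one way to match each request against a CIDR blocklist in time that does not grow with the size of the list, by bucketing networks by prefix length and doing one set probe per distinct prefix length. The blocklist entries are constructed from RFC 5737 / RFC 3849 documentation ranges, not real botnet data.

```python
"""CIDR blocklist lookup with per-request cost independent of list size.

Added example; the blocklist below is constructed from documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed blocklist: one CIDR or bare address per line, '#' starts a comment.
SAMPLE_BLOCKLIST = """\
# botnet ranges (constructed)
203.0.113.0/24
198.51.100.128/25
192.0.2.77          # single host, treated as /32
2001:db8:bad::/48
"""


class Blocklist:
    """Membership test for IP addresses against a set of networks.

    Networks are stored as integers keyed by (ip version, prefix length). A
    lookup masks the address once per prefix length present in the list and
    probes a set, so with a few dozen distinct prefix lengths at most, the cost
    stays flat whether the list holds ten entries or five million.
    """

    def __init__(self, entries):
        self._nets = defaultdict(set)   # (version, prefixlen) -> {network address as int}
        self.size = 0
        for raw in entries:
            text = raw.split("#", 1)[0].strip()
            if not text:
                continue
            net = ipaddress.ip_network(text, strict=False)   # host bits are tolerated
            self._nets[(net.version, net.prefixlen)].add(int(net.network_address))
            self.size += 1
        # Precompute one mask per (version, prefixlen) bucket.
        self._masks = {(ver, plen): ((1 << plen) - 1) << ((32 if ver == 4 else 128) - plen)
                       for (ver, plen) in self._nets}

    def contains(self, ip_text):
        """True if ip_text falls inside any listed network.

        Unparsable input is reported as not matched instead of raising, so a
        malformed header cannot take the request path down; callers should log
        such input separately rather than silently trust it.
        """
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            return False
        value = int(ip)
        for key, mask in self._masks.items():
            if key[0] == ip.version and (value & mask) in self._nets[key]:
                return True
        return False


def filter_requests(blocklist, sources):
    """Split request source addresses into (allowed, blocked), preserving order."""
    allowed, blocked = [], []
    for src in sources:
        (blocked if blocklist.contains(src) else allowed).append(src)
    return allowed, blocked


if __name__ == "__main__":
    bl = Blocklist(SAMPLE_BLOCKLIST.splitlines())
    # Constructed request sources, including one unparsable value.
    ok, dropped = filter_requests(bl, ["203.0.113.9", "198.51.100.5", "198.51.100.200",
                                       "192.0.2.77", "192.0.2.78", "2001:db8:bad::1", "bogus"])
    print(f"{bl.size} entries; blocked={dropped} allowed={ok}")
```

The trade-off to note is that a plain set of network integers cannot answer "is this address inside any listed network" without the per-prefix-length masking; a list that mixes many prefix lengths still only costs one probe per length, which is what keeps latency predictable as entries are added.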

Balancing All Together
To achieve Agile & Security balance:
1. Metrics... Metrics... Metrics...
2. Anticipating changes
3. Goals alignment

Q & A
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Managing Security in Agile Culture

Secure Platform vs. Speedy Development
Agile vs. Secure Compromises
All features must be tested according to the ASVS level needed for that particular feature/module
Security engineers have the right to raise objections/concerns in any development phase (plan, build, verify). However, the decision should be made by the product team with adequate information on the risk.
A vulnerability that is mitigated by an external control (e.g. WAF) must be treated as technical debt
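As an added illustration of the definition-of-done rule on this slide (example code, not part of the original deck or any project it mentions), a small Python gate: each feature carries the ASVS level it needs and the level it was actually verified at, every finding that is only shielded by an external control is listed as technical debt, and the gate refuses only what cannot ship, leaving the risk decision to the product team. The feature names, levels, findings and blocking policy are constructed assumptions.

```python
"""Definition-of-done gate for the ASVS rule on the slide (added example, not the
deck's code). Feature names, levels, findings and the blocking policy are
constructed assumptions for illustration."""
from dataclasses import dataclass, field

# ASVS 3.0.1 levels as described on the slides: 1 opportunistic, 2 standard, 3 advanced
ASVS_LEVELS = {1: "opportunistic", 2: "standard", 3: "advanced"}


@dataclass
class Finding:
    fid: str
    severity: str        # "critical", "high", "medium" or "low"
    mitigation: str      # "code-fix", "external-control" or "none"
    control: str = ""    # which external control covers it, e.g. a WAF rule


@dataclass
class Feature:
    name: str
    asvs_level: int       # level the feature needs (from the risk assessment)
    verified_level: int   # highest level it has actually been tested at, 0 = untested
    findings: list = field(default_factory=list)


def technical_debt(features):
    """Every finding that is only covered by an external control (e.g. WAF) is debt:
    it is not fixed, only shielded, and must be tracked like any other backlog item."""
    return [(f.name, x.fid, x.control)
            for f in features for x in f.findings
            if x.mitigation == "external-control"]


def gate(features):
    """Returns (ok, reasons). The gate blocks only on missing verification or an
    unmitigated critical/high finding; debt is reported, not blocked, because the
    product team, not the security engineer, makes the risk decision."""
    reasons = []
    for f in features:
        if f.asvs_level not in ASVS_LEVELS:
            reasons.append(f"{f.name}: unknown ASVS level {f.asvs_level}")
            continue
        if f.verified_level < f.asvs_level:
            reasons.append(f"{f.name}: needs ASVS L{f.asvs_level} "
                           f"({ASVS_LEVELS[f.asvs_level]}) but verified at L{f.verified_level}")
        for x in f.findings:
            if x.mitigation == "none" and x.severity in ("critical", "high"):
                reasons.append(f"{f.name}: {x.fid} ({x.severity}) has no mitigation")
    return (not reasons, reasons)


# Constructed sample: a small e-commerce release (hypothetical features and findings)
SAMPLE_FEATURES = [
    Feature("catalog", 1, 1),
    Feature("login", 2, 2, [Finding("F-1", "high", "external-control",
                                    "WAF rule: SQLi pattern on /login")]),
    Feature("checkout", 2, 1),
    Feature("admin", 3, 3, [Finding("F-2", "critical", "none")]),
]

if __name__ == "__main__":
    ok, reasons = gate(SAMPLE_FEATURES)
    print("release ok:", ok)
    for r in reasons:
        print(" blocked:", r)
    for name, fid, control in technical_debt(SAMPLE_FEATURES):
        print(" debt:", name, fid, "->", control)
```

Running it on the constructed release blocks checkout (verified below its required level) and admin (an unmitigated critical finding) while reporting the WAF-covered login finding as debt rather than blocking on it, which is exactly the division of responsibility the slide describes.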
Secure Platform vs. Speedy Development
Scenario: You found a critical vulnerability in your apps H-1 from the launch date. OR: A zero-day on SSH has been made public. It’s Saturday. How do you respond?
Secure Platform vs. Speedy Development
Confidentiality / Integrity / Availability
Secure Platform vs. Speedy Development
Triage (in medical use): the assignment of degrees of urgency to wounds or illnesses to decide the order of treatment of a large number of patients or casualties.
Secure Platform vs. Speedy Development
Triage Sequence & Requirement
Verification
• Checking logs (SIEM, Tripwire)
• Transaction anomaly (attacking on what transaction/platform?)
• System behaviour anomaly (system metrics)
Severity Assessment
• What’s being attacked? (IP L3/L7, OS, platform, features)
• Potential damage (if possible, financially)
Prioritization
• Mitigating the most damaging attack
• Alerting other technical teams (e.g. DevOps, Fraud Team)
Secure Platform vs. Speedy Development
Triage Sequence & Requirement
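The three triage steps above (verification, severity assessment, prioritization) carried through in Python over a handful of constructed log lines, as an added example that is not part of the original deck: each line is first checked for a real anomaly, then scored by which of confidentiality, integrity and availability it threatens and by an estimated potential damage, and finally ordered most-damaging-first with the other technical team to alert. The log format, thresholds, damage figures and team routing are all assumptions made for the example.

```python
"""Triage in the order the slide gives: verify the signal, assess severity
(what is attacked, which of C/I/A it threatens, potential damage), then
prioritise and alert the right team. Added example, not the deck's code;
thresholds, damage estimates and team routing are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample lines in a generic key=value shape (not from any real SIEM)
SAMPLE_LOGS = [
    "siem ts=2016-03-12T09:00:01 src=198.51.100.7 layer=L7 target=/login feature=auth result=fail count=420",
    "tripwire ts=2016-03-12T09:00:05 host=web-02 file=/etc/ssh/sshd_config change=modified",
    "metrics ts=2016-03-12T09:00:10 host=db-01 cpu=97 conn=4800 baseline_conn=300",
    "siem ts=2016-03-12T09:00:15 src=203.0.113.9 layer=L7 target=/checkout feature=payment result=ok count=1 amount=25000",
    "siem ts=2016-03-12T09:00:20 src=192.0.2.3 layer=L3 target=web-01 result=drop count=5",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Event:
    source: str
    fields: dict
    anomaly: str = ""                           # "transaction", "system", "integrity"; "" = not verified
    impact: set = field(default_factory=set)    # subset of {"C", "I", "A"}
    damage: float = 0.0                         # potential damage, constructed currency estimate
    teams: list = field(default_factory=list)   # who to alert besides security

    @property
    def score(self) -> float:
        # Constructed weighting: 10 per C/I/A dimension hit, plus damage/1000 capped at 50
        return 10 * len(self.impact) + min(self.damage / 1000, 50)


def parse(line: str) -> Event:
    source, rest = line.split(" ", 1)
    return Event(source, dict(KV.findall(rest)))


def verify(ev: Event) -> Event:
    """Step 1 (verification): is this log line really an anomaly? A few dropped
    packets at L3 are noise; repeated auth failures, an out-of-band payment,
    a connection flood or a changed config file are not."""
    f = ev.fields
    if ev.source == "siem" and f.get("result") == "fail" and int(f.get("count", 0)) >= 100:
        ev.anomaly = "transaction"
    elif ev.source == "siem" and float(f.get("amount", 0)) > 10000:
        ev.anomaly = "transaction"
    elif ev.source == "metrics" and int(f["conn"]) > 5 * int(f["baseline_conn"]):
        ev.anomaly = "system"
    elif ev.source == "tripwire" and f.get("change") == "modified":
        ev.anomaly = "integrity"
    return ev


def assess(ev: Event) -> Event:
    """Step 2 (severity): what is being attacked, which of confidentiality,
    integrity, availability is at stake, and what it could cost."""
    f = ev.fields
    if ev.anomaly == "transaction" and f.get("feature") == "auth":
        ev.impact, ev.damage, ev.teams = {"C"}, 20000.0, ["security"]
    elif ev.anomaly == "transaction" and f.get("feature") == "payment":
        ev.impact, ev.damage, ev.teams = {"I"}, float(f["amount"]), ["fraud", "security"]
    elif ev.anomaly == "system":
        ev.impact, ev.damage, ev.teams = {"A"}, 50000.0, ["devops"]
    elif ev.anomaly == "integrity":
        ev.impact, ev.damage, ev.teams = {"C", "I", "A"}, 100000.0, ["devops", "security"]
    return ev


def triage(lines):
    """Step 3 (prioritisation): verified events only, most damaging first."""
    events = [assess(verify(parse(line))) for line in lines]
    return sorted((e for e in events if e.anomaly), key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in triage(SAMPLE_LOGS):
        what = e.fields.get("host") or e.fields.get("target")
        print(f"{e.score:5.1f} {e.anomaly:<12} {what:<12} CIA={''.join(sorted(e.impact))} alert={e.teams}")
```

On the constructed input the modified sshd_config comes out on top (all three of C/I/A at risk), the connection flood on the database next, then the anomalous payment and the credential-stuffing pattern; the five dropped L3 packets never pass verification and so never become an alert, which is the point of doing the verification step before anyone is paged.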
Security: Development vs. Operations
Infrastructure
“Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.”
MIKKO HYPPONEN, Chief Research Officer of F-Secure
https://www.wired.com/2012/06/internet-security-fail/
Security: Development vs. Operations
Infrastructure
To be secure in infrastructure, staying on the cutting edge is the only way
Security: Development vs. Operations
Infrastructure
Now contains > 5 million IP addresses blocked, including from botnets
1300 req/s @ 2.4 GHz per CPU core (54-byte response)
Latency: 40-60 ms
Balancing All Together
To achieve Agile & Security balance:
1. Metrics… Metrics... Metrics...
2. Anticipating Changes
3. Goals Alignment
Q & A