Baby steps and pervasive feedback agile2012 (drewz lin)
This document provides an overview of feedback systems with no feedback. It discusses several key aspects of feedback systems including control systems, human system dynamics, communication protocols, and conversations. It also examines learning from experience, successive approximation, and active stakeholder participation. Diagrams are included to illustrate effects of feedback and a feedback system with feedback.
Kate tries using Scrum and Kanban methodologies for project management but finds they are not effective. The project owner and team members go through multiple sprints of Scrum where things seem off and not quite right. They then try Kanban which seems to work better for their projects and teams. In the end, Kate advocates for finding a methodology that truly fits each individual project and team rather than following practices just for the sake of using a particular framework.
This document outlines Diana Larsen's approach to a personal retrospective on developing her craft. The retrospective includes sections on looking back at past accomplishments and challenges, assessing her strengths and areas for growth, establishing goals and rules to guide her learning, and planning next steps to continue improving. The overall aim is for Larsen to thoughtfully evaluate her skills and development over time in order to further enhance her abilities.
This document discusses using visuals to illustrate project challenges. It provides examples of using charts and graphs to show how scope is growing rapidly on a medical records project, putting the release date at risk. The visuals show scope additions over iterations, a trend line of increasing scope growth, and inputs that certain high-value features and rich user interfaces are taking more effort than planned. The visuals are meant to help stakeholders understand the risks to the release date and available trade-offs to get the project back on schedule during a critical discussion.
This document discusses enterprise agility and adaptive leadership. It describes three levels of agility within organizations: strategic, portfolio, and operational. Strategic agility allows an organization to create and respond to changes in a turbulent business environment. Portfolio agility focuses on high-value projects and reducing work bottlenecks. Operational agility refers to agile development practices. True enterprise agility requires an adaptive leadership approach that can facilitate organizational changes across all levels.
The document discusses communities of practice, which are informal groups of people who share a common domain of interest and work together to develop their knowledge and expertise. It provides examples of early communities of practice at Chrysler and Xerox, and defines the key elements of a community as having a domain, practice, and community. The rest of the document outlines reasons for using communities of practice, examples of how different organizations have implemented them, and recommendations for starting a new community of practice, including engaging members, establishing a shared vision, and finding ways to quickly provide value.
This document discusses test-driven development (TDD) for embedded C code. It covers the reasons for using TDD, how to apply TDD principles to embedded systems, and techniques for abstracting hardware and operating systems to allow for testing. Some key techniques mentioned include mocking the silicon, function pointer substitution, preprocessor substitution, and using TDD alongside a real-time operating system. The document argues that TDD finds bugs earlier and reduces debugging time compared to traditional "debug later" programming approaches.
Rubin agile 2012_strategies_for_porfolio_management.pdf (drewz lin)
Kenny Rubin gave a presentation on strategies for portfolio management. He discussed optimizing a portfolio to maximize lifecycle profits by focusing on variables like cost of delay, accuracy of estimates over precision, applying an economic filter, and managing project arrival and completion rates. He advocated for establishing work-in-process limits based on team capacity, waiting for complete teams to be available before starting new work, and using marginal economics to determine when to terminate a project.
The document discusses leadership at Nokia Siemens Networks. It begins with an overview of Nokia Siemens Networks as a joint venture between Nokia and Siemens that acquired Motorola's wireless networks business. The rest of the document discusses concepts related to agile leadership, including servant leadership, self-organization, power, empowerment, and influencing others. It emphasizes the importance of empowering teams and individuals to increase engagement and autonomy.
Geocent scrum cmmi (without animations) 2 (drewz lin)
The document provides guidance on adopting the Capability Maturity Model Integration (CMMI) framework into an existing Scrum methodology to improve processes and enable additional business opportunities, mapping Scrum artifacts and activities like product vision, release planning, backlog grooming, sprint planning, daily standups, and sprint reviews to relevant CMMI process areas at maturity level 2 like project planning and monitoring. It also includes an agenda and instructions for a mini-Scrum exercise to demonstrate how the mapping would work in practice.
Ashish thusoo evolution of big data architectures (drewz lin)
The document discusses the evolution of big data architectures driven by increasing data volumes, velocities, and varieties. Early architectures focused on performance and rigid structures, but scalability and flexibility became more important with the growth of data. Key-value stores and NoSQL databases provided more flexible schemas and MapReduce enabled large-scale analytics on diverse data. Sharding and replication were developed to improve scalability and availability across many servers and locations.
Program Guide: Let Agile Fly! Scrum Gathering Shanghai 2012 Conference (Shining Hsiong)
This is the program guide for the upcoming Let Agile Fly: Scrum Gathering Shanghai 2012 Conference, to be held on June 7 to 9 (conference) and June 6 (tutorial), in Shanghai, Beijing.
This is the fifth time that China's agile fans have organized such a big community conference. Last year's Scrum Gathering brought more than 400 delegates from China as well as the rest of the world. This year we will bring Scrum Gathering to an even bigger success!
Some of the world's most influential agile experts will come and speak at the conference, such as Jurgen Appelo, Lyssa Adkins, and Craig Larman. Rich and profound programs will be designed by the community with no bias and no commercial purpose. The estimated size of the conference is 500 to 600 attendees per day. With the largest CS*s gathering in China, you can't miss the chance to expand your connections in China, and even in Asia.
Distributed Agile - Building Co-Innovative Delivery Centre at Scale (Herry Wiputra)
This talk was presented at the Top 100 Summit in Beijing in November 2013 by Ma Qiang, Thoughtworks, and Herry Wiputra, REA Group.
This talk discusses how to build and operate a co-innovative agile delivery center and create a distributed operation model at scale.
Web security - everything we know is wrong - Eoin Keary (drewz lin)
1) Web application security is often approached incorrectly, focusing too much on annual penetration tests and compliance, rather than ongoing monitoring and prevention through the development process.
2) Many vulnerabilities are introduced through third party libraries and dependencies, which are not properly tested or managed. Continuous testing across the full software supply chain is needed.
3) Not all vulnerabilities are equal - context is important. A risk-based approach should prioritize the most critical issues based on factors like impact, likelihood, and the development environment. Compliance alone does not ensure real security.
This document summarizes a presentation about the mobile security Linux distribution Santoku Linux. It discusses how Santoku Linux was created by modifying Lubuntu to include mobile forensic and security tools from the company viaForensics. Some key tools discussed include AFLogical OSE for Android logical acquisitions, iPhone Backup Analyzer, and utilities for analyzing mobile malware samples. Real-world examples of analyzing the Any.DO task manager app and Korean banking malware are also provided.
This document discusses sandboxing untrusted JavaScript from third parties to improve security. It proposes a two-tier sandbox architecture that uses JavaScript libraries and wrappers, without requiring browser modifications. Untrusted code is executed in an isolated environment defined by policy code, and can only access approved APIs. This approach aims to mediate access between code and the browser securely and efficiently while maintaining compatibility with existing third-party scripts.
This document discusses how HTML5 features can be used for authentication purposes and addresses some security challenges. It describes APIs like local storage, canvas, geolocation, and notifications that could be leveraged for authentication factors like passwords, patterns, and one-time passwords. However, it also notes risks like storing sensitive data on devices, spoofing locations, and notifications not being reliable. The document advocates using HTML5 responsibly and understanding privacy and user behavior when designing authentication solutions.
OWASP advanced mobile application code review techniques v0.2 (drewz lin)
The document discusses code review techniques for advanced mobile applications. It begins with an overview of why mobile security is important given the rise in mobile usage. It then discusses different mobile application types and architectures that can be code reviewed, including native, hybrid, and HTML5 applications. The document outlines the goals of mobile application code reviews, such as understanding the application and finding security vulnerabilities. It provides the methodology for conducting code reviews, which includes gaining access to source code, understanding the technology, threat modeling, analyzing the code, and creating automation scripts. Finally, it discusses specific vulnerabilities that may be found in Windows Phone, hybrid, Android, and iOS applications.
The document discusses research conducted by Gregg Ganley and Gavin Black at MITRE in FY13-14 on iOS mobile application security. It describes their work on a tool called iMAS (iOS Mobile Application Security) which aims to provide additional security controls and containment for native iOS applications. iMAS addresses vulnerabilities related to runtime access, device access, application access, data at rest, and threats from app stores/malware. It utilizes techniques like encrypted code modules, forced inlining, secure MDM and more to raise security levels above standard iOS but below a fully customized/rooted mobile device environment. The document outlines the motivation, capabilities and future research directions for the iMAS project.
Defeating XSS and XSRF with MyFaces frameworks - Steve Wolf (drewz lin)
This document discusses how to defeat cross-site scripting (XSS) and cross-site request forgery (XSRF) when using JavaServer Faces (JSF) frameworks. It covers validating user input, encoding output, and protecting view states to prevent XSS, as well as configuring JSF implementations to protect against XSRF by encrypting view states and adding tokens to URLs. The presentation emphasizes testing validation, encoding, and protection in specific JSF implementations since behaviors can differ.
This document summarizes a presentation on defending against CSRF (cross-site request forgery) attacks. It discusses four main design patterns for CSRF defenses: the synchronizer token pattern, double submit cookies, challenge-response systems, and checking the referrer header. It then provides details on implementing these patterns, specifically looking at libraries and features in .NET, .NET MVC, Anticsrf, CSRFGuard, and HDIV that can help implement CSRF tokens and validation. The document covers the tradeoffs of different approaches and considerations for using them effectively on the code and server level.
Chuck Willis - OWASP BWA beyond 1.0 - AppSec USA 2013-11-21 (drewz lin)
This document provides an overview of the OWASP Broken Web Applications (OWASP BWA) project. It discusses the background and motivation for the project, describes the current status including what applications are included in the virtual machine, outlines future plans, and solicits feedback to help guide and expand the project. The goal of OWASP BWA is to provide a free, open-source virtual machine containing a variety of intentionally vulnerable web applications to aid in testing tools and techniques for finding and addressing security issues.
This document provides a summary of a presentation by Robert Hansen on the future of browser security. Hansen argues that while browser developers want to improve security and privacy, their companies' business models focused on advertising revenue prohibit them from doing so. He outlines various techniques used by advertisers and browser companies to track users against their preferences. Hansen advocates for technical controls that allow users to opt out of tracking through a "can not track" approach, rather than relying on ineffective "do not track" policies. He concludes by discussing WhiteHat Security's focus on privacy and their plans to add more security and privacy features to their Aviator browser.
AppSec USA 2013 - JS lib insecurity - Stefano di Paola (drewz lin)
This document summarizes Stefano di Paola's talk on security issues with JavaScript libraries. It discusses how jQuery's $() method can be considered a "sink" that executes HTML passed to it, including examples of XSS via jQuery selectors and AJAX calls. It also covers problems with JSON parsing regular expressions, AngularJS expression injection, and credentials exposed in URLs. Solutions proposed include validating all input, auditing third-party libraries, and moving away from approaches like eval() that execute untrusted code.
AppSec 2013 presentation - Dickson (final, with all final edits) (drewz lin)
(1) A study surveyed 600 software developers and found that most did not have a basic understanding of software security concepts, with 73% failing an initial survey and the average score being 59% before training. (2) However, after training, developers' understanding of key concepts increased, with some areas like cross-site scripting seeing a 20 percentage point gain. (3) The study concluded that targeted security training can improve developers' knowledge in the short-term, though retention of this knowledge may require refresher training over time.
This document summarizes Bruno Gonçalves de Oliveira's talk on hacking web file servers for iOS. It introduces Bruno and his background in offensive security and discusses how iOS devices store a lot of information and mobile applications are often poorly designed and vulnerable. It provides examples of vulnerable file storage apps, outlines features and vulnerabilities like lack of encryption, authentication, XSS issues, and path traversal flaws. The document demonstrates exploits like unauthorized access to file systems on jailbroken devices and how to find vulnerable systems through mDNS queries. It concludes that mobile apps are the future but designers still do not prioritize security and there are too many apps for users to vet carefully.
AppSec 2013 - Ondrej Krehel - Forensic investigations of web exploitations (drewz lin)
This document discusses forensic investigations of web exploitations. It presents a scenario where a web server in a DMZ zone was exploited but logs are unavailable, so network traffic must be analyzed. Wireshark will be used to analyze a PCAP file of recorded traffic to determine what happened and find any traces of commands or malware. The document also provides information on the costs of different types of cyber attacks, how to decode HTTP requests, and discusses tools that can be used for network forensics investigations like Wireshark, tcpdump, and Xplico.
AppSec 2013 - Assurance tagging - Robert Martin (drewz lin)
The document discusses engineering software systems to be more secure against attacks. It notes that reducing a system's attack surface alone is not enough, as software and networks are too complex and it is impossible to know all vulnerabilities. It then discusses characteristics of advanced persistent threats, including that the initial attack may go unnoticed and adversaries cannot be fully kept out. Finally, it argues that taking a threat-driven perspective beyond just operational defense can help balance mitigation with detection and response.
The document summarizes a presentation on vulnerabilities found in SCADA systems between 2009-2013. It analyzed vulnerabilities by component, with the majority (66%) found in communication components like Modbus and DNP3 protocols. Examples of vulnerabilities are described for several devices. Real-world issues with SCADA systems are discussed like lack of authentication and patching. Recommendations are provided like auditing SCADA networks, implementing secure protocols and password policies, and keeping systems updated.
This 3-page document discusses the real-world challenges of implementing an agile software development lifecycle (SDLC) approach from the perspectives of Chris Eng and Ryan O'Boyle. It was presented at the OWASP AppSec USA conference on November 20, 2013 and focuses on practical lessons learned and best practices for incorporating security throughout an agile SDLC.
This document outlines a presentation given by Simón Roses Femerling on software security verification tools. It discusses BinSecSweeper, an open source tool created by VulnEx to scan binaries and check that security best practices were followed in development. The presentation covers using BinSecSweeper to verify in-house software, assess a company's software security posture, and compare the security of popular browsers. Examples of plugin checks and reports generated by BinSecSweeper are also provided.