Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating security into an existing agile SDLC

Laura Bell
September 12, 2014
Technology
0
140

Integrating security into an existing agile SDLC

Laura Bell

September 12, 2014
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
230
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
54
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
79
Practical tools for privacy audit
ladynerd
0
170

Other Decks in Technology

See All in Technology
TypeScriptの次なる大進化なるか!? 条件型を返り値とする関数の型推論
uhyo
2
1.6k
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
300
DMARC 対応の話 - MIXI CTO オフィスアワー #04
bbqallstars
1
160
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
250
SSMRunbook作成の勘所_20241120
koichiotomo
2
130
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
140
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
940
ドメイン名の終活について - JPAAWG 7th -
mikit
33
20k
Engineer Career Talk
lycorp_recruit_jp
0
160

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Code Review Best Practice
trishagee
64
17k
Why Our Code Smells
bkeepers
PRO
334
57k
Practical Orchestrator
shlominoach
186
10k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Building Flexible Design Systems
yeseniaperezcruz
327
38k
For a Future-Friendly Web
brad_frost
175
9.4k
Designing for humans not robots
tammielis
250
25k
10 Git Anti Patterns You Should be Aware of
lemiorhan
654
59k
BBQ
matthewcrist
85
9.3k

Transcript

  1. ARC208

  2. once upon a time design code stuff ideas test deploy

  3. security was all about gates design code stuff idea test

    deploy

  4. and goodness do we love gates design code stuff idea

    test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

  5. same thing, just more frequently?

  6. None

  7. Why don’t you do security?

  8. we can make you look good Proactive security engagement increases:

    Preparedness Credibility Market awareness Strategic thinking

  9. So what does agile security need to be 1. Able

    to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

  10. common misconceptions

  11. avoidance != management

  12. too little to fail (at security)

  13. the sky is not always falling* *except when it is

    (then you should really do something about it)

  14. agility increases risk

  15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

  16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

  17. 2. learn to add, adapt and abandon

  18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

  19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

  20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

  21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

  22. 7. build an empire one developer at a time

  23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

  24. fails

  25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

  26. common challenges and how to conquer, obliterate or otherwise win

  27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

  28. maintain momentum “more secure today than yesterday”

  29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
  30. None

  31. Ready to get started? …take a deep breath

  32. None
  33. None