Integrating security into an existing agile SDLC

Transcript

1. ARC208

2. once upon a time design code stuff ideas test deploy

3. security was all about gates design code stuff idea test

   deploy

4. and goodness do we love gates design code stuff idea

   test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

5. same thing, just more frequently?

6. None

7. Why don’t you do security?

8. we can make you look good Proactive security engagement increases:

   Preparedness Credibility Market awareness Strategic thinking

9. So what does agile security need to be 1. Able

   to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

10. common misconceptions

11. avoidance != management

12. too little to fail (at security)

13. the sky is not always falling* *except when it is

    (then you should really do something about it)

14. agility increases risk

15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

17. 2. learn to add, adapt and abandon

18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

22. 7. build an empire one developer at a time

23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

24. fails

25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

26. common challenges and how to conquer, obliterate or otherwise win

27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

28. maintain momentum “more secure today than yesterday”

29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
30. None

31. Ready to get started? …take a deep breath

32. None
33. None