Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Integrating security into an existing agile SDLC
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Laura Bell
September 12, 2014
Technology
170
0
Share
Integrating security into an existing agile SDLC
Laura Bell
September 12, 2014
More Decks by Laura Bell
See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
300
Hackcon 11 - Protecting our people
ladynerd
0
250
Security in a container based world
ladynerd
0
160
Securing Microservice Architectures
ladynerd
2
370
Better Connected
ladynerd
0
83
Continuous Security
ladynerd
3
1.2k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
140
Practical tools for privacy audit
ladynerd
0
230
Other Decks in Technology
See All in Technology
キャリア25年目にしてTypeScript に出会うまで - 「型」を通じて振り返るプログラミング言語遍歴 / Meeting TypeScript After 25 Years in Tech - Looking Back at My Programming Language Journey Through "Types"
bitkey
PRO
2
290
JJUG CCC 2026 Spring AI時代の開発こそ標準化を武器に! ― 方式・プロセス・プラットフォームの標準化
s27watanabe
2
450
AI時代から振り返るTerraform drift運用の歴史 / AI Age Reflections on the History of Terraform Drift Operations
aeonpeople
0
520
Harnessing the Power of Mocks and Stubs in PHPUnit / #laravellivejp
asumikam
0
700
電子辞書Brainをネットに繋げてみた(自力編)
raspython3
0
220
AIAgentと取り組むKaggle
508shuto
2
610
Copilot CLI・IDE・Web・スマホで途切れない開発フローを目指して / One Copilot flow - CLI IDE Web Mobile
aeonpeople
1
1.1k
Oracle Cloud Infrastructure:2026年5月度サービス・アップデート
oracle4engineer
PRO
1
180
Javaで学ぶSOLID原則
negima
1
200
Don't Just Patch — MOTTAINAI! Learn Security from Laravel CVE Diffs
codmoninc
0
120
はじめてのAI-DLC
yoshidashingo
2
580
checker.tsにチキンレースを仕掛けてみた:型エラー(TS2589)が発生する境界線を求めて
hal_spidernight
1
210
Featured
See All Featured
How STYLIGHT went responsive
nonsquared
100
6.1k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
32
2.9k
Effective software design: The role of men in debugging patriarchy in IT @ Voxxed Days AMS
baasie
0
370
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
210
The Cult of Friendly URLs
andyhume
79
6.9k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
17k
Bridging the Design Gap: How Collaborative Modelling removes blockers to flow between stakeholders and teams @FastFlow conf
baasie
0
560
Stewardship and Sustainability of Urban and Community Forests
pwiseman
0
210
Docker and Python
trallard
47
3.8k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
32
3.2k
KATA
mclloyd
PRO
35
15k
Accessibility Awareness
sabderemane
1
130
Transcript
ARC208
once upon a time design code stuff ideas test deploy
security was all about gates design code stuff idea test
deploy
and goodness do we love gates design code stuff idea
test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing
same thing, just more frequently?
None
Why don’t you do security?
we can make you look good Proactive security engagement increases:
Preparedness Credibility Market awareness Strategic thinking
So what does agile security need to be 1. Able
to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable
common misconceptions
avoidance != management
too little to fail (at security)
the sky is not always falling* *except when it is
(then you should really do something about it)
agility increases risk
Ten steps to a better, stronger and more secure you
regardless of budget, organisation size or how cool you are
1. know your stack Languages Libraries Operating Systems Applications Third
Party Services
2. learn to add, adapt and abandon
3. create a simple risk taxonomy Critical High Medium Low
Informational False Positive
4. understand your security and technical debt it’s natural and
awesome but you can’t run from it forever
5. bring security into your requirements “engage security early and
often and be sure to have it included in your definition of done”
6. prepare for the worst Monitoring Analysis Understanding Response Feedback
7. build an empire one developer at a time
8. design your workflows “the best technical people I know
work really hard to make themselves redundant. “
fails
10. outsource smartly “if you are going to spend the
money, research your options, scope well and be demanding”
common challenges and how to conquer, obliterate or otherwise win
compliance is a priority “nothing is more fatal to a
new business than the fines for non-compliance”
maintain momentum “more secure today than yesterday”
use your words No Simple way to remove risk Must
be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
None
Ready to get started? …take a deep breath
None
None
ladynerd
bitkey
s27watanabe
aeonpeople
asumikam
raspython3
508shuto
oracle4engineer
negima
codmoninc
yoshidashingo
hal_spidernight
nonsquared
bluesmoon
baasie
jacobtomlinson
andyhume
afnizarnur
pwiseman
trallard
garrettdimon
mclloyd
sabderemane
