Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating security into an existing agile SDLC

Laura Bell
September 12, 2014
Technology
0
140

Integrating security into an existing agile SDLC

Laura Bell

September 12, 2014
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
240
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
140
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
59
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.7k
Blindsided by security
ladynerd
0
85
Practical tools for privacy audit
ladynerd
0
180

Other Decks in Technology

See All in Technology
Swiftの “private” を テストする / Testing Swift "private"
yutailang0119
0
130
エンジニアが加速させるプロダクトディスカバリー 〜最速で価値ある機能を見つける方法〜 / product discovery accelerated by engineers
rince
4
320
プロダクトエンジニア構想を立ち上げ、プロダクト志向な組織への成長を続けている話 / grow into a product-oriented organization
hiro_torii
1
170
一度 Expo の採用を断念したけど、 再度 Expo の導入を検討している話
ichiki1023
1
170
RSNA2024振り返り
nanachi
0
580
2.5Dモデルのすべて
yu4u
2
860
急成長する企業で作った、エンジニアが輝ける制度/ 20250214 Rinto Ikenoue
shift_evolve
3
1.3k
RECRUIT TECH CONFERENCE 2025 プレイベント【高橋】
recruitengineers
PRO
0
160
TAMとre:Capセキュリティ編 〜拡張脅威検出デモを添えて〜
fujiihda
2
240
分解して理解する Aspire
nenonaninu
1
110
OpenID BizDay#17 KYC WG活動報告(法人) / 20250219-BizDay17-KYC-legalidentity
oidfj
0
240
全文検索+セマンティックランカー+LLMの自然文検索サ−ビスで得られた知見
segavvy
2
100

Featured

See All Featured
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Code Review Best Practice
trishagee
67
18k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
7
630
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
29
1k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Agile that works and the tools we love
rasmusluckow
328
21k
Bash Introduction
62gerente
611
210k
Code Reviewing Like a Champion
maltzj
521
39k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Raft: Consensus for Rubyists
vanstee
137
6.8k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k

Transcript

  1. ARC208

  2. once upon a time design code stuff ideas test deploy

  3. security was all about gates design code stuff idea test

    deploy

  4. and goodness do we love gates design code stuff idea

    test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

  5. same thing, just more frequently?

  6. None

  7. Why don’t you do security?

  8. we can make you look good Proactive security engagement increases:

    Preparedness Credibility Market awareness Strategic thinking

  9. So what does agile security need to be 1. Able

    to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

  10. common misconceptions

  11. avoidance != management

  12. too little to fail (at security)

  13. the sky is not always falling* *except when it is

    (then you should really do something about it)

  14. agility increases risk

  15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

  16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

  17. 2. learn to add, adapt and abandon

  18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

  19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

  20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

  21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

  22. 7. build an empire one developer at a time

  23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

  24. fails

  25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

  26. common challenges and how to conquer, obliterate or otherwise win

  27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

  28. maintain momentum “more secure today than yesterday”

  29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
  30. None

  31. Ready to get started? …take a deep breath

  32. None
  33. None