Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Integrating security into an existing agile SDLC

Laura Bell
September 12, 2014
Technology
0
140

Integrating security into an existing agile SDLC

Laura Bell

September 12, 2014
Tweet

More Decks by Laura Bell

See All by Laura Bell
DIY security for the amateur superhero
ladynerd
0
230
Hackcon 11 - Protecting our people
ladynerd
0
220
Security in a container based world
ladynerd
0
130
Securing Microservice Architectures
ladynerd
2
340
Better Connected
ladynerd
0
55
Continuous Security
ladynerd
3
1.1k
Automated Human Vulnerability Scanning with AVA
ladynerd
3
2.6k
Blindsided by security
ladynerd
0
79
Practical tools for privacy audit
ladynerd
0
170

Other Decks in Technology

See All in Technology
サイボウズフロントエンドエキスパートチームについて / FrontendExpert Team
cybozuinsideout
PRO
5
38k
Fanstaの1年を大解剖! 一人SREはどこまでできるのか!?
syossan27
2
160
Jetpack Composeで始めるServer Cache State
ogaclejapan
2
170
開発生産性向上! 育成を「改善」と捉えるエンジニア育成戦略
shoota
2
320
小学3年生夏休みの自由研究「夏休みに Copilot で遊んでみた」
taichinakamura
0
150
社外コミュニティで学び社内に活かす共に学ぶプロジェクトの実践/backlogworld2024
nishiuma
0
260
第3回Snowflake女子会_LT登壇資料(合成データ)_Taro_CCCMK
tarotaro0129
0
190
新機能VPCリソースエンドポイント機能検証から得られた考察
duelist2020jp
0
220
10分で学ぶKubernetesコンテナセキュリティ/10min-k8s-container-sec
mochizuki875
3
330
OpenAIの蒸留機能(Model Distillation)を使用して運用中のLLMのコストを削減する取り組み
pharma_x_tech
4
550
ずっと昔に Star をつけたはずの 思い出せない GitHub リポジトリを見つけたい!
rokuosan
0
150
UI State設計とテスト方針
rmakiyama
2
480

Featured

See All Featured
Fireside Chat
paigeccino
34
3.1k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.7k
Music & Morning Musume
bryan
46
6.2k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
How GitHub (no longer) Works
holman
311
140k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k
Building Better People: How to give real-time feedback that sticks.
wjessup
365
19k
Become a Pro
speakerdeck
PRO
26
5k
Faster Mobile Websites
deanohume
305
30k
What's in a price? How to price your products and services
michaelherold
243
12k
No one is an island. Learnings from fostering a developers community.
thoeni
19
3k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
365
25k

Transcript

  1. ARC208

  2. once upon a time design code stuff ideas test deploy

  3. security was all about gates design code stuff idea test

    deploy

  4. and goodness do we love gates design code stuff idea

    test deploy Initial Risk Assessment Design Review Code and Implementation Review Penetration Testing

  5. same thing, just more frequently?

  6. None

  7. Why don’t you do security?

  8. we can make you look good Proactive security engagement increases:

    Preparedness Credibility Market awareness Strategic thinking

  9. So what does agile security need to be 1. Able

    to empower developers 2. Cost effective 3. Pragmatic and flexible 4. Easy to integrate with existing workflows 5. Scalable

  10. common misconceptions

  11. avoidance != management

  12. too little to fail (at security)

  13. the sky is not always falling* *except when it is

    (then you should really do something about it)

  14. agility increases risk

  15. Ten steps to a better, stronger and more secure you

    regardless of budget, organisation size or how cool you are

  16. 1. know your stack Languages Libraries Operating Systems Applications Third

    Party Services

  17. 2. learn to add, adapt and abandon

  18. 3. create a simple risk taxonomy Critical High Medium Low

    Informational False Positive

  19. 4. understand your security and technical debt it’s natural and

    awesome but you can’t run from it forever

  20. 5. bring security into your requirements “engage security early and

    often and be sure to have it included in your definition of done”

  21. 6. prepare for the worst Monitoring Analysis Understanding Response Feedback

  22. 7. build an empire one developer at a time

  23. 8. design your workflows “the best technical people I know

    work really hard to make themselves redundant. “

  24. fails

  25. 10. outsource smartly “if you are going to spend the

    money, research your options, scope well and be demanding”

  26. common challenges and how to conquer, obliterate or otherwise win

  27. compliance is a priority “nothing is more fatal to a

    new business than the fines for non-compliance”

  28. maintain momentum “more secure today than yesterday”

  29. use your words No Simple way to remove risk Must

    be logically applied and justified Does not remove the original need or objective Yes Scary for security people Accepts risks and understands them Enables innovation Encourage safe usage
  30. None

  31. Ready to get started? …take a deep breath

  32. None
  33. None